Intro
I find the topic of cognitive biases extremely fascinating especially when observed from the perspective of a Cyber Security person and an incident or threat hunting exercise they are undertaking.
This interest was re-sparked by a friend, some time ago - I’m finally putting my notes and thoughts out there for others to get interested and aware.
Performing threat hunting activities or simply triaging incidents can generally lead to some form of biases developing - an unfortunate reality we must all face.
Yet as Cyber Security researchers, enthusiasts or professionals - it's a fundamental requirement that is often severely overlooked, and one we should revisit: take the time to understand what biases can appear and how they can impact our analysis.
By first understanding them - we can hopefully eliminate them or, at the least - acknowledge and document them in our work outputs.
For me - biases are never going to NOT exist, we just need to get better at identifying, documenting and working with them.
What are the biases?
I’ve listed out the top 10 that you are likely to come across during incident response or threat hunting activities. Though there are possibly more, knowing and being aware of these top 10 will help!
You can find these here on GitBook.
Alongside each I’ve provided a detailed description along with the impact each cognitive bias has in relation to ‘Threat Hunting’ though, this can be applied to incident response triage related activities.
My Favorites
I sadly have a few favorites which I see often, not only in the field but also in the written reports by security vendors. Why these are favorites - well, it's not just because I have a sick sense of humor, but because these are the most commonly observed and are also some of the hardest to overcome and / or identify at times.
Overconfidence Effect
Sunk Cost Fallacy
Bandwagon Effect
Hindsight Bias
Confirmation Bias
If I were to pick 5 to focus on, understand and determine how to identify - these would be them.
Why does it matter?
Biases lead to outcomes that are likely not factual, or conducive to ‘objective analysis’ which is a fundamental requirement if working in Cyber Security.
As a result, the end outcome is more likely to be inaccurate, which could have serious consequences - especially in terms of incident response and threat hunting.
Understanding that these cognitive biases exist in the first place greatly helps in being able to identify them in others and in your own work, and therefore you can acknowledge and document them if unable to extinguish them.
Being able to be clear that a bias exists in a determination and having that documented in specific cases can make understanding of outputs / outcomes more accurate.
Conclusion
Stay informed, understand cognitive biases in respect to threat hunting or incident response.
Use the matrix provided and the exercise to ask yourself the questions, to become a better threat hunter or incident responder and therefore practice being an objective analyzer.
till next time…