We've been hit, how can CyberDefenses help?

The Tao of Investigation

CyberDefenses - Crime Scene

by Daniel Cohen

The tent-pole show ‘Law and Order’ ran on NBC for twenty years.

Its durability made it the longest-running crime drama in American primetime television history. It was so successful that it spun off multiple successful times, creating SVU, Criminal Intent, and Trial by Jury. The original ran for 456 episodes (with re-runs that were actually watched, not just played in an empty doctor’s office) and made quite a few people rich, both in front of, and behind the camera.

Why is this important to bring up?

The success of ‘Law and Order’ proves something very vital about the American public. It proves our collective love for investigation. For putting things right. We love witnessing the thought processes of detectives trained to bring our perpetrators to justice (or to ‘order’ if we want to keep things canonical). We love watching the subtle clues unfold, trying to pick up on seminal evidence as the we creep into the second act. We love rooting for spunky characters like Ice-T’s Fin Tutuola after they make their inevitable quip, which will likely be quoted at the water cooler the next day.

We love going along for the ride.

But how often do we stop and think about the mechanics of the ride? About the bricks that are put in place to keep everything smooth. About the chemical construct of the gas in the tank. About the hands on the wheel. Things look easy from our side of the small screen, but if we were thrown into this fictional universe, would our nonfictional selves act as rationally?

How do we make order out of chaos?

There are so many intricacies involved in any sort of investigation that we inevitably wonder: how do we know where to start? How do we know we’re keeping on the right track?  How do we not get lost in logic loops, and understand when we’ve puttered up to our final-destination?

Investigation seems tricky, but really a lot of it can be boiled down to a few key steps. These can be used from investigating the mystery of the universe, to the mystery of where that dang remote disappeared to.

Let’s start with the ‘Ladder of Inference.’

The Ladder was erected by organizational psychologist Chris Argyris and used by Peter Senge in The Fifth Discipline: The Art and Practice of the Learning Organization.

It looks a little something like this:

Investigatory behavior starts at the bottom and carefully steps up the rungs, methodically pairing down our information into palatable options. At first, we have our reality and facts to pull from. This is the biggest pool. Once we select a reality from that collection, we can interpret the data, make rational assumptions, and draw a set of conclusions. Whittling it down once more, we get our beliefs, which can be manifested into physical actions that we deem right. If it seems simple, it is. If it seems confusing, it can be that too. Simple because it has concrete steps. Confusing because sometimes the rungs are slipper or look like other rungs.

Let’s take a real-world example.

You get a suspicious text message that reads as follows:

There are a few different options you can take. You can click the link. You can text back. You can ignore the text and risk losing services. You can reach out to Verizon.

The common choices would be to either click or not click.

 

Let’s use the Ladder of Inference to investigate.

Reality and facts: You’ve just received a suspicious text.

Selected reality: The message is coming from an unverified sender.

Interpreted reality: If you don’t click the link, you risk losing service.

Assumptions: Here we have two:

  1. We can assume that the link goes to Verizon.
  2. We can assume the link is malicious.

Conclusions: Let’s follow the ladder.

  1. The link is safe.
  2. The link is malicious.

Beliefs: Now split into two higher rungs.

  1. If the link is safe, I will maintain service.
  2. If the link is malicious, I risk losing sensitive data

Actions: Two possible actions.

  1. Click link
  2. Ignore link

A rather simple example, but a good illustration of the point in general. If you apply the concept to more complex situations, you can find your thought process can benefit from seeing clear, concise steps.

It’s also useful to take things one step further and lump the rungs. We can distill our steps into the ‘Three Whats.’

  • What?
  • So what?
  • Now what?

What? = what exactly happened.

So what? = what does the event mean in blunt terms.

Now what? = what can we do about the situation.

Using the same example boiled down: We get a malicious text (what). Clicking the link might mean getting infected, but not clicking risks losing service (so what). We can choose one of two options (now what).

There’s no magic formula for properly preformation an investigation correctly every time (at least one that can be internalized without massive student loan debt and a few decades on the beat) but with the Ladder of Inference, you can at least have a solid foundation. You can raise a bit of order in the chaos. The ladder might not change your general jurisdiction, and you still might have to stand behind the yellow tape, but if you’re planning on starting your own spinoff called Kitchen Crimes, it just might help you solve the mystery of the missing thin mints.

Put the ladder away. We already know you ate the thin mints.

To learn more about Incident Response and how we can help visit https://cyberdefenses.com/services/managed-security-services/incident-response/

About the author

Carin Young

Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.