By: Nicole Hoffman
After creating this framework, I implored others to contribute to the framework either by creating their own stairway or by remixing an existing stairway to fit their analytical processes. I am excited to announce a new stairway that I have been working on for the past few months with the help of Juan Spinel (@juan_spinel).
Juan inspired the creation of this stairway when he applied my framework during a talk he gave at IsolationCon in April 2021, where he reverse-engineered intelligence gathering processes. I was unable to attend the virtual conference. However, I was able to see a test run a few days before.
I am not sure if the conference was recorded. I was unable to find his talk on YouTube to share within this blog, but he did write up a summary of the talk on his blog: https://spinel.ch/page/2/. Just scroll down to intelligence gathering strategies.
You know those OSINT photo competitions where someone will tweet a photo and others will guess where it was taken from? This is the type of intelligence investigation Juan applied my framework to and let me tell you it was fascinating. I was inspired to create a stairway that embodies the data collection and analytical processes introduced by Juan.
Getting right into it, you will notice a good number of differences between this stairway and my other three. Mind you, I perform OSINT investigations on a daily basis, but I still learned a lot of invaluable information from Juan’s methodology.
In previous stairways, I paired think steps with hypothesis generation; the two were always together in my mind. However, I recently realized that I personally use think steps to help drive my OSINT investigations. I keep lists of sources to check for different types of investigations, as well as questions to answer, or really just things to consider, during the investigation. For more information about applying think steps, please see my previous blog post, where I dive into this topic. Also, please feel free to ask me questions should any arise.
Another big change in this stairway is the cycle of data enumeration > exploratory data analysis > quality of information (QoI) check > omit useless data. I structured it this way because it is an ongoing cycle: as I collect data, I am analyzing it and determining its relevance. Next, I check the quality of the source and get rid of data I do not need.
I almost included create information from data in the cycle, because I regularly add notes and sources to a centralized location, such as a document, as I go. However, I realized that taking notes and creating information from data are two different things. Creating information is the beginning of your report. If you hand someone a document of notes, they may not know what is going on. If instead you begin to outline or write the report about what you know from the data, it is much easier for someone else to understand.
This is why I like to call creating information from data the story building phase. As you build the story, you may identify knowledge gaps or pivot points. For example, if you are investigating a piece of malware, your notes may list a set of domains the malware communicates with. This is a pivot point: the domains warrant an additional investigation of their own, and its results are useful to the overall investigation.
The final thing I wanted to point out is the color-coded legend. It is actually kind of a funny story. As you may have noticed from my blog, I really enjoy the color pink. When Juan and I were collaborating on the stairway, I changed the color of every other step to pink or purple. He asked if there was a specific reason, to which I responded that I just love color.
Then we realized: what if it was color-coded to add an additional layer of structure to the overall stairway? Overall, I hope you enjoy this new stairway. I am so thankful for Juan’s help during our collaboration. Stairway number five is also in the works: I am working on a threat hunting stairway with a good amount of help from others in the community. So please stay tuned for this stairway in the coming months.
As always, I implore others to contribute to the framework. If there is a specific analytic process you perform on a regular basis that is not represented within the existing framework, please let me know. It is my goal to have a stairway for several areas across information technology.
Step 1 – Trigger
The fourth stairway begins with a trigger. This is something that has sparked an OSINT investigation.
Step 2 – Determine Scope
This is where you identify the goals of the investigation as well as determine the audience of the final deliverable, such as a report. Will this be a technical report, an executive report, or both? Scope affects dissemination.
Step 3 – Gather Relevant Think Steps
A great way to capture tacit knowledge from subject matter experts is by documenting think steps. Every analyst performing open-source investigations has sets of think steps. For example, if the trigger that started the investigation is a suspicious domain, the think steps may include specific sources to check for data, such as VirusTotal.
Furthermore, think steps may also include a list of questions that come up every time you investigate a domain, such as what malware is communicating with the domain. Think steps can help speed up confirmatory analysis later.
Step 4 – Data Enumeration
Begin collecting data from open sources. Refer to the think steps for a list of sources to check.
Step 5 – Exploratory Data Analysis
Exploratory Data Analysis (EDA) is a form of analysis where you are given a dataset, but not necessarily a hypothesis or data model to fit it to. In this form of analysis, you explore the data in order to create information. This is also the time to visualize the data and, where the data supports it, perform regression analysis, which looks for relationships between the variables in a dataset.
Step 6 – QoI Check / Omit Useless Data
As you enumerate and analyze data, you can perform regular Quality of Information (QoI) checks. A QoI check evaluates the completeness of the information available as well as the reliability of the data sources. This check is important because it can identify information gaps.
If you discover an information gap, a new information or intelligence requirement can be created. The check also helps boost confidence levels in analytic judgments: a claim seen in two independent sources carries more weight than a single unconfirmed comment. This is also the time to omit, or get rid of, any data that is not relevant to your investigation.
Step 7 – Create Information from Data
I like to call this stage the story building stage. This is where you need to ask, ‘so what?’ What does all the data mean? As you put the information together, you may identify knowledge gaps and go back to collect additional information. Often this is because a potential ‘what if’ scenario has surfaced.
This is known as pivoting. For example, while investigating a suspicious domain you may realize there is malware communicating with it. That is a perfect pivot point: the malware now deserves an investigation of its own.
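As an added example (not code from the original post or from Juan's talk), the following Python models one pass of the Steps 4 through 7 cycle for a suspicious-domain trigger: raw notes are enumerated into records, explored by subject and question, checked against a think-step list for unchecked sources, unanswered questions and single-source claims, trimmed of out-of-scope data, and scanned for pivot points. Every source name, the think-step lists, the domain (`example-bad.test`, on the RFC 2606 reserved TLD), the IP addresses (RFC 5737 documentation ranges) and the hash strings are constructed for illustration and describe no real indicator.

```python
# Added example: a minimal, offline model of the data enumeration > EDA >
# QoI check > omit cycle with pivot detection. All sources, records, domain
# names, IPs and hashes below are constructed, not real indicators.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str    # which open source the datum came from
    subject: str   # the indicator the datum is about
    question: str  # which think-step question it answers
    value: str     # the datum itself


# Think steps for a "suspicious domain" trigger (Step 3): sources to check and
# questions to answer. These lists are assumptions for the example.
THINK_STEPS = {
    "sources": ["VirusTotal", "passive DNS", "WHOIS", "certificate transparency"],
    "questions": ["resolves_to", "malware_sample", "registrar", "attribution", "first_seen"],
    # answers to these questions become new subjects worth their own investigation
    "pivot_questions": ["malware_sample"],
}

# Step 4: constructed notes as they might be jotted down during collection.
RAW_NOTES = [
    ("VirusTotal", "example-bad.test", "malware_sample", "sha256:constructed-hash-1"),
    ("VirusTotal", "example-bad.test", "attribution", "Group X (community comment)"),
    ("VirusTotal", "example-bad.test", "resolves_to", "192.0.2.10"),
    ("passive DNS", "example-bad.test", "resolves_to", "192.0.2.10"),
    ("WHOIS", "example-bad.test", "registrar", "Example Registrar"),
    ("passive DNS", "unrelated.test", "resolves_to", "198.51.100.7"),   # out of scope
    ("VirusTotal", "example-bad.test", "resolves_to", "192.0.2.10"),    # exact duplicate
]


def enumerate_records(raw_notes):
    """Step 4: normalise raw notes into Records, dropping exact duplicates."""
    unique = {Record(*note) for note in raw_notes}
    return sorted(unique, key=lambda r: (r.subject, r.question, r.source))


def explore(records):
    """Step 5 (EDA): for every subject and question, which values were seen and
    from which sources. Returns {subject: {question: {value: {sources}}}}."""
    view = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for r in records:
        view[r.subject][r.question][r.value].add(r.source)
    return view


def qoi_check(view, subject, think_steps):
    """Step 6 (QoI): compare what was collected for `subject` with the think
    steps. Reports unchecked sources, unanswered questions, claims seen from
    a single source only, and claims corroborated by two or more sources."""
    answered = view.get(subject, {})
    sources_used = {s for q in answered.values() for srcs in q.values() for s in srcs}
    claims = [(q, v, srcs) for q, vals in answered.items() for v, srcs in vals.items()]
    return {
        "sources_unchecked": [s for s in think_steps["sources"] if s not in sources_used],
        "questions_unanswered": [q for q in think_steps["questions"] if q not in answered],
        "single_source_claims": sorted((q, v) for q, v, srcs in claims if len(srcs) == 1),
        "corroborated_claims": sorted((q, v) for q, v, srcs in claims if len(srcs) >= 2),
    }


def omit_useless(records, scope_subjects):
    """Step 6 (omit): keep only records about subjects inside the scope (Step 2)."""
    return [r for r in records if r.subject in scope_subjects]


def find_pivots(view, subject, think_steps, already_scoped):
    """Step 7: answers to pivot questions (e.g. a malware sample talking to the
    domain) are new subjects that are not yet in scope."""
    answered = view.get(subject, {})
    pivots = [v for q in think_steps["pivot_questions"] for v in answered.get(q, {})]
    return [p for p in pivots if p not in already_scoped]


def run_cycle(raw_notes, scope_subjects, think_steps):
    """One pass of enumerate > explore > QoI check > omit, plus pivot detection."""
    records = enumerate_records(raw_notes)
    view = explore(records)
    kept = omit_useless(records, scope_subjects)
    report = {"records_kept": len(kept), "subjects": {}}
    for subject in scope_subjects:
        report["subjects"][subject] = {
            "qoi": qoi_check(view, subject, think_steps),
            "pivots": find_pivots(view, subject, think_steps, scope_subjects),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_cycle(RAW_NOTES, ["example-bad.test"], THINK_STEPS), indent=2))
```

Running it on the constructed notes flags certificate transparency as an unchecked source and first_seen as an unanswered question (both new collection requirements), lists the VirusTotal attribution comment among the single-source claims that cannot yet support a hypothesis, reports the resolution to 192.0.2.10 as corroborated by two sources, drops the out-of-scope and duplicate records, and returns the malware hash as a pivot point for a follow-on investigation.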
Step 8 – Generate Hypothesis
Now that the information is collected and organized, you can generate a hypothesis. However, it is important to remember that not every OSINT investigation will result in a hypothesis. Sometimes there is not enough information.
For example, you investigate a suspicious domain and see a comment on VirusTotal attributing the domain to a specific threat group, but you cannot find anything else that confirms this. If you hypothesize that the domain belongs to that threat group and then move on to the next step to confirm it, you may not be able to. Does this mean it is not true? Without concrete evidence proving it one way or the other, it is still a possibility on the table.
Step 9 – Confirmatory Analysis / Think Steps Review
This is when you put your hypothesis or hypotheses to the test. If you are unable to validate a hypothesis, you can start again at Step 4 with further data enumeration. If the type of investigation did not produce a hypothesis, this is the stage where you confirm that you have evidence for all of the other information in your report.
Claims need to be backed up with proof and sources. This is also a great time to review your think steps: are there any questions left unanswered or sources unchecked?
Step 10 – Disseminate
This is the single most important step in the stairway, because dissemination is the end goal. This is where you conclude your analysis and interpret your results, most often in the form of a report, although it depends on the investigation. Remember, the scope set in Step 2 affects the final deliverable.