Think Steps: A Practical Guide

By: Nicole Hoffman

In 2020 while doing a deep dive into analysis, I unintentionally created my own analysis framework called the Cognitive Stairways of Analysis. I introduced the framework within a blog post, but it didn’t gain traction until I presented the framework at the 2021 SANS CTI Summit in January. During the presentation I mentioned that if you get anything from this talk, I hope it can be the idea of think steps. So, I decided to write this blog to expand upon this idea and show a practical application. 

I discovered the idea of ‘think steps’ within a white paper titled How Analysts Think: Think-Steps as a Tool for Structured Sensemaking in Criminal Intelligence Analysis by Nallini Selvaraj, Simon Attfield, Peter Passmore, and William Wong. The authors define think steps as “a template that enables the analyst to “approach the case”, decompose it into separate elements and classify associated data accordingly.” ( Selvaraj et al. 2016 ) 

If you remember my talk, I will mention the process of sensemaking. Sensemaking is the process of how our brains make sense of the world around us. Humans cannot remember every observation they experience, so the brain maintains this data within schemas. The schemas are organized in the brain in something called a semantic network.  

When experiencing an event, the brain attempts to find a relevant schema in its semantic network. Any observations within the event that do not fit with a schema is known a discrepancy or insight. When an insight is discovered, the brain does one of two things. It either updates one of its schemas or determines the observation is untrustworthy and ignores it.

So, our brains are constantly going through an exploratory and confirmatory analysis process. For example, I have experienced several thunderstorms throughout my lifetime, but recently I moved to Texas. I like to believe I have a schema within my brain full of the characteristics of a thunderstorm I have experienced.

A week after I moved here there was a really bad thunderstorm that resulted in a tornado and some very loud thunder. When I say loud, I mean really, really loud. These storms were nothing like I had experienced before. It was incredibly stressful, and I imagine my brain was trying to make sense of the events as they were happening.

My brain may have scrolled through my thunderstorm schema like a rolodex trying to determine if this event fit. Eventually, my thunderstorm schema within my semantic network was most likely updated to include these new characteristics. 

Why am I bringing up sensemaking when this is a blog about think steps? I promise I will get there. Stay with me. I am going to pull back an additional layer in this conversation and dive a little deeper.

We have gone over how our brains make sense of the unknown, but what about how the brain forgets? Before I get into this let me just note that I am not a neuroscientist or an expert in this field. I simply research information and interpret what I learned. 

I found a really interesting article about the ability to forget and how it is crucial to how our brains work. The article, titled The Forgotten Part of Memory, was written by Laura Gravitz. Gravitz details how Paul Frankland, a neuroscientist from Toronto, Canada, found evidence that the brain is wired to forget. What was previously thought to be a flaw in the brain may actually be a useful feature. Paul Frankland’s research involved adult mice however, researchers believe the human brain may be quite similar. 

“Because the hippocampus is not where long-term memories are stored in the brain, its dynamic nature is not a flaw but a feature, Frankland says — something that evolved to aid learning. The environment is changing constantly and, to survive, animals must adapt to new situations. Allowing fresh information to overwrite the old helps them to achieve that.” (Gravitz, 2019)

So, in a way our brains may be constantly going through data management and determining what is important and what is not so we can continue to evolve into new environments. If our brains our wired to forget it would make sense that think steps would be extremely helpful tool for helping our brains identify what we are experiencing. More specifically, think steps can be an incredibly beneficial tool for capturing tacit knowledge. 

There are three types of business knowledge according to an article written by Rachel Alexander titled Different Types of Knowledge: Implicit, Tacit, and Explicit. The article defines these types of knowledge as follows:

  • Explicit Knowledge: Knowledge that is easy to articulate, write down, and share. 
  • Implicit Knowledge: The application of explicit knowledge. Skills that are transferable from one job to another are one example. 
  • Tacit Knowledge: Knowledge gained from personal experience that is more difficult to express. 

Capturing tacit knowledge from subject matter experts can be difficult especially in remote work environments. This is one of the reasons it sucks when really experienced employees leave. Standard operating procedures (SOPs) are an excellent tool for capturing this data, but often times they are not as detailed as they need to be to encompass the full breadth of tacit knowledge. Moreover, SOPs should remain a living document that evolves with the workplace, which is not always the case. 

I believe think steps could act as a key element to cyber security SOPs. I discovered the think step idea within a criminal intelligence white paper. The use case makes so much sense to me. A seasoned detective can quickly identify when specific crimes are occurring based on the signs they have witnessed throughout their career. Imagine capturing that knowledge for training younger detectives who are just starting out? I can see the same value in the field of cyber security and threat intelligence. 

If you have been in tech a few years you may have heard the phrase  “drinking from a fire hose”. This phrase refers to the immense amount of data you are expected to learn when starting something new like a new job. Everyone knows you won’t remember everything. We are only human, but if you are like me, I try and take notes to help me remember.

Over time I am able to get rid of some notes as I repeat the same tasks over and over. It leaves me wondering how many other people are doing this. What if we captured these questions and added them to our think steps / SOPs? It could be incredibly valuable for new employees in the future. There will always be new questions about why the documents should remain living documents. 

I wanted to provide a useful example of think steps. One of the threats I see on a recurring basis is domain spoofing or squatting. This occurs when someone registers a domain remarkably similar to a legitimate domain. These domain registrations can lead to many different outcomes. Here are just a few that I have personally witnessed:

  • Business email compromise (BEC) spear phishing attack meant to trick the recipient with a fraudulent email crafted to appear similar to a specific individual’s legitimate email. The motive is usually financial whether it be payroll or wire fraud schemes. 
  • Benign domain parking, or cash parking, is when a domain registrant places advertisements on an inactive web domain to generate revenue. Parked domains typically generate revenue based on how many visitors land on the site and click the advertisements. These domain registrants can also sell their domains to interested parties. The motive is typically financial gain and not malicious. 
  • Malicious domain parking can include malicious links instead of legitimate advertisements. Moreover, many BEC phishing campaigns originate from a parked domain. 
  • The domain belongs to a legitimate company with a similar name. 

When analyzing domain registrations to determine the potential impact I might follow the following think steps. 

  1. When was the domain registered? Is it new or has it been a while? If it has been registered for a long time it may indicate a lack of malicious intent.
  2. Who registered the domain? Are there other domain registrations by this individual? If there are a lot of other registrations, are the domains all targeting one legitimate site or several within the same industry? Or multiple industries? This could indicate a large phishing campaign or a targeted one is imminent. However, many domain registrants use a privacy feature like WHOIS Guard to hide their registration details. Sometimes you can look at previous domain registrations where this feature was not enabled. 
  3. Are there any mail servers set up? If so, how many? This could be an indication that a phishing campaign is imminent. However, this is not always the case. 
  4. Is domain parked? If so, do the advertisements look legitimate or malicious? Certain red flags such as typos can indicate a malicious link posing as a legitimate advertisement. Is the domain using a legitimate domain parking service? I have seen threat actors craft a website to appear parked when it is actually has malicious links instead of advertisements. 
  5. Does the domain have a functioning website? If so, does the website contain any copyrighted branding? This could indicate an attempt is being made to trick visitors in believing the site is associated with a legitimate company. This can impact an organization’s reputation because a visitor may not be aware they are being tricked by a threat actor and just blame the legitimate company. 
  6. Has this domain/IP been reported for malicious activities and/or is the domain on any blacklists? If so, what was the reason the domain was reported? If the IP was reported previously make sure to check if the IP is a shared IP. There are several IP addresses in which thousands of domains are hosted so when the IP address is reported as malicious it’s not super useful information unless the specific domain is listed. 

In conclusion, I hope this blog can help provide a practical application of think steps. In the framework of the Cognitive Stairways of Analysis, think steps go hand in hand with the hypothesis. Every hypothesis should have a set of think steps. Like SOPs, think steps should be living documents.

So, when starting out don’t be concerned if you feel like you are missing something. Just write what you know and as you go through the process of investigations write down any new think steps that you think of that you did not already have written down. Most importantly, share these with your team to shorten the gap of tacit operational knowledge. 


Blog at

%d bloggers like this: