Lateral Thinking Series: Lessons from the healthcare industry

As an analyst, I enjoy thinking. As a cognitive science nerd, I also enjoy thinking about thinking. How can I think better? As someone diagnosed with ADHD, analysis can sometimes be challenging especially if I am not super intrigued about the topic.

This is partially what led me to go down a rabbit hole of studying analytic tradecraft to determine how humans analyze the world around them. First and foremost, I was hoping this would increase my overall analytic abilities. I also wanted to share my findings in a blog post in hopes it would help others in the industry.

Deep in the rabbit hole, in hyper-focus mode, I discovered the process of sensemaking, which I believe is the core of what analysis really is. Next, I wanted to know how other cyber analysts analyze data specifically. A few cups of coffee later, I was thinking about how analysts from other industries analyze data.

This led to the research project that resulted in the cognitive analysis framework The Cognitive Stairways of Analysis. Within this project, I studied how other industries perform analysis, took the key findings, and created my framework.

I took an unconventional path into infosec. I’ve worked in several industries in several cities and states, and like to think I have a good amount of street smarts. By this I mean I have experienced a lot that makes me more of a well-rounded person and analyst.

I can typically make friends in any room because I have either lived somewhere someone else has, I have worked in or with someone’s field, or sometimes there is some other connection. That is, if I am not completely socially awkward or full of social anxiety. Honestly, it depends on the day.

Long story short, I really enjoy using the skills I have learned outside of infosec and applying them to problem solving in cyber threat intelligence. This is known as lateral thinking, or a way of solving problems using an indirect and creative approach via reasoning that is not immediately obvious (Wikipedia). Several problems, especially in infosec, require different perspectives to solve.

So this is the first part in a lateral thinking blog series that is going to dive into five lessons from the healthcare industry that can be applied to infosec.

1. Bedside Manner

Doctors, nurses, and other medical professionals are expected to communicate complex medical topics in a simple and comforting manner. Bedside manner is not something that comes naturally for some. I have had LOADS of medical staff with the worst bedside manner. However, I believe having great bedside manner can lead to a very successful medical career. Bedside manner relies on empathy, kindness, and good communication.

As you become more technical or proficient in a specific subject or field, it becomes more and more challenging to communicate what you are doing and why without technical jargon. Communication is a skill we cannot leave behind in our technical journeys. I know we have a lot of acronyms in tech, but my favorite one that I have heard is ELIF, which stands for “explain it like I’m five.” It may sound easy, but it is not always that simple.

Sometimes my brain cannot think of fancy, eloquent words, so I end up using the most basic words I can muster up. This typically happens in the middle of a presentation. At the end, I sometimes feel like I am not as smart as other presenters because they spoke so eloquently. However, I have had people say thanks for simplifying it and not making it overly complicated.

If you work in cyber threat intelligence, bedside manner equates to client engagement and dissemination. You may have to write an intelligence report for audiences of varying technical abilities. Sometimes the entire report is for an executive, and sometimes it’s just the executive summary. Understanding your audience is always important if you want to be successful in what you do, because at the end of the day you want intelligence to be actionable. If they have no idea what you are talking about, it will most likely not be actioned.

2. Physical Examination

One of the more exciting elements of the medical analytic process is that doctors get the opportunity to perform a physical examination of a patient. A doctor can collect all the data they want, but a physical examination can provide a plethora of information the doctor would not otherwise be able to obtain. However, there are times when doctors are performing virtual visits and have to do the best with what they have.

In these cases, the doctor needs to ensure they have think steps or questions readily available to ask, since they may be able to see the patient but not touch them (by touch I mean when they press on your stomach and what not) or listen to their lungs. The reason they need to be on their game and have ideas ready to go is that the patient is expecting a prognosis at the end of the visit.

I have always been on the vendor side of infosec, which means that I am not physically able to see my clients or their network problems. I cannot comb through their logs or grab an email header from a phishing email for them. When a problem comes up, I have to know what to ask for, just like a medical professional. Different threats are going to present with different symptoms.

For me, with ADHD, this is not always easy to do off the top of my head. I have a bad memory. There’s also A LOT to think about in infosec. Other times my brain just stops working the moment I need it to, and I end up asking a bunch of follow-up questions after a meeting, which is fine. So, I use think steps. These are tools I discovered in a criminal intelligence analysis process. To learn more about think steps, you can read my blog post called Think Steps: A Practical Guide.

3. Monitoring Outcomes

When my doctors diagnose my ailments and prescribe medication, they will often monitor the effectiveness of the medication. If the medication is not solving my problem and I am getting worse, this could indicate the diagnosis was wrong. This is especially important for hospital staff monitoring patient reactions to medications.

One time I woke up after an endometriosis procedure only to find out I am very allergic to the pain medication I was given post-op. Had my nurse not been paying attention, it could have been a lot worse. 

For me in intelligence, I like to regularly ensure my recommendations are helpful. The only way to do this is to follow up with my clients and see what worked and what did not. This is not only helpful to me as their analyst; I also typically learn a lot from these engagements about what it’s like being in security operations. If one particular client really benefited from certain recommendations, I will often share them with others if a similar issue comes up in the future.

This can be applied to so many areas of infosec, but the other one that always comes to my mind is policy. There are so many times people claim they have password policies, but then some breach happens, and the password is “password.” So, if I were to create a security policy, I would want to monitor whether it is effective and being enforced.

4. Trust, but Verify

In medicine there are some illnesses that have similar symptoms. I remember one time I went to the hospital in a massive amount of pain. The doctor concluded it was my appendix. He gave me meds to control the pain, and I was sent off for a scan to confirm. The scan showed it was a cyst that had ruptured and not my appendix.

Could you imagine, though, if the doctor had not confirmed his diagnosis and had treated the wrong issue? It could have been bad. Or if he had thought it was a cyst and sent me home, but it was actually my appendix. Scary stuff.

Historically, malware has a way of masquerading as something other than what it is. For example, in 2017 a new variant of the Petya ransomware was discovered, called NotPetya. Ransomware typically encrypts user data before demanding a ransom for the decryption key. NotPetya, however, was created to look like ransomware but actually had wiping capabilities, making victim devices unbootable.

So trust your instincts and provide recommendations accordingly, because if you are right it will be beneficial for everyone to know those recommendations sooner rather than later. However, make sure you let the client know that you still need to confirm your hypothesis. There are a lot of times in intelligence when there is just not enough information to confirm with 100% confidence. This is typically where you see low, moderate, and high confidence assessments.

5. Practice-based Learning

Practice-based learning basically means learning while on the job. So instead of being in a classroom or reading a book, doctors are constantly increasing their knowledge and abilities while evaluating patients. Over time, doctors will start to easily identify the symptoms of certain illnesses. Sometimes, though, there will be cases they cannot figure out with the usual evaluation and tests.

They either need to refer to a specialist or hit the books and see what they can find out. Doctors are constantly self-evaluating and understand they will always be learning new things. 

Sound familiar? Infosec is always changing and never boring in my opinion. There will always be more to learn, and it can be overwhelming. I just accept there is only so much you can learn at one time. The majority of my learning is practice-based. I let client requests guide my learning journey week by week.

Sure, there are certain areas of tech I am typically focusing on enhancing through textbook and classroom learning, but overall, I learn by doing. Degrees and certs are great, but I still think good old-fashioned experience is super helpful with expanding your knowledge base. 
