“If you will begin with certainties, you shall end in doubts, but if you will content to begin with doubts, you shall end in almost certainties.”
– Francis Bacon
Companies have rules, policies, procedures, systems, and a multitude of other frameworks that support decision making about and responses to different cyber security threats. Seldom do such decisions look at an alternative analysis to assess their frameworks. In addition to these frameworks, which are designed to both limit and broaden decision making, humans also have a natural tendency to view information through a defined set of lenses or selectively based upon experience, preconceived conceptions and framing, group think, and other barriers to being able to see the whole range of possibilities. The problem is that not every cyber security threat is going to fall into one of those frameworks; not every threat will be correctly identified and assessed as a threat. How do companies prepare for those threats that fall outside the normal threat spectrum? By employing different alternative analysis techniques to identify threats outside the normal spectrum along with appropriate response techniques.
What are alternative analysis techniques? Normally part of the tool kit of intelligence analysts and strategic planners, these analysis techniques are a set of tools that are also critical to CISO’s, IT security managers, IT security analysts, and others involved in identifying and understanding threats against IT systems and other business systems. Alternative analysis can be defined as a structured set of methods and techniques that can be employed by analysts and decision makers to challenge judgments, challenge underlying assumptions and evidence, stimulate creativity, and increase the range of considered outcomes and responses. These techniques include ‘What if’ analysis, scenarios, red teaming, Devil’s Advocate, Assumption exposure, and others.
Where do these analysis techniques fit? These alternate analysis techniques simply fall in one step of an ongoing cycle of threat and defense identification and review. Step one in this cycle is admitting that your organization has a problem—the problem being that there are cyber threats out there that the IT team is not aware of, may have already been attacked by, and is not prepared to appropriately deal with and defend against. Step two is to employ techniques that will encourage staff to start thinking like the adversary, which is where alternative analysis techniques come in. Step three is to develop and employ defensive measures based upon identified or potential threats during analysis efforts. Step four is to admit that while you were conducting this analysis, your adversaries were thinking up and trying new and different ways to get into your IT systems, so not every threat has been covered, and go back to step one.
How would IT leaders use alternative analysis techniques? In some ways it depends upon the nature of the IT and security team, but there are generally three steps. The first step is understanding the assumptions that underlie the current security posture. Alternate analysis techniques that would be used to do this include Key Assumption Checks and “What If” analysis. The second step is identifying new and potential threats. Alternate analysis techniques employed during this step include Brainstorming, Outside-In Thinking, Analysis/Debate, Red Teaming, Scenarios, and Modeling/Simulations. Step three is testing established defensive postures and techniques against new attack vectors. This would include the alternate analysis techniques of Key Assumption Checks, Devil’s Advocacy, and Analysis of Competing Hypotheses. Each of these analysis techniques are spelled out in more detail in the U.S. Government Central Intelligence Agency document A Tradecraft Primer: Structure Analytic Techniques for Improving Intelligence Analysis.
IT systems are under constant threat. Some of these threats are well known such as SQL injection attacks or spear phishing efforts. But for every threat that is identified and every defensive response that is put in place, adversaries are constantly developing new ways and technologies to attack systems. The result is a constant game of catch up. But the benefit of using alternate analysis techniques is that maybe your counter measures are not so far behind the attackers, thereby reducing vulnerabilities and the damage attacks can cost.