The Cognitive Stairways of Analysis

Stairway One

Step 1 – Receive Alert

The first stairway begins with an alert. The alert can come from a security tool or by word of mouth, such as a staff member informing you of a pop-up problem. When you begin with an alert, you are given a potential problem that you need to solve.

Step 2 – Determine Scope

The scope, or goals, of the analysis need to be determined, along with the environment or data sources you will need for your analysis. You do not want to pull the logs of the CEO's device if the incident involves a Human Resources staff member. Typically, though, when the alert comes from a security tool, the alert itself will tell you which device is experiencing the issue, so you can acquire that data directly. Remember, the weather forecast workflow taught us it is important to understand what environment you are collecting observables from.

Step 3 – Compile Data / QoI Check

Once you know what data sources you need you can start to compile the data. Once the data is compiled you can do what is called a Quality of Information Check, or QoI. A QoI evaluates the completeness of the information available as well as the reliability of the data sources. This check is important because it can identify information gaps. If you discover an information gap, a new information or intelligence requirement can be created. In addition, it can help boost confidence levels of analytic decisions.

Step 4 – Clean Data / Omit Useless Data

When I say clean the data, I mean to ensure the dataset is organized in a common taxonomy. It can be extremely irritating when this does not occur and could result in an incomplete dataset. For example, if you have the data field listed as San Diego in a few records, SD in a few others and SDCA in a few others, it can get confusing quickly. If you go to query all the logs from the SD office, you will not get the results from the records with San Diego or SDCA listed. This is also the time to omit, or get rid of, any useless data that is not important to your investigation.
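The office-name problem above, worked through in code. This is an added example and not part of the original page: the records, the alias table and the field names are all constructed for the illustration. It shows the same "SD office" query before and after the data is mapped to one taxonomy, drops records that carry no office at all, and reports any value the taxonomy does not cover so the QoI check from Step 3 can record it as an information gap.

```python
"""Clean a log dataset into one taxonomy before querying it.
Added example, not from the original page; all data below is constructed."""
from collections import Counter

# Constructed sample records: the same office appears under several spellings.
RECORDS = [
    {"host": "hr-laptop-01", "office": "San Diego", "event": "4625"},
    {"host": "hr-laptop-02", "office": "SD", "event": "4625"},
    {"host": "fin-desk-07", "office": "SDCA", "event": "4624"},
    {"host": "ops-desk-03", "office": "Austin", "event": "4625"},
    {"host": "hr-laptop-01", "office": "san diego ", "event": "4688"},
    {"host": "vpn-user-11", "office": "Remote", "event": "4624"},  # not in the taxonomy
    {"host": "printer-9", "office": "", "event": "4624"},          # useless: no office
]

# Canonical taxonomy (constructed): every known alias maps to one office code.
OFFICE_ALIASES = {
    "san diego": "SD",
    "sd": "SD",
    "sdca": "SD",
    "austin": "AUS",
}


def normalize_office(value):
    """Return the canonical office code for one raw field value, or None if unknown."""
    key = value.strip().lower()
    return OFFICE_ALIASES.get(key)


def clean(records):
    """Normalize the office field and drop records that carry no office at all.

    Returns (clean_records, unmapped_values). Unmapped values are kept as-is in
    the records but reported, because they are an information gap for the QoI check.
    """
    cleaned, unmapped = [], set()
    for rec in records:
        raw = rec["office"]
        if not raw.strip():          # omit useless data: nothing to attribute it to
            continue
        canon = normalize_office(raw)
        if canon is None:
            unmapped.add(raw)        # new information requirement: extend the taxonomy
            canon = raw
        cleaned.append({**rec, "office": canon})
    return cleaned, unmapped


def query_office(records, office):
    """The 'all logs from the SD office' query from the text."""
    return [r for r in records if r["office"] == office]


if __name__ == "__main__":
    before = query_office(RECORDS, "SD")
    cleaned, gaps = clean(RECORDS)
    after = query_office(cleaned, "SD")
    print(f"raw query for SD: {len(before)} record(s)")       # misses San Diego / SDCA
    print(f"cleaned query for SD: {len(after)} record(s)")
    print("office values not in the taxonomy:", gaps)
    print(Counter(r["office"] for r in cleaned))
```

The raw query finds only the single record spelled exactly "SD"; after cleaning it finds all four San Diego records, and "Remote" is surfaced as a value the taxonomy does not yet know about rather than silently passed through.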

Step 5 – EDA / Visualize and Regression

Exploratory Data Analysis (EDA) is a form of analysis where you are given a dataset, but not necessarily a hypothesis or data model to match it to. In this form of analysis, you explore the data in order to generate a hypothesis. This is also the time to visualize the data and perform Regression Analysis. Regression Analysis is when you attempt to find relationships between variables in a dataset. 

Step 6 – Generate Hypothesis / Think Steps

Once you perform the EDA and Regression Analysis you should be able to generate a hypothesis. If you remember back to the Model of Police Operational Intelligence Analysis, there was a step called Think Steps. Every hypothesis should have a list of think steps. For example, if your hypothesis is that someone is attempting to brute force an admin account, a think step might be to go look at Windows Event ID 4625 (failed logon) over the last half hour. The Think Steps are the steps you would take for each issue. Determining your think steps will help speed up your confirmatory analysis.

Step 7 – Confirmatory

Confirmatory Analysis is when you put your hypothesis or hypotheses to the test using the Think Steps. In the event that you are unable to validate your hypothesis you can start again at Step 5 with further Exploratory Analysis. 
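Steps 6 and 7 carried out on the brute-force hypothesis from the text, as an added example that is not part of the original page. The log export, its pipe-separated line format, the account names, IP addresses and the failure threshold are all constructed for the illustration. The Think Step is the one the text names (count Event ID 4625 per account over the last half hour); the confirmatory step compares that count against the threshold and, if it is not met, sends the analyst back to Step 5.

```python
"""Think Step and confirmatory check for a brute-force hypothesis.
Added example, not from the original page; log lines and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log export, one event per line:
# timestamp|event_id|target_account|source_ip|logon_type
SAMPLE_LOG = """\
2021-03-10T14:02:11|4625|admin|10.0.5.23|3
2021-03-10T14:02:13|4625|admin|10.0.5.23|3
2021-03-10T14:02:14|4625|admin|10.0.5.23|3
2021-03-10T14:02:16|4625|admin|10.0.5.23|3
2021-03-10T14:02:19|4625|admin|10.0.5.23|3
2021-03-10T14:05:40|4625|jsmith|10.0.7.8|2
2021-03-10T14:10:02|4624|jsmith|10.0.7.8|2
2021-03-10T13:15:00|4625|admin|10.0.9.1|3
2021-03-10T14:20:55|4625|admin|10.0.5.23|3
"""

FAILED_LOGON = "4625"                 # Windows Event ID for a failed logon
WINDOW = timedelta(minutes=30)        # "over the last half hour"
THRESHOLD = 5                         # constructed: failures per account that confirm the hypothesis
NOW = datetime.fromisoformat("2021-03-10T14:25:00")   # constructed analysis time


def parse(text):
    """Parse the constructed export into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, logon_type = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "account": account, "src": src_ip, "type": logon_type})
    return events


def think_step_failed_logons(events, now=NOW, window=WINDOW):
    """Think Step: failed logons per target account inside the look-back window.

    Returns {account: {"count": n, "sources": {ip, ...}}}. Events older than the
    window (the 13:15 failure in the sample) are deliberately excluded.
    """
    start = now - window
    result = defaultdict(lambda: {"count": 0, "sources": set()})
    for e in events:
        if e["id"] == FAILED_LOGON and start <= e["ts"] <= now:
            result[e["account"]]["count"] += 1
            result[e["account"]]["sources"].add(e["src"])
    return dict(result)


def confirm_brute_force(events, account, now=NOW, threshold=THRESHOLD):
    """Confirmatory step: True when the hypothesis holds for `account`."""
    stats = think_step_failed_logons(events, now).get(account)
    return stats is not None and stats["count"] >= threshold


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for acct, s in think_step_failed_logons(events).items():
        print(f"{acct}: {s['count']} failed logon(s) from {sorted(s['sources'])}")
    if confirm_brute_force(events, "admin"):
        print("hypothesis confirmed: proceed to Step 8 (Disseminate)")
    else:
        print("hypothesis not validated: back to Step 5 (EDA)")
```

Keeping the Think Step as its own function is the point: the same count can be re-run with a different window or threshold during further EDA without rewriting the confirmatory logic, and the per-account source set is already there for the report in Step 8.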

Step 8 – Disseminate

This is the single most important step in the stairway. It is the end goal: dissemination. This is where you conclude your analysis and interpret your results. This can be in the form of a report or just a note in a ticket describing what your findings are and how you came to that conclusion.

Copyright © 2021 The Cognitive Stairways of Analysis - All Rights Reserved.