connection from internal host A.B.C.D to domain https://www.bad.com/config.php occurred on
23 June 2015 based on logs retrieved from the firewall.” Attribution of an incident is often an
opinion: it is extremely hard to definitively attribute an event to a specific group, since many groups
share similar tactics. Qualify each statement with a scale of trustworthiness based on the source of the
information, the facts that support it, and the methodology applied. Include references and any
supporting or contradicting evidence. Use facts, an analytical methodology, and critical thinking
to reach reasonable assessments. For example,

“Target 1 received a spear-phishing email at 0927 on 17 June 2015 (reference A)
and is currently working on equipment A. Target 2 received a spear-phishing
email at 1035 on 18 June 2015 (reference B) and is responsible for deploying
equipment B. Both are known to be involved in project 1 and have coauthored a
paper on topic Z (reference C). Therefore, it is possible that the threat actor was
seeking information about project 1, as no one else is reported to have received
similar emails.”

Use appropriate adjectives to quantify the likelihood of your conclusion. Rarely will you have all
the information to be absolutely certain of your assessment; therefore, use words such as “very
likely,” “probable,” or “unlikely.” Lastly, test your conclusions by discussing your findings with
others.

Defend your theories and assessments to verify their robustness. Debating ideas generates
new considerations and opens new hypotheses, enriching the analysis. Keeping an open mind
is essential to combat the personal bias every analyst has when assessing a situation.

Once you are satisfied with the analysis, communicate it. The format of a report varies
according to its readers. Ideally, it should include a point-form summary of key findings, an
introduction, the facts amassed, the analysis, and a conclusion. While most readers will only
focus on the point-form summary, the detailed analysis allows colleagues or future successors
to reference your work.

Additionally, other organizations may require technical data from your report, or internal
departments may want to know the likely targets within their ranks. Ensure that the
questions defined in step 1 are either answered or labelled as an intelligence gap for which
further research is required.

Dissemination

Before clicking the “Send” button, consider who should receive the analysis. Don’t assume that
only the network administrators or the CIO are interested in your findings, or that they will share
the information with the relevant personnel.

List individuals or departments that may be interested in your results, including external
institutions, such as your Internet Service Provider (ISP) or content hosting provider, which may
take specific measures based on your threat assessment.



8 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
