The hypothesis approach to incident response

Best practice

08:45 Wednesday, 08 September 2021

Cyber incident response is a multi-skilled field. Across the response team, we require capabilities that stretch from the general end of the spectrum (communication, organisation and documentation) all the way to the technical end (fault diagnosis, malware eradication, system rebuilding, and so on). This post focuses on just one of the many skills needed in the field of incident response.

When an incident is under way, and we are trying to understand the nature and - hopefully - the source of the attack, it's very easy to be lured into digging more and more deeply into a single clue and neglecting any others. Unless one is fortunate enough to have picked the correct potential cause, this is seldom a helpful thing to do: time spent on the wrong thing is time that should have been spent on the right thing.

A way to force oneself to focus is the hypothesis-based approach.

The principle is simple: since diagnosing the issue is probably complicated, one changes the target so that the aim is to reach a hypothesis of what the problem is, within a defined, short time window. Although this seems to take the focus away from the job in hand - figuring out the attack and stopping it - this is the right thing to do because it takes attention from a problem that is very hard to solve and onto a task that is very easy to complete. Most importantly, in order to come up with a hypothesis you are forced to look “wide and shallow” - considering everything that seems to be involved in the issue - rather than “narrow and deep”, digging into just one avenue of investigation.

Once you have distilled the hypothesis, you then test it. You look at whatever else you can see and ask: does this behaviour align with the hypothesis? If nothing you see shows the hypothesis to be wrong, then there is a very good chance that it’s right, in which case you now know where to look. If the evidence breaks the hypothesis, this is still helpful as it gives valuable information as to where not to look when devising the next iteration of the hypothesis.

The hypothesis approach works not because you always come up with a correct hypothesis (you don’t) but because it prevents you running miles down a metaphorical rabbit hole and forgetting to examine all the other evidence in front of you. Yes, if the first hypothesis turns out to be correct, then great. But the point is that the hypothesis is in fact far less important than the thought process through which it forces you to go.