Cyberattacks are sophisticated and challenging at the best of times, especially given the modern tactics adversaries use to confuse and misdirect incident response (IR) teams. Investigative success comes with knowledge and context of the business environment, allowing you to determine the nature of the attack and decide how best to deal with it. The problem is, investigations never go to plan. Even with the most skilled experts in the room and a plethora of tools and training at your disposal, human factors can harm investigations.
Investigation Psychology with Incident Response
An essential but often overlooked factor when building IR capability is the impact certain human behaviours can have on investigative outcomes. Incident managers need to be aware of these traits to be able to counteract their effect. Adverse responses can harm witness testimony and destroy digital evidence, and in some cases, cause more harm than the initial attack. The following common human behaviours can mislead incident investigations, resulting in inappropriate or unfavourable outcomes:
1. The Streetlight Effect
The Streetlight Effect gets its name from the following psychologists’ parable.
An intoxicated man is crawling on his hands and knees under a streetlight. “Do you need some help?”, asks a passing stranger. The man says he’s okay, he’s dropped his wallet. “Where did you drop it?”, asks the stranger. Scratching his head, the man says he’s sure he dropped it down the road. Confused, the stranger asks “Why are you searching here and not at the spot where you thought you dropped your wallet?”, to which the man responds “Because the light is better over here.”
Incident responders must ensure they don’t take the first obvious path through an investigation as it can lead to erroneous conclusions that may leave the business exposed to residual risks, especially if the threat hasn’t been contained. It’s no surprise that cyber adversaries are smart, cunning and deceptive, covering their tracks as they rummage through our networks and systems for things to steal. Responders must avoid this Streetlight Effect by leaving no digital stone unturned and questioning the conclusions of those they interview. This behaviour leads us to the next psychological trait IR managers need to be aware of.
2. Truth-Default Bias
It’s human nature to trust people first. Novice investigators often assume the people they encounter are honest, since it’s easier to trust what individuals say than to face possible confrontation by challenging their testimony. However, in IR, you should never believe what people say. Instead, you should capture evidence and witness it firsthand, eliminating the possibility of conclusions built on hearsay. For many reasons, deception creeps into discussions with managers, users and IT people, usually when people don’t want to admit their mistakes, guilt, fallibility, or gaps in their knowledge. Intentional deception is rarer; in many cases, misdirection is subconscious. The intent may be to draw the IR team’s gaze away from their work or to cover up a mistake or problem. Busy administrators can also misdirect when they assume they know what happened and report it as fact rather than investigating thoroughly. Expecting honesty even when an account sounds implausible is known as Truth-Default Bias. IR managers can counteract its effects by believing nothing and seeking evidence to back up every claim.
3. Confirmation Bias
For IR managers, Confirmation Bias is one of the most challenging traits to navigate, since members of the IR team can also fall into this trap. Confirmation Bias is the tendency for people to look for evidence, or to propose hypotheses as truths, that confirm their personal beliefs about how something happened. When Confirmation Bias influences an IR team, the investigation lacks evidence-based decision making, with conclusions based on supposition and conjecture. No two attacks are the same, so proposing a hypothesis and cherry-picking data to prove it correct must be avoided at all costs.
Experience is the best way to ensure psychological traits don’t ruin good investigations. We recommend IR teams undertake training to help them manage these behaviours and conduct awareness sessions that explain the issues and simulate interviews with exaggerated acts of each characteristic. IR is as much about dealing with people as it is about dealing with systems. But the difference is, people are unpredictable, so it’s time to take back control and reverse the odds.