Analysts should understand the idea of the dispositional scale. As you investigate something, you always look for dispositional cues indicating whether the activity is malicious or benign.
Benign-looking things add weight to one side of the scale, malicious-looking things to the other. Eventually, the scale tips enough in one direction that we settle on a disposition.
When we can confirm the disposition of an event, other events (caused or affected by the original event) also inherit that disposition.
For example, if we know that an attacker executed a file, we can assign a malicious disposition to all the actions the file takes. Dispositional cues become less important than relational cues at that point.
Where the tilt of the scale begins depends on the nature of the investigation and what started it.
SOC analysts and hunters typically begin with the assumption that events are benign until they can prove otherwise -- the burden of proof is on them. That's what drives them forward. They generally assign a malicious disposition to a timeline once they reach 80% certainty of that disposition.
In an incident response or law enforcement scenario, the analysts may already know some malicious action occurred. They're now seeking to associate other events that will inherit that disposition, or individually dispose other events.
It's notable that the examination of seemingly unrelated events still warrants a burden of proof on the analyst. Either you have to associate the new events with the known malicious events, or you should assume they are benign until you can prove otherwise.
When discovered and examined without clear association, individual events start the scale weighted towards a benign disposition.
Sometimes, analysts get lucky and find one thing that clearly indicates a disposition. But often, we're collecting multiple data points and weighing them against each other. It's a constellation or sequence of events that gets us there.
The dispositional scale is always there in some form, and every piece of evidence can tilt it one direction or another.
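As an added illustration (not part of the original text), here is a small Python model of the scale: a starting tilt set by the kind of investigation, dispositional cues that push the scale one way or the other, the 80% threshold for calling a timeline malicious, and inheritance of a confirmed disposition by every event the original caused or affected. The log-odds accumulation, the 0.2 SOC prior, the event names and the cue weights are assumptions chosen for the demonstration, not values from the text.

```python
from __future__ import annotations
import math
from dataclasses import dataclass, field

MALICIOUS_THRESHOLD = 0.80   # certainty at which the text says a timeline is disposed malicious
SOC_PRIOR = 0.20             # assumed starting tilt for SOC/hunting: benign until proven otherwise

@dataclass
class Event:
    name: str
    cues: list[tuple[str, float]] = field(default_factory=list)  # (cue, log-odds weight): + malicious, - benign
    caused: list[Event] = field(default_factory=list)            # events this one caused or affected
    disposition: str | None = None                               # confirmed or inherited; overrides the scale

def certainty(event: Event, prior: float = SOC_PRIOR) -> float:
    """Tilt of the scale: start at the prior, let each dispositional cue push the log-odds, return P(malicious)."""
    log_odds = math.log(prior / (1 - prior)) + sum(weight for _, weight in event.cues)
    return 1 / (1 + math.exp(-log_odds))

def dispose(event: Event, prior: float = SOC_PRIOR) -> str:
    """A confirmed or inherited disposition wins; otherwise the burden of proof stays on the analyst."""
    if event.disposition:
        return event.disposition
    return "malicious" if certainty(event, prior) >= MALICIOUS_THRESHOLD else "benign"

def confirm(event: Event, disposition: str) -> None:
    """Relational cue: a confirmed disposition is inherited by everything the event caused or affected."""
    event.disposition = disposition
    for child in event.caused:
        confirm(child, disposition)

def soc_triage(event: Event) -> str:
    """SOC flow: weigh the cues; once the scale tips past the threshold, propagate the verdict downstream."""
    verdict = dispose(event)
    if verdict == "malicious":
        confirm(event, verdict)
    return verdict

def build_case() -> tuple[Event, Event]:
    """Constructed sample case (hypothetical cues and weights, not real telemetry)."""
    dropped = Event("dropped_file", cues=[("file signed by a known vendor", -1.0)])
    proc = Event("office_child_process", cues=[
        ("process spawned by a document macro", 2.0),
        ("writes to the startup folder", 1.5),
        ("binary signed by a known vendor", -1.0),
        ("outbound connection to a newly registered domain", 1.0),
    ], caused=[dropped])
    return proc, dropped
```

With only the first three cues the process sits at roughly 75% and stays assumed-benign; the fourth cue tips it past 80%, and the dropped file, benign-looking on its own, then inherits the malicious disposition through the relational link.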