DFIRinProgress Blog

Decision Making in Cyber Security: Are You Suspicious?

2 min read

TL;DR

Why Should I Care? Making solid decisions is crucial in cyber security and a poor decision can lead to serious consequences.

What Should I Consider? Use the question “Are you suspicious?” as a guide throughout the investigation process.

Are You Suspicious?

In my first full cyber security role I had a great mentor who helped me understand how to make good decisions. He often boiled it down to the question:

Are you suspicious?

That became my go-to question for investigations and served as a guide of sorts. If you’re suspicious, dig deeper until you either have conclusive evidence for an escalation or can confidently state, with evidence, that you’re not suspicious. When you conclude that an event is non-suspicious, it’s all about the documentation. Stating that you’re not suspicious or that the event was a false positive does not cut it. Stating how you concluded that the event was non-suspicious, linking business processes, communications and other findings, is what makes the difference.

A Straight Line Isn’t the Only Way

The investigative process is not a single pass; it should be iterative, pivoting as required based on findings.

My Thoughts from Investigating Windows Systems.

There is no one way to solve a problem. Findings will take you down different paths: some lead to dead ends, others are leads that bounce you onto new paths. Sometimes solving a problem means taking a step back (this can be hard, especially when you are invested in solving the problem as soon as possible).

Curiosity

Cyber security is one of the best industries to work in for the amount of puzzles and problems there are to solve. Stay curious and continue learning. There is always another rabbit hole to go down and learn.

It is okay to not know something. No one has seen it all and no one knows everything. If you are unsure don’t be afraid to put your hand up and ask a question.

Mistakes

Everyone makes mistakes. It’s what you do after the mistake that matters.

You are going to make mistakes. There is an abundance of quotes about mistakes, and they agree that it is the follow-on actions that matter. This applies to cyber security just as much as to life in general. So when you make a mistake, focus on how you handle it; that is what really matters.