Hello and welcome to the second lesson of the module on analysis and production. In this lesson, we will discover together a technique of analysis, which is the Analysis of Competing Hypotheses. Analysis of Competing Hypotheses is also called ACH, and this video will mostly call it ACH.
This lesson is fully dedicated to explaining this technique, and it will start with a quick definition. We will also explain how it is used in CTI, enumerate the different steps of ACH, and finally close this video with a practical case study about the WannaCry incident.
The CIA defines ACH as a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve.
Analysis of Competing Hypotheses, or ACH, requires an analyst to explicitly identify all the reasonable alternatives and have them compete against each other for the analyst's favor, rather than evaluating their plausibility one at a time.
Like many other cyber threat intelligence models that were borrowed from parallel domains, especially the military, ACH was also borrowed to aid analysts. Producers and consumers of cyber threat intelligence have largely relied on ACH to evaluate and analyze data, as a basis for identifying attribution, patterns and more.
ACH is an eight-step procedure. The first step is to enumerate all the possible hypotheses. In this step, we do not consider feasibility. The second step is to support the hypotheses by seeking additional evidence that supports or refutes each hypothesis, and we also discuss missing evidence.
In the third step, we compare the evidence, and for this we use a matrix of evidence like the one displayed on this slide. In the fourth step, we refine the matrix by removing non-diagnostic evidence, adding overlooked evidence where applicable, including the formulation of new hypotheses, and documenting the excluded evidence.
The fifth step is to prioritize the hypotheses by likelihood. Then we determine evidentiary dependence, which means the confidence in each piece of evidence and the consequences of that evidence being invalid. The seventh step is to report conclusions, including all considered hypotheses, the key evidence and proper estimative language. The final step is to identify and evaluate milestones, which means taking into consideration that evidence may change over time and that these changes may impact the outcome, so you need to know under which circumstances evidence may change and how these changes would affect your conclusions.
After enumerating the different steps of ACH, we are now ready to see how we can use ACH in real-life analysis.
Cyber security intelligence provider Digital Shadows gave a real-world example of ACH in action in May 2018, when it published a report about multiple competing hypotheses surrounding the WannaCry ransomware incident. The malware impacted enterprise networks and organizations across the globe, and a variety of explanations soon began to worm their way through the information security community: who was responsible for the WannaCry campaign, and what was their objective?
Digital Shadows outlined four possible hypotheses about potential attribution and tested them against the set of evidence that became available during and after the incident occurred.
Hypothesis number one, H1, is a sophisticated, financially motivated cyber criminal actor. H2 is an unsophisticated, financially motivated cyber criminal actor. H3 is a nation state or state-affiliated actor conducting a destructive operation. H4 is a nation state or state-affiliated actor aiming to discredit the National Security Agency, the NSA.
Now, after outlining the different hypotheses and based on the information available about this incident, a list of evidence was created, and the hypotheses were compared against each other using a matrix of hypotheses like the one displayed on this slide.
The next step is refining this matrix and removing all the evidence that is not relevant. After refining the ACH matrix and eliminating the evidence with little value, on the basis of the available information about WannaCry, we get the matrix displayed on this slide.
The WannaCry campaign was most likely launched by either an unsophisticated, financially motivated cyber criminal actor, H2, or a nation state or state-affiliated actor aiming to discredit the National Security Agency, the NSA, which is H4. From the ACH matrix, we can identify that H2, an unsophisticated, financially motivated cyber criminal actor, was the strongest-scoring hypothesis from the evidence that was available.
While ACH brings many benefits, the main problem with using this approach is that there is currently no way to structure the process of testing evidence against a set of hypotheses.
As a result, producers of intelligence often create multiple competing hypotheses around a given threat, hoping to identify the strongest hypothesis, that is, the one most supported by the available evidence. If the process of testing evidence can be structured more effectively, the benefits of ACH will become even more apparent.
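As an added worked example (not part of this lesson or of Digital Shadows' report), here is one way to structure the matrix steps in Python: the four hypotheses H1-H4 are the lesson's WannaCry hypotheses, but the evidence items and their consistent/inconsistent/neutral ratings are constructed for illustration only. It refines the matrix by dropping non-diagnostic evidence (step 4), scores hypotheses by counting inconsistent evidence as in Heuer's method (step 5), and reports which evidence the leading hypothesis depends on (steps 6 and 8).

```python
"""Added ACH matrix example. H1-H4 are the lesson's four WannaCry hypotheses;
the evidence items and their C/I/N ratings below are CONSTRUCTED for
illustration and are not Digital Shadows' published matrix."""
from typing import Dict, List, Tuple

Evidence = Tuple[str, Dict[str, str]]  # (description, {hypothesis: rating})
HYPOTHESES = ["H1", "H2", "H3", "H4"]  # H2: unsophisticated criminal, H4: discredit NSA
# Ratings use Heuer's convention: C = consistent, I = inconsistent, N = neutral.
EVIDENCE: List[Evidence] = [
    ("Single flat ransom demand, no per-victim negotiation", {"H1": "I", "H2": "C", "H3": "N", "H4": "N"}),
    ("No reliable way to tie a payment to a victim", {"H1": "I", "H2": "C", "H3": "C", "H4": "C"}),
    ("Spread as a worm using a leaked exploit", {"H1": "C", "H2": "C", "H3": "C", "H4": "C"}),
    ("Unregistered kill-switch domain left in the code", {"H1": "I", "H2": "C", "H3": "I", "H4": "N"}),
    ("Low ransom revenue relative to infection scale", {"H1": "I", "H2": "C", "H3": "N", "H4": "C"}),
    ("Victims hit indiscriminately across sectors", {"H1": "N", "H2": "C", "H3": "I", "H4": "N"}),
    ("Ransom wallets were later cashed out", {"H1": "C", "H2": "C", "H3": "I", "H4": "I"}),
]

def refine(evidence: List[Evidence]) -> List[Evidence]:
    """Step 4: drop non-diagnostic evidence, i.e. items rated the same for
    every hypothesis, because they cannot separate the hypotheses."""
    return [e for e in evidence if len({e[1][h] for h in HYPOTHESES}) > 1]

def inconsistency_scores(evidence: List[Evidence]) -> Dict[str, int]:
    """Step 5: Heuer scores each hypothesis by the number of evidence items
    inconsistent with it; the fewest inconsistencies is the most likely."""
    return {h: sum(r[h] == "I" for _, r in evidence) for h in HYPOTHESES}

def leaders(evidence: List[Evidence]) -> List[str]:
    """Hypotheses tied for the lowest inconsistency count (ties are kept
    visible instead of being broken arbitrarily)."""
    scores = inconsistency_scores(evidence)
    best = min(scores.values())
    return [h for h in HYPOTHESES if scores[h] == best]

def critical_evidence(evidence: List[Evidence]) -> List[str]:
    """Steps 6 and 8: which single item, if later shown to be invalid, would
    change or tie the leading hypothesis? These are the milestones to re-check
    as new information arrives."""
    baseline = leaders(evidence)
    return [desc for i, (desc, _) in enumerate(evidence)
            if leaders(evidence[:i] + evidence[i + 1:]) != baseline]

if __name__ == "__main__":
    matrix = refine(EVIDENCE)
    print("scores:", inconsistency_scores(matrix), "leaders:", leaders(matrix))
    print("conclusion hinges on:", critical_evidence(matrix))
```

With these constructed ratings H2 leads with zero inconsistencies, as in the lesson's conclusion, but the check shows that invalidating a single item would tie it with H4, which is exactly the evidentiary dependence step 6 asks you to document.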
In this lesson, we discovered together what ACH is. We've seen ACH in cyber threat intelligence. We enumerated the different steps, the eight steps of ACH. And we've seen a real case of how you can use ACH in a real-world situation, which was the WannaCry incident.
And as a key takeaway, please take into consideration that there is no guarantee that ACH or any other procedure will produce a correct answer. Analysis of Competing Hypotheses does, however, guarantee an appropriate process of analysis. This procedure leads you through a rational, systematic process that avoids some common analytical pitfalls or cognitive biases.
This is all for Analysis of Competing Hypotheses. In the next video, we'll discover together another technique of analysis, which is actually a combination or merging of two techniques, the cyber kill chain and the diamond model.