Cognitive biases in the work of SOC analysts.

A service that looks legitimate

Here’s an interesting situation: a SOC analyst receives an alert indicating the launch of a suspicious service. However, the process name suggests that it is a legitimate system process (see the first line of the screenshot). So the analyst ignores the alert.

And that’s a mistake. If you examine the additional data more carefully, you find that what was actually launched was a tunneling tool disguised as a system process. The analyst should have been alerted by actions such as renaming the executable and placing it in the system32 folder.
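The point of the example above is that the process name is the weakest piece of evidence in the alert, while the supporting fields (the binary's own metadata, its hash, its location, its parent) are what separate a genuine system binary from a renamed tool. The following triage helper is an added illustration, not code from the original post or from the SOC team it describes: the alert records, the "known-good" baseline, the hash values and the tool name `tunnel-client.exe` are all constructed here, and the field names are assumptions about what an EDR or Sysmon-style alert would carry.

```python
"""Added example: cross-check a service-launch alert against a baseline
instead of trusting the image name. Every record and hash below is
constructed for illustration; a real baseline would come from a golden
image or vendor-published hashes."""
import hashlib
import ntpath

# Constructed stand-in for the hash of a genuine build (not a real Windows hash).
GOOD_HASH = hashlib.sha256(b"constructed: genuine svchost.exe build").hexdigest()

# Constructed baseline: what a real svchost.exe launch should look like.
KNOWN_GOOD = {
    "svchost.exe": {
        "original_filename": "svchost.exe",          # PE OriginalFileName
        "sha256": {GOOD_HASH},                        # known-good builds
        "dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
        "parents": {"services.exe"},
    },
}


def triage(alert: dict) -> tuple[str, list[str]]:
    """Return (verdict, findings) for one alert record.

    ``alert`` has the (assumed) keys: path, original_filename, sha256, parent.
    A "consistent" verdict means the supporting evidence agrees with the
    baseline; it is a reason to keep investigating calmly, not to close the
    alert on the strength of the name alone.
    """
    path = alert["path"].lower()
    name = ntpath.basename(path)
    baseline = KNOWN_GOOD.get(name)
    if baseline is None:
        return "unknown", ["no baseline for this image name; triage on other evidence"]

    findings = []
    if alert["original_filename"].lower() != baseline["original_filename"]:
        findings.append(
            f"renamed binary: on-disk name {name} but PE OriginalFileName "
            f"is {alert['original_filename']}"
        )
    if alert["sha256"].lower() not in baseline["sha256"]:
        findings.append(f"file hash does not match any known-good build of {name}")
    if ntpath.dirname(path) not in baseline["dirs"]:
        findings.append(f"unexpected location {ntpath.dirname(path)}")
    if alert["parent"].lower() not in baseline["parents"]:
        findings.append(f"unexpected parent process {alert['parent']}")
    return ("escalate" if findings else "consistent"), findings


# Constructed alerts: a genuine service host, and the post's scenario of a
# tunneling tool renamed to svchost.exe and dropped into System32.
SAMPLE_ALERTS = [
    {
        "path": r"C:\Windows\System32\svchost.exe",
        "original_filename": "svchost.exe",
        "sha256": GOOD_HASH,
        "parent": "services.exe",
    },
    {
        "path": r"C:\Windows\System32\svchost.exe",
        "original_filename": "tunnel-client.exe",   # constructed tool name
        "sha256": hashlib.sha256(b"constructed: renamed tunneling tool").hexdigest(),
        "parent": "services.exe",
    },
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        verdict, findings = triage(alert)
        print(alert["path"], "->", verdict)
        for f in findings:
            print("   ", f)
```

Note that in the second record the name and the location both look right, which is exactly what anchored the analyst in the story; only the binary's own metadata and hash give it away, so a triage checklist that reads those fields before forming an opinion counters the anchoring effect the post describes.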

Why did the analyst make such a mistake? This is a common cognitive bias known as the “anchoring effect.” The first piece of information about a new phenomenon has the strongest influence on a person (not just an analyst, but anyone). This principle is even enshrined in popular sayings (“you are judged by your appearance,” “the first word is more important than the second”).

Here’s another example: a detection rule often generates false positives (FP). Having become accustomed to this, the SOC analyst closes yet another alert without paying due attention to it… but this time it was a real attack.

This is another well-known cognitive bias, characteristic of reasoning by analogy. It, too, is enshrined in popular culture, in the form of the story about the boy who too often cried “wolf, wolf!” in jest.

Our colleague, SOC analyst Taha Hakim, has compiled examples of such stereotypes and “blind spots” characteristic of cybersecurity specialists in his article. He also proposes a number of methods that allow analysts to identify such biases and the mistakes in their reasoning that follow from them.

The main idea: do not rush to explain a phenomenon based on the first facts you receive. It is better to treat your ideas as hypotheses that need to be either proven or disproven with additional data.

More details are in the article “Human factor in cyber defense: when the enemy is our own mindset”.