Defensive Avoidance vs Vigilance to Detail
NSM is a methodology that facilitates the investigation of security incidents. Whichever tools you use to accomplish this, at the end of the day it is you, the investigator, who has to make sense of the gathered information. There’s only one tool for doing this, and it’s called GreyMatter v1.0; it’s installed at the factory between the ears of every one of us. Well, most of us, at least.
I’m interested in investigation as a skill in its own right, and I find it useful to learn how investigators in areas outside of IT go about their business. Whilst their skills may not be directly relevant to the infosec world, there are definite parallels in that all investigators have to acquire and collate information and extract high-quality evidence from it.
As an example, Advanced Surveillance by Peter Jenkins is a great manual on physical surveillance. I’m not likely to ever lead a team imposing surveillance on Mister Big, but it’s very interesting to see how Peter goes about acquiring information and handling it in a manner acceptable to law enforcement and the courts. It also makes it easy to spot TV cops conducting surveillance badly. Dexter really needs to read a copy.
I’m currently reading Investigative Interviewing by Dr Eric Shepherd, a Consultant Forensic Psychologist (a cool job title if ever I heard one!). The book is aimed at UK law enforcement, and is intended to complement their interview training.
Early on in the book, Dr Shepherd introduces two investigative mindsets, “Defensive Avoidance” and “Vigilance to Detail”. Introducing Defensive Avoidance, Dr Shepherd says:
There are many pressures in the workplace: volume of work, shortage of staff, limited time and resources, and restricted budgets. These pressures are liable to lead investigators to adopt a mindset of defensive avoidance that is not consistent with quality performance. More cases can be worked more quickly and with less “grief” by not “doing” detail: by not enquiring in detail, by not observing closely, and by not examining systematically. Defensive avoidance is a decision to minimize the mental demands and to evade the complexity and implications of detail. It is characterised by taking the “short cut” as much as possible. [...] The common theme is confirmation bias, ie the search for information that confirms prior belief and ignoring that which does not.
An investigator with this mindset may approach their interviews with the goals of confirming what they know, or what they think they know, or what they want to be true. This is not necessarily borne out of laziness or incompetence; above, Dr Shepherd lists other pressures that lead to defensive avoidance.
Elsewhere, I’ve seen defensive avoidance categorised by:
- Lack of vigilant search
- Distortion of the meaning of warning messages
- Selective inattention and forgetting
Dr Shepherd then introduces a second mindset, Vigilance to Detail:
The alternative mindset to defensive avoidance [...] is vigilance: the decision to be attentive, observant, and circumspect in respect of detail. Common sense argues that the life-blood of an effective investigation is a comprehensive grasp of the fine-grain detail. An investigator who is not committed to all the detail – warts and all – is a contradiction in terms. Vigilance to detail is mentally and physically demanding. The pressure can be markedly eased by operating with a model of investigation that assists thinking and action in the gathering and processing of detail.
An interview conducted with this mindset will seek to establish an account of what happened. This then becomes a body of evidence, and the investigator will draw their conclusions from it well after the interview has concluded, not before or during it. This mindset will also drive you to pay attention to not only what was said, but what was not said.
Stepping back into the infosec world, these two mindsets seem familiar – I’ve seen defensive avoidance before:
- In this story, anti-virus said that everything was OK, so the issue was not (initially) looked at in any more detail.
- In this story, the helpdesk removed the obvious symptoms of infection without looking in more detail at what the infection actually was and how it got in (there was another driver towards defensive avoidance here – apathy. The helpdesk staff didn’t care about the detail – all they wanted was for the user to get off the phone as quickly as possible).
- More than once I’ve reported an incident to a customer, only to have them say “it’s OK, our anti-virus caught it”. If your AV took care of it, why am I still seeing hostile traffic?
- The lower tiers described here could be said to be exhibiting a degree of defensive avoidance, too.
Vigilance to Detail, on the other hand, reminds me much more of what you can do if you are practicing NSM principles:
- NSM captures all the detail crossing the network and provides you with a terrific amount of information from which you can extract high-quality evidence.
- It allows you to see not just what was said (AV/IDS alerts etc.) but also what was not explicitly said (eg, session data from apparently benign transactions).
- NSM allows you to investigate indicators that others may take at face value (AV/IDS alerts etc.), or
- To determine why you have a “non-barking dog” on your hands (eg a blatantly infected machine that’s spewing spam whilst its AV does nothing).
At the end of the day, Vigilance to Detail is just a mindset, and NSM is just a methodology. It’s up to us, the investigators, to make the most of both.
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk