In 1887, Sir Arthur Conan Doyle introduced readers to Sherlock Holmes. The brilliant, arrogant, and cocaine-addicted consulting detective became one of the best-beloved characters in literary history. Holmes' unbelievable adventures, reported by his trusty sidekick Doctor John Watson, introduced Victorian popular culture to the capabilities of forensic science and analytical techniques that would become the foundations of modern detecting. And these can be applied to cyber threat intelligence, too.
"In solving a problem of this sort, the grand thing is to be able to reason backward," Holmes tells Watson in A Study in Scarlet. This puzzle-solving technique, though presented in a work of fiction, is a reliable method for cyber threat intelligence analysts and forensic cyber investigators. Modern cyber criminals and state-backed actors have something in common with Victorian-era murderers: they leave evidence behind. In cyber threat intelligence, this evidence is known as "threat behaviours," or the tactics, techniques and procedures executed by adversaries. Each of these behaviours is a clue to identifying cyber attackers' motives and methods.
In his debut story, Conan Doyle sums up what it means to think like a detective – or, in our case, a cyber threat analyst: "There are few people, however, who, if you told them a result, would be able to evolve from their own inner consciousness what the steps were which led up to that result," Holmes says. "This power is what I mean when I talk of reasoning backward, or analytically."
In this paper and presentation I will describe the investigation and forensic techniques Sherlock Holmes first introduced to mainstream readers, as well as modern interpretations of the detective's analytical methods. Additionally, analysts will learn how to apply those concepts to modern cyber investigations and understand how critical thinking, analytical puzzle solving, and historic forensic sciences can apply to their current careers.
Got a question about this presentation? During the live broadcast, post your question in the #q-and-a channel on Discord or, to get in touch with the speaker later, contact Selena on Twitter at @selenalarson.