Welcome to the VB2021 conference!

What cyber threat intelligence analysts can learn from Sherlock Holmes

16:00 - 16:30 UTC Fri 8 Oct 2021
Selena Larson (Proofpoint)
In 1887, Sir Arthur Conan Doyle introduced readers to Sherlock Holmes. The brilliant, arrogant, and cocaine-addicted consulting detective became one of the best-beloved characters in literary history. Holmes' unbelievable adventures reported by his trusty sidekick Doctor John Watson introduced Victorian popular culture to the capabilities of forensic science and analytical techniques that would become the foundations of modern detecting. And these can be applied to cyber threat intelligence, too.

"In solving a problem of this sort, the grand thing is to be able to reason backward," Holmes tells Watson in A Study in Scarlet. This puzzle-solving technique, though presented as a work of fiction, is a reliable method for cyber threat intelligence analysts and forensic cyber investigators. Modern crimes perpetrated by cyber criminals and state-backed actors have things in common with Victorian-era murderers: they leave evidence behind. In cyber threat intelligence, these are known as "threat behaviours," or the tactics, techniques and procedures executed by adversaries. Each of these behaviours is a clue to identifying cyber attackers' motives and methods.

In his debut story, Conan Doyle sums up what it means to think like a detective – or, in our case, a cyber threat analyst: "There are few people, however, who, if you told them a result, would be able to evolve from their own inner consciousness what the steps were which led up to that result," Holmes says. "This power is what I mean when I talk of reasoning backward, or analytically."

In this paper and presentation I will describe the investigation and forensic techniques Sherlock Holmes first introduced to mainstream readers, as well as modern interpretations of the detective's analytical methods. Additionally, analysts will learn how to apply those concepts to modern cyber investigations and understand how critical thinking, analytical puzzle solving, and historic forensic sciences can apply to their current careers.
Selena Larson
Proofpoint

Selena Larson is a senior threat intelligence analyst at Proofpoint on the Threat Research team. She collaborates with fellow researchers to identify and investigate advanced threats and develop actionable threat intelligence. Previously, Selena was a cyber threat analyst for the industrial cybersecurity firm Dragos, and a cybersecurity and privacy journalist.