During my years working in Security Operations, we were very careful to vet anything that came our way. We vetted sources, intelligence, IOCs, TTPs (tactics, techniques, and procedures), and other information as well. The reason for this was straightforward. Leveraging anything that was not properly vetted could result in serious consequences.
What are these consequences, you ask? There are many, of course, but a few of them include:
- Drowning in false positives (and thus potentially missing true positives)
- Wasting resources chasing ghosts
- Causing unnecessary downtime by responding to faux incidents
- Damaging trust and relationships (sometimes irreparably) with stakeholders
- Harming the reputation and political capital of the security team
As you can see, some of these consequences are worse than others, but none of them are great. Thus, it is not surprising that the vast majority of security teams vet information properly before introducing it into the security workflow. It is a logical practice that makes complete sense.
Given that we understand this when it comes to information, why is it so hard to apply this practice to people or organizations (teams, enterprises, vendors, etc.)? In other words, while most of us vet security information rigorously, when we hear information, and especially negative information, about people or organizations, most of us don’t vet it rigorously at all. In fact, in many cases, we will begin thinking negatively of or discounting who or what we heard negative information about before asking simple questions that could quickly expose the truth.
This has been a question that has troubled me for quite some time, and I’ve always wondered why this is the case. While I’m not an expert in human behavior, it may provide us with some insight here. In general, people do not like to displease other people or to come across as unpleasant. In addition, many people prefer to avoid conflict, even if that conflict is necessary and would result in a greater good.
There are likely many reasons, but even these two help us understand why many people shy away from vetting information they hear about people or organizations. Doing so might require unpleasantness and a bit of healthy conflict. Even so, it is a worthwhile practice that can help security teams ensure they don’t discount someone or something that may add value, while simultaneously embracing and empowering someone or something that may cause harm.
How can we vet information, and in particular negative information, about people or organizations?
Here are a few techniques that can be employed:
- Ask questions: As the German philosopher Friedrich Nietzsche stated, “Truth doesn’t mind being questioned. A lie does not like being challenged.” In other words, when someone is sharing the truth with us, they won’t mind at all if we have a few questions and/or want to clarify a few things. On the other hand, when someone is lying, if you probe even a little bit, the narrative will quickly break down. The person lying might even get reactive, hostile, attack you, and/or attempt to deflect. Those are all signs that the piece of information you have been given may not be reliable.
- Ask for evidence: If a person or organization has indeed done whatever it is they are being accused of, shouldn’t there be evidence of that? It is, unfortunately, a well-known trick of deceitful people that they are often vague and omit specifics. This makes it harder for most logical and empathetic people to identify the inconsistencies in the story that might reveal the truth. The solution to this is straightforward – ask for evidence. If that subsequently results in a variety of evasive tactics and not the evidence that was requested, it is a clue that the information is probably not reliable.
- Approach the targeted person or organization directly: It amazes me that more people don’t simply approach the targeted person or organization directly when confronted with unfavorable information. Some people do, of course, but not enough people do. Doing so gives that person or organization the chance to explain their version of events. And guess what? If they are in the right, it is usually fairly easy to tell from their telling of it. How so? Generally, when a person is right, they will be happy to entertain a discussion, be specific, provide data points, produce evidence, and respond positively to being questioned. It may very well prompt you to question the source, ask questions, and ask for evidence.
- Consider the source: Is the source always the victim in their stories? Does the source always seem to talk about others, rather than focusing on the topic or task at hand? Does the source have a history of raising vague, unsupported negative information about people or organizations? Does the source have a history of being proven wrong or to have been lying? If so, it may be worth considering that this source may be more problematic than reliable.
- Review history: Has the targeted person or organization produced good results for you in the past? If you think back over the advice they’ve given you, has it generally been good advice (whether or not you followed it)? Is the targeted person or organization generally reliable and of good character? If so, you may have encountered false information about this person or organization, and you should probably go through the above bullets to ascertain more details around what the actual truth may be.
While vetting people or organizations takes effort and may go against our nature, it is generally well worth the effort. Just like information, people and organizations need to be properly vetted. If they aren’t, there can be serious consequences for a security team. Consequences that will harm the enterprise security posture.

