The Semantic Chain: DAIKI #
Some threat hunt frameworks break down hunt types by trigger (which team or process triggers a particular hunt); others break them down by data type, e.g. network data vs endpoint data. All these approaches lead to confusing hunt structures and miss the point of what threat hunting is really about: extracting meaning from data, and devising ways of identifying behavioural patterns. In that regard threat hunting is no different from data science.
For AIMOD2, hunt types are differentiated by the position at which we commence our data analysis on the road from data to insight, i.e. the path that leads from atomic, disconnected data points to highly connected, insight-based impact. We call this model the DAIKI: Data -> Information -> Knowledge -> Insight. This model is an adaptation of the well-known DIKW pyramid (Data, Information, Knowledge and Wisdom).
DAIKI and Impact #
The aim of any threat hunt mission is to produce impact. AIMOD2 is mission-driven because it is impact-driven. Impact can be defined as the effect an activity, event or decision produces on the organization’s resilience. In cyber threat hunting, our goal is to mitigate threats and help reduce the organization’s risk exposure, thus increasing organizational resilience.
But what does impact have to do with data semantics? AIMOD2 considers that impact is generated by a threat hunt team at every level of the semantic chain. However, the further along the semantic chain you produce outcomes, the higher the impact and added value that is delivered to an organization. Concomitantly, the further along the semantic chain you begin your hunt mission from, the easier it is to drive your outcomes to the insight stage.
Limiting a team’s focus to atomic and disconnected data, such as sweeping the environment with hashes, does not yield the same impact as when the team utilizes synthesized knowledge derived from threat intelligence.
The DAIKI Stages #
What drives the progression from loosely connected data to highly connected insight is a series of syntheses performed by one or many teams in an organization. The transitional states that link the different stages imply the extraction of meaning, which radically transforms the quality of the information.
Information can be described as contextualized data, knowledge as interpreted information and insight as assimilated knowledge that becomes a new way of doing and thinking. These transitional states are dominated by the what (data to information), the why (information to knowledge) and the how (knowledge to insight).
What drives the transition through each stage is the concept of bounded applicability, borrowed from the Cynefin framework for complexity, which I’ve mentioned already multiple times here, here and here. Cognitive Edge’s glossary defines bounded applicability as:
the concept that different and contradictory things work in different bounded spaces
In other words, there are no context-free situations. When transitioning from one stage to the next in DAIKI, we make choices that imply focusing on some data clusters over others, and choosing models that lead to one specific solution over others. In this process we discard scenarios and limit the amount of data we work with.