
In life, intelligence analysis, and cybersecurity, making sense of complex situations and uncovering the truth requires asking the right questions. My 5W Strategy is built on answering five key questions: “What happened?”, “Why did it happen?”, “Why did it happen that way?”, “What did we do about it?”, and “Who did it?”
This approach, though universal, has proven exceptionally valuable both in my personal life and in my professional career in intelligence and security operations center (SOC) work.
The Power of the 5W Strategy
The 5W strategy serves as a framework that can break down any situation and identify its root cause. Whether analyzing a life event or a security breach, these questions serve to clarify the situation, understand intent, and outline a plan of action.
1. What Happened?
In the intelligence world and SOC operations, the first step is to define the event itself. Whether it’s a cyberattack, a new piece of intelligence, or an unexpected anomaly in the system, identifying “What happened?” creates a solid starting point. In a SOC environment, this often means recognizing an intrusion attempt, a suspicious login, or a pattern that doesn’t fit the norm.
Example (SOC Operation):
- Event: A sudden surge of inbound traffic from many external IPs.
- Question: What happened?
- Response: A possible Distributed Denial of Service (DDoS) attack is under way; the label is a hypothesis until the traffic has been characterized (volume, number of sources, ports targeted).
This step separates the observation from the conclusion: no response action is taken before the incident has been confirmed. Similarly, in life, understanding what exactly took place is necessary before moving forward with decisions.
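Answering "What happened?" in a SOC means describing the event from data before naming it. The following Python script is an added example, not code from the original post: it parses a constructed, hypothetical flow-record format (ISO timestamp, source IP, destination port, packet count), reports volume, number of distinct sources and the top ports, and only then derives a label (within baseline, single-source flood, distributed flood) from those figures. The three sample captures and the thresholds are assumptions chosen for illustration.

```python
"""Answering "What happened?" from data: characterise the traffic, then label it.

Added example, not code from the original post. The flow-record format
("<ISO timestamp> <src_ip> <dst_port> <packets>") and the thresholds are
constructed assumptions for illustration, not any vendor's format.
"""
from collections import Counter
from datetime import datetime

# Constructed sample 1: ordinary background traffic, a few sources, low rate.
BASELINE_FLOWS = """\
2024-05-01T10:00:00 203.0.113.7 443 12
2024-05-01T10:00:05 198.51.100.23 443 9
2024-05-01T10:00:10 192.0.2.45 80 11
2024-05-01T10:00:15 203.0.113.7 22 7
"""

# Constructed sample 2: one external IP dominating the volume (DoS, not DDoS).
DOS_FLOWS = """\
2024-05-01T10:10:00 203.0.113.7 443 5000
2024-05-01T10:10:01 203.0.113.7 443 5200
2024-05-01T10:10:02 198.51.100.23 443 40
2024-05-01T10:10:03 203.0.113.7 443 4900
"""

# Constructed sample 3: forty sources each sending a similar share (DDoS).
DDOS_FLOWS = "\n".join(
    f"2024-05-01T10:05:{i % 10:02d} 198.51.100.{i} 53 400" for i in range(1, 41)
)


def parse_flows(text):
    """Parse flow lines into (timestamp, src_ip, dst_port, packets) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port, pkts = line.split()
        records.append((datetime.fromisoformat(ts), src, int(port), int(pkts)))
    return records


def characterize(records, baseline_pps=50.0, many_sources=10, dominant_share=0.8):
    """Describe the traffic, then derive a label from the description.

    baseline_pps:   packets/second above which traffic counts as unusual (assumed).
    many_sources:   distinct sources needed before a flood is called "distributed".
    dominant_share: fraction of packets from one source that marks a single-source flood.
    """
    if not records:
        return {"label": "no traffic", "packets": 0, "sources": 0,
                "pps": 0.0, "top_source": None, "top_share": 0.0, "top_ports": []}

    total = sum(pkts for _, _, _, pkts in records)
    first = min(ts for ts, _, _, _ in records)
    last = max(ts for ts, _, _, _ in records)
    span = max((last - first).total_seconds(), 1.0)  # avoid division by zero
    pps = total / span

    by_src = Counter()
    by_port = Counter()
    for _, src, port, pkts in records:
        by_src[src] += pkts
        by_port[port] += pkts
    top_source, top_pkts = by_src.most_common(1)[0]
    top_share = top_pkts / total

    # The label is a consequence of the measured facts, not the starting point.
    if pps <= baseline_pps:
        label = "within baseline"
    elif top_share >= dominant_share:
        label = f"single-source flood (DoS) from {top_source}"
    elif len(by_src) >= many_sources:
        label = "distributed flood (DDoS)"
    else:
        label = "elevated traffic from a few sources"

    return {
        "label": label,
        "packets": total,
        "sources": len(by_src),
        "pps": round(pps, 1),
        "top_source": top_source,
        "top_share": round(top_share, 3),
        "top_ports": by_port.most_common(3),
    }


def triage(text):
    """Convenience wrapper: raw log text in, characterisation out."""
    return characterize(parse_flows(text))


if __name__ == "__main__":
    for name, flows in (("baseline", BASELINE_FLOWS), ("dos", DOS_FLOWS), ("ddos", DDOS_FLOWS)):
        print(name, triage(flows))
```

The `label` field is the one-line answer to "What happened?"; the remaining fields are the evidence that belongs in the ticket, and they are what distinguishes a single noisy host from a genuinely distributed attack before anyone reaches for a response.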
2. Why Did It Happen?
Once we know what happened, the next critical step is determining “Why?” This question allows us to assess root causes, motivations, or vulnerabilities that led to the event.
Example (Intelligence Analysis):
- Event: A sudden uprising in a politically unstable region.
- Question: Why did it happen?
- Response: Social tensions fueled by economic inequality triggered the uprising.
Understanding motivations in intelligence work can be the key to predicting future events or preventing them.
3. Why Did It Happen That Way? (Inspired by Mindhunter)
This deeper layer of analysis is where insight meets precision. Drawing from behavioral analysis techniques, this question digs into not just why something occurred but why it happened in a specific manner. This level of inquiry is inspired by the behavioral profiling seen in “Mindhunter,” where patterns of criminal behavior are crucial to understanding the perpetrator’s psychology.
Example (Cybersecurity):
- Event: A phishing attack targeting financial data.
- Question: Why was the phishing email crafted this specific way?
- Response: The threat actors used a language style familiar to the organization to avoid suspicion, increasing the likelihood of successful compromise.
This is crucial in SOC operations because it offers insight into the threat actor’s strategy, that is, their tactics, techniques, and procedures, helping to refine countermeasures and preventive protocols.
4. What Did We Do About It?
This question highlights the importance of the actions taken in response. In intelligence, it often means countermeasures, diplomatic actions, or policy changes. In a SOC, it could involve applying patches, isolating systems, or containing the damage.
Example (SOC Response):
- Event: Network breach detected.
- Question: What did we do about it?
- Response: Isolated the affected systems, closed the attack vector, and implemented additional security measures.
The effectiveness of these actions depends on how quickly and thoroughly they are executed. Reflecting on this question allows for improvement in future responses.
5. Who Did It?
Finally, identifying “Who did it?” is essential in both life and intelligence. In SOC operations, it means attributing the attack to a threat group or an individual, a judgement made with a stated confidence level rather than a certainty. In life, it’s often about understanding the people involved and their roles.
Example (Intelligence Analysis):
- Event: A sophisticated ransomware attack.
- Question: Who did it?
- Response: Traced the attack back to a known cybercriminal group operating in Eastern Europe.
In the intelligence world, identifying the actors behind events can lead to better prevention strategies or punitive measures. Attribution is also the easiest of the five questions to get wrong, since shared tooling and borrowed infrastructure let one actor resemble another, so a conclusion should always carry its supporting evidence and a confidence level.
| Question | Life Example | SOC Example | Intelligence Example |
|---|---|---|---|
| What happened? | Missed an important deadline. | DDoS attack detected. | Political uprising in unstable region. |
| Why did it happen? | Poor time management. | Exposed service with no rate limiting or filtering at the edge. | Economic inequality. |
| Why did it happen that way? | Misjudged the effort required for the task. | Attack targeted specific open ports. | Use of social media to organize protests. |
| What did we do about it? | Rescheduled the task and set reminders. | Isolated network and implemented security updates. | Sent diplomatic aid to the region. |
| Who did it? | Identified distractions that caused delays. | Attribution to a threat actor or a threat group. | Identified the leader behind the protests. |
The 5W Strategy Applied to Intelligence and SOC Operations
In conclusion, applying the 5W strategy sharpens the focus in intelligence and SOC operations, allowing teams to not only react but anticipate future threats. It emphasizes an approach that is both methodical and adaptive, allowing us to continuously learn, evolve, and strengthen our defenses—whether in cyberspace, geopolitics, or everyday life.