A cybersecurity practitioner I know recently reached out to me for advice on a problem they had no prior experience with. They had already told the client what they believed the problem was. The client was skeptical. My friend then contacted me and gave me the sparse details, hoping I would agree with their conclusion. Instead, I sent this reply. Since it’s useful advice for anyone new to cybersecurity, I’m posting it here. Maybe it’ll be useful advice for you, too.
[Name deleted],
“It’s our job as trusted security resources to work only with the facts — never do we have the luxury of dealing in speculation. You can only work with, and report on, the logs and other empirical evidence that your client provides for your examination.
“Privately, in the quiet confines of your own mind, you can come up with one or more hypotheses. Then, without ever voicing the hypothesis (or hypotheses) to the client, you can search the logs and other empirical evidence for data that will prove or disprove each hypothesis in turn.
“When you have enough evidence to support an explanation for the cause, then you can report the cause to the client, along with the evidence.
“In those cases where the logs or other evidence are no longer available for examination, we…