Parallels with the Paradise Papers Investigation
I recently watched the Vice News Tonight hour long show on the Paradise Papers. If you have HBO I highly recommend you give your time to this episode. If you don't have HBO, maybe try one of those free trials and still give it a try and then binge watch Game of Thrones while you are at it.
You can also go read more about it on their website, but you won't get the insight into what it took for 400 journalist to hunt through the leaked documents.
The episode deep dives into the 9 month investigation of the journalists, the different angles they all decided to take on looking at the data, and effort it took to validate their findings.
Granted I think about threat hunting close to 12 hours a day, but I couldn't help but see the parallels between the ICIJ journalists methods/concerns and threat hunting methods/concerns.
I was fascinated as the show moved from The Guardian's investigation, to The New York Times' investigation and then to the Russian journalists investigation, who were putting their lives on the line. Each group had a different angle, a mission no more or less than important to the other journalist's and they were all happening simultaneously. Together the story became something else entirely different than what it would have been had the small German company that received the leak investigated solo.
I have been experimenting with this idea of "pack hunting" with my team. I detailed it a few blog posts ago, Pack Hunting. What I am hoping to achieve is exactly what the ICIJ achieved with the release of this story. The ability to hunt on a target from multiple angles resulting in a stronger, more comprehensive and persuasive story. One that just might actually bring about change in my organization. Seeing this only made me more resolute that this is a direction my team needs to go.
They also show the journalists wrestle with leads, these tiny breadcrumbs that are important and impactful, but don't add up to a full picture. They discuss whether to share those findings and what else they need to make them concrete. Any hunter or incident responser is familiar with the struggle with the suspicious evidence that they can't quite validate, maybe the logs have rolled or there isn't any corroborating evidence to back up the suspicious finding. I don't have a way to fix this, but I do know that it feels better when I can at least share in my post hunt brief findings what the team needed to have to get the evidence that would have answered the question of the suspicious finding.
Beyond this there was the use of similar tools like Linkurious that I am sure spawned this similarity in my mind. I couldn't help but wonder what threat hunting might have to offer other fields of studies.