The Science of Intrusion Analysis and Incident Response: Introduction

However, my concern is not to document the art of Intrusion Analysis or Incident Response, but rather to transform the art into a science.  What does that mean?  What is the science of intrusion analysis and incident response?

First, we must define science (there are many definitions, this one will suffice for our purposes).

Science (from Latinscientia, meaning “knowledge”) is a systematic enterprise that builds and organizes knowledge in the form of testable explanations and predictions about the universe. — Wikipedia

Second, how will we know when intrusion analysis and incident response have become a science?  Aristotle can give us the answer.

[A] man knows a thing scientifically when he possesses a conviction arrived at in a certain way, and when the first principles on which that conviction rests are known to him with certainty—for unless he is more certain of his first principles than of the conclusion drawn from them he will only possess the knowledge in question accidentally.  — Aristotle (384 BC – 322 BC) in Nicomachean Ethics

From this I draw the following requirements to make intrusion analysis and incident response into a science:

1. Intrusion Analysis and Incident Response must be systematic
2. There must be first principles upon which hypotheses and predictions can be drawn and tested with experimentation
3. There must be an organizing function to build knowledge
4. There must be a set of theories which are generally accepted, testable, and repeatable following from first principles and hypotheses

Why do we care if Intrusion Analysis is a science or not?  An intrusion analysis and incident response science means less duplication of effort solving the same problems and a more cohesive approach to improving tools, tradecraft, and training.

Thanks to Richard (@taosecurity and Tao Security Blog) for the unanticipated use of his image! 🙂