I might as well start with the elephant in the room – Analysis of Competing Hypotheses.
Analysis of Competing Hypotheses
This is thrown about all over the place; nearly every cyber threat intelligence article or company mentions the Analysis of Competing Hypotheses, but what actually is it?
It belongs to a group of structured analytic techniques called Diagnostic Techniques. ACH is an analytical process whose aim is to reject hypotheses rather than confirm them. Typically you identify a set of alternative hypotheses, evaluate each of them against the available evidence and reject the least likely, the idea being that you are left with the most plausible. It is useful when there are alternative explanations for what has happened, is happening, or is likely to happen. It is also a good method for showing how you arrived at a particular conclusion, so other analysts can see your reasoning and rationale based on the data you have.
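The process described above, as an added example that is not part of the original post: a small ACH matrix in the style of Heuer's method, where each item of evidence is rated against every hypothesis and hypotheses are ranked by how much evidence contradicts them. The incident scenario, hypotheses, ratings and weights are constructed for illustration.

```python
# Added example (not from the original post): a minimal Analysis of Competing
# Hypotheses (ACH) matrix in the style of Heuer's method. Each item of evidence
# is rated against every hypothesis as "C" (consistent), "I" (inconsistent) or
# "N" (neutral / not applicable). Hypotheses are ranked by how much evidence
# argues AGAINST them, so the method rejects rather than confirms.
from typing import Dict, List, Optional

Ratings = Dict[str, str]          # hypothesis -> "C" | "I" | "N"
Matrix = Dict[str, Ratings]       # evidence -> ratings

def inconsistency_scores(matrix: Matrix, weights: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Sum the (optionally weighted) inconsistent ratings per hypothesis."""
    weights = weights or {}
    scores: Dict[str, int] = {}
    for evidence, ratings in matrix.items():
        w = weights.get(evidence, 1)
        for hyp, rating in ratings.items():
            if rating not in ("C", "I", "N"):
                raise ValueError(f"bad rating {rating!r} for {evidence} / {hyp}")
            scores[hyp] = scores.get(hyp, 0) + (w if rating == "I" else 0)
    return scores

def rank_hypotheses(matrix: Matrix, weights: Optional[Dict[str, int]] = None) -> List[str]:
    """Least-contradicted hypothesis first. The winner is the survivor, not proven."""
    scores = inconsistency_scores(matrix, weights)
    return sorted(scores, key=lambda h: (scores[h], h))

def non_diagnostic_evidence(matrix: Matrix) -> List[str]:
    """Evidence rated the same for every hypothesis cannot discriminate between them."""
    return [e for e, r in matrix.items() if len(set(r.values())) == 1]

# Constructed scenario: who is behind a data exfiltration? Ratings are illustrative.
H1, H2, H3 = "H1 opportunistic crimeware", "H2 targeted intrusion", "H3 malicious insider"
MATRIX: Matrix = {
    "E1 phishing lure was sent to thousands of unrelated recipients": {H1: "C", H2: "I", H3: "I"},
    "E2 only the M&A share was exfiltrated, nothing else touched":    {H1: "I", H2: "C", H3: "C"},
    "E3 lateral movement started from the internet-facing host":      {H1: "C", H2: "C", H3: "I"},
    "E4 the company runs no DLP controls":                            {H1: "C", H2: "C", H3: "C"},
}
# Analyst judgement (constructed): E2 is strong evidence, so weight it double.
WEIGHTS = {"E2 only the M&A share was exfiltrated, nothing else touched": 2}

if __name__ == "__main__":
    print("scores:", inconsistency_scores(MATRIX, WEIGHTS))
    print("ranking (most plausible first):", rank_hypotheses(MATRIX, WEIGHTS))
    print("non-diagnostic, candidates to drop:", non_diagnostic_evidence(MATRIX))
```

Recording the matrix this way also gives other analysts the audit trail the post mentions: each rating and weight is a visible, challengeable judgement rather than an unstated assumption.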
There are some caveats to the Analysis of Competing Hypotheses, such as not being able to identify all relevant information, that information being inaccurate or misleading, or biases such as groupthink creeping in when it is performed in a group. The whitepaper is here for you to read more about it: https://www.scip.org/store/viewproduct.aspx?id=5195115 and of course Wikipedia: https://en.wikipedia.org/wiki/Analysis_of_competing_hypotheses