Let's talk about PREVALENCE ANALYSIS. This is one of the most useful concepts for analysts to understand because it drives so many actions. Prevalence is basically what proportion of a population shares a specific characteristic. 1/
First, prevalence is often an anomaly detection technique. Let's say you've found a process running with a name you don't recognize. If it's running on every host on the network you might say it's more likely to be benign. 2/
If the process is only running on one or a couple of hosts, that could be a bit more suspicious. Is there a common thread between the hosts? A pattern? There's more work here. 3/
Prevalence also helps find other investigative paths to pursue. Let's say that suspiciously named process runs on every host in the finance dept. That's a pattern you can explore to see if the process is benign or malicious. 4/
In both of those cases, we're talking about feature identification and pattern matching. Things like... common things being common, how the rarity of occurrence often points to suspicious things, and so on. 5/
Next, consider that most investigations begin with some anomaly. Skilled analysts choose to work backward or forward from that evidence. Prevalence can dictate your stopping point in either direction. For example... 6/
Working backward means working to a low prevalence event. The one user who clicked a link, the one execution occurring before the others, and so on. Finding root cause often means finding low prevalence events. This can be the easier direction if the data is there. 7/
Working forward often means working to higher prevalence events. The lateral movement to many hosts, the mass execution of the same binary, authentications to multiple hosts, and so on. This direction is often harder than working backward, all things being equal. 8/
With all of these uses of prevalence analysis, there's a facet of behavioral analysis and making decisions based on quantities. Analysts get better at making those decisions as they gain experience. 9/
Prevalence analysis doesn't exist in a vacuum and pairs with interpretations from other techniques. Execution analysis, lateral movement analysis, encoding analysis, and so on. 10/
Tactically, ask yourself how you do this sort of analysis now. For the most common data types you look at, how would you determine the prevalence within a population? Do you have the tools to do this? Are you practiced at it?11/
If you're a new analyst, consider prevalence often. Both how you can use it for anomaly detection and how it drives your investigative path choices. The more you actively think about this, the better prepared you are to wield the technique when appropriate. 12/
Collecting prevalence data is often trivial. Tools enable it well... it's mostly just counting and aggregating things.
Harder is identifying when to use the technique and interpreting the data. There's an opportunity for deliberate practice here. 13/
Harder is identifying when to use the technique and interpreting the data. There's an opportunity for deliberate practice here. 13/
What can prevalence data tell me here?
Am I working toward low or high prevalence events?
What does this level of prevalence mean?
How can I confirm what this level of prevalence indicates? 14/
Am I working toward low or high prevalence events?
What does this level of prevalence mean?
How can I confirm what this level of prevalence indicates? 14/
And on this Tuesday, you now have an increased prevalence of the word prevalence. Metaprevalence? 😂 😅 15/15
• • •
Missing some Tweet in this thread? You can try to
force a refresh
