Let's talk about PREVALENCE ANALYSIS. This is one of the most useful concepts for analysts to understand because it drives so many actions. Prevalence is basically the proportion of a population that shares a specific characteristic. 1/
First, prevalence is often an anomaly detection technique. Let's say you've found a process running with a name you don't recognize. If it's running on every host on the network, you might say it's more likely to be benign. 2/
If the process is only running on one or a couple of hosts, that could be a bit more suspicious. Is there a common thread between the hosts? A pattern? There's more work here. 3/
Prevalence also helps find other investigative paths to pursue. Let's say that suspiciously named process runs on every host in the finance dept. That's a pattern you can explore to see if the process is benign or malicious. 4/
In both of those cases, we're talking about feature identification and pattern matching: common things being common, rare occurrences often pointing to something suspicious, and so on. 5/
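The anomaly-detection use above can be sketched as a simple prevalence check. This is a minimal illustration with hypothetical telemetry — the host names, process names, and the `prevalence` helper are all made up for the example:

```python
from collections import Counter

# Hypothetical process telemetry: (host, process_name) observations.
events = [
    ("host-01", "svchost.exe"), ("host-02", "svchost.exe"),
    ("host-03", "svchost.exe"), ("host-01", "updater.exe"),
]

# The population here is every host we have telemetry for.
population = {host for host, _ in events}

def prevalence(process: str) -> float:
    """Fraction of hosts in the population where the process was seen."""
    hosts = {h for h, p in events if p == process}
    return len(hosts) / len(population)

print(prevalence("svchost.exe"))  # 1.0 -- runs everywhere, more likely benign
print(prevalence("updater.exe"))  # ~0.33 -- rare, worth a closer look
```

A high ratio suggests "common thing being common"; a low ratio is the cue to ask whether the few affected hosts share a pattern.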
Next, consider that most investigations begin with some anomaly. Skilled analysts choose to work backward or forward from that evidence. Prevalence can dictate your stopping point in either direction. For example... 6/
Working backward means working to a low prevalence event. The one user who clicked a link, the one execution occurring before the others, and so on. Finding root cause often means finding low prevalence events. This can be the easier direction if the data is there. 7/
Working forward often means working to higher prevalence events. The lateral movement to many hosts, the mass execution of the same binary, authentications to multiple hosts, and so on. This direction is often harder than working backward, all things being equal. 8/
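Those two directions can be expressed as a tiny sketch: sort observed actions by how often they occur, then the rarest action is a root-cause candidate (working backward) and the most common shows spread (working forward). The timeline data below is entirely hypothetical:

```python
from collections import Counter

# Hypothetical timeline of (timestamp, user, action) events.
timeline = [
    ("09:00", "alice", "clicked_link"),
    ("09:05", "alice", "ran_binary"),
    ("09:06", "bob",   "ran_binary"),
    ("09:07", "carol", "ran_binary"),
]

action_counts = Counter(action for _, _, action in timeline)

# Working backward: the lowest-prevalence action is a root-cause candidate.
root_candidate = min(action_counts, key=action_counts.get)
# Working forward: the highest-prevalence action shows spread/impact.
spread = max(action_counts, key=action_counts.get)

print(root_candidate)  # clicked_link (seen once)
print(spread)          # ran_binary (seen three times)
```

Real investigations obviously involve far messier data, but the stopping points look like this: one click at the start, many executions at the end.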
With all of these uses of prevalence analysis, there's a facet of behavioral analysis: making decisions based on quantities. Analysts get better at making those decisions as they gain experience. 9/
Prevalence analysis doesn't exist in a vacuum; it pairs with interpretations from other techniques: execution analysis, lateral movement analysis, encoding analysis, and so on. 10/
Tactically, ask yourself how you do this sort of analysis now. For the most common data types you look at, how would you determine the prevalence within a population? Do you have the tools to do this? Are you practiced at it? 11/
If you're a new analyst, consider prevalence often. Both how you can use it for anomaly detection and how it drives your investigative path choices. The more you actively think about this, the better prepared you are to wield the technique when appropriate. 12/
Collecting prevalence data is often trivial. Tools enable it well... it's mostly just counting and aggregating things. Harder is identifying when to use the technique and interpreting the data. There's an opportunity for deliberate practice here. 13/
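The "counting and aggregating" step really is as simple as it sounds. A minimal sketch, assuming hypothetical process sightings (the process and host names are invented for the example):

```python
from collections import defaultdict

# Hypothetical sightings: process name -> set of hosts observed running it.
sightings = defaultdict(set)
observations = [
    ("EXCEL.EXE", "fin-01"), ("EXCEL.EXE", "fin-02"),
    ("oddproc.exe", "fin-01"), ("oddproc.exe", "fin-02"),
    ("oddproc.exe", "fin-03"),
]
for proc, host in observations:
    sightings[proc].add(host)

# Sort ascending by host count so low-prevalence items surface first.
for proc, hosts in sorted(sightings.items(), key=lambda kv: len(kv[1])):
    print(f"{proc}: {len(hosts)} host(s) -> {sorted(hosts)}")
```

The hard part, as above, isn't producing these counts — it's knowing when to ask for them and what a given count means in your environment.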
What can prevalence data tell me here?
Am I working toward low or high prevalence events?
What does this level of prevalence mean?
How can I confirm what this level of prevalence indicates? 14/
And on this Tuesday, you now have an increased prevalence of the word prevalence. Metaprevalence? 😂 😅 15/15
Upon notification of potential malware infection, SOC analysts tend to spend more time trying to confirm the infection, whereas IR/DF analysts tend to assume infection and move toward understanding impact.
Usually, this results in different investigative actions. Confirming infection focuses more on the leading portion of the timeline relevant to the current event. Exploring impact focuses more on the trailing portion of the timeline.
Sometimes the investigative actions can look the same, but that depends on the malware and how the infection presents. Even with similar investigative actions, the intent is different.
The natural thing for inexperienced analysts to want to do is jump to the worst-case scenario and begin investigating that thing. After all, the bad thing is very bad! But that's usually a bad idea for at least three reasons. 1/
First, all investigations are based on questions. You use existing evidence to drive questions whose answers you pursue in evidence. If there is no evidence that indicates the very bad thing, you are probably jumping the gun by looking for it. It's a reach. 2/
Second, the very bad thing is often very hard to investigate. Exfil is a prime example. The techniques for investigating and proving data exfil are often time-consuming and cognitively demanding. Now you're distracting yourself from the actual evidence you already have. 3/
Over and over again, I observe that highly skilled analysts do something that might seem counterintuitive, but is key to their success.
They constantly review the facts -- what they know. That's the current timeline and the relationships they've uncovered.
Inexperienced analysts resist this sometimes because it feels like it takes up a lot of time. But it's worth the time. This is where analysts discover timeline gaps, identify new investigative questions, and prioritize their next move.
As you might imagine, revisiting the facts depends highly on documenting what you know when you come to know it. That's a habit that gets formed over time but can form faster if you understand the value and are deliberate about it.
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/
Threat hunting is all about finding anomalies that automated detection mechanisms don't find. That means manual anomaly detection, which sometimes means weeding out things that are normal. 2/
For example, let's say you discover a binary that runs in the middle of the night on a host and that's weird! So, you eventually search for the prevalence of that behavior and see it running on other hosts in that department. 3/
Last week I laughed at my wife's playoff football predictions because of her reasons, but then she went 5-1. So, here are this week's predictions and her explanations...
Saturday:
Packers over Rams - "The Packers were in the Pitch Perfect movie"
Ravens over Bills - "Bills is a dumb name for a football team."
Sunday:
Browns over Chiefs - "I'm not excited about either of these teams, but there's not a lot going on in Cleveland so I feel like they need this."
Saints over Buccaneers - "Because that's the team you [I] like."
I'm sad and angry about the insurrection that took place in DC yesterday. I have a lot I want to say at some point, but for now I just want to say this in case anyone following me needs to hear it...
Free and fair elections are the bedrock of democracy. While more should be done to make access to elections easier, the presidential election was fair and the results are valid.
There has been no legitimate evidence that suggests any anomalies remotely close to a scale that would overturn a decisive election result. That's after 62 failed lawsuits and multiple recounts and audits.