Unveiling the Art of Threat Hunting: Exploring Subjective vs. Contextual Anomaly Detection

Saidani Mohamed El Amine
3 min read · Jul 30, 2023


Defining every type of anomaly may not be straightforward, but we can identify some common ones. The anomalies you seek will depend on the specific activity under investigation and the evidence associated with it:

Subject Anomalies: These are unexpected data points directly within the evidence that describe an action.

As shown above, process number 12 looks legitimate, but if you look closely the name contains a "0" (zero) instead of the letter "o".

Contextual Anomalies: On the other hand, contextual anomalies refer to unexpected data found in relation to other data sources surrounding an action.

In threat hunting, understanding the distinctions between these types of anomalies is crucial for effective detection and response.

Processes 1 and 11 are the same; logically, Windows should have only one wininit.exe running at a time, not two.
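The two examples above (the "svch0st" lookalike name and the duplicated wininit.exe) are the kind of check a hunter can script over a process listing. The code below is an added example, not code from the original post: it folds common digit-for-letter substitutions before comparing a name against a small allowlist of known Windows process names (the allowlist and the "expected once" set are assumptions a hunter would baseline per environment), and it counts processes that should be singletons. The process list is constructed sample data.

```python
"""Process-list eye test: lookalike names (subject anomaly) and unexpected
duplicates of singleton processes (contextual anomaly).

Added example; the process list, allowlist and singleton set are constructed
assumptions, not evidence from the post."""
from collections import Counter
import unicodedata

# Constructed sample process list: (pid, image name, parent pid)
SAMPLE_PROCESSES = [
    (1, "wininit.exe", 0),
    (4, "services.exe", 1),
    (7, "lsass.exe", 1),
    (11, "wininit.exe", 0),
    (12, "svch0st.exe", 4),   # zero instead of the letter "o"
    (13, "svchost.exe", 4),
]

# Assumed allowlist of known-good image names (lower case)
KNOWN_NAMES = {"wininit.exe", "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}

# Assumed: names that should appear at most once on a healthy host
SINGLETON_NAMES = {"wininit.exe", "lsass.exe", "services.exe"}

# Digits and symbols commonly used to mimic letters
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(name: str) -> str:
    """Unicode-normalise, lower-case and fold homoglyphs so that
    'svch0st.exe' compares equal to 'svchost.exe'."""
    return unicodedata.normalize("NFKC", name).lower().translate(HOMOGLYPHS)


def find_lookalikes(processes, known=KNOWN_NAMES):
    """Subject anomaly: a name that is not in the allowlist as written,
    but matches an allowlisted name once homoglyphs are folded.
    Returns (pid, name as seen, name it imitates)."""
    hits = []
    for pid, name, _parent in processes:
        if name.lower() in known:
            continue                      # exact known name, nothing to flag
        folded = normalize(name)
        if folded in known:
            hits.append((pid, name, folded))
    return hits


def find_duplicate_singletons(processes, singletons=SINGLETON_NAMES):
    """Contextual anomaly: a process expected exactly once is running more
    than once. Returns {name: count} for the offenders."""
    counts = Counter(name.lower() for _pid, name, _parent in processes)
    return {name: n for name, n in counts.items() if name in singletons and n > 1}


if __name__ == "__main__":
    print("lookalikes:", find_lookalikes(SAMPLE_PROCESSES))
    print("duplicate singletons:", find_duplicate_singletons(SAMPLE_PROCESSES))
```

The homoglyph table is deliberately small; extending it (for example to Cyrillic letters that render like Latin ones) raises recall but also raises the chance that a legitimate name with a digit folds onto an allowlisted one, so review hits rather than treating them as verdicts.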

The eye test draws on your cognitive pattern-recognition ability and your experience-derived heuristics:

  • Attempts to mirror legitimacy
  • Unexpected frequency of occurrences
  • Regular things in an abnormal context
  • Unexpected randomness or patterns
  • Generic non-descriptives

Frequency of occurrences

Too many things are a bad thing

  • Events that occur fewer or more times than the average or expected count
  • Requires that you know the standard sequence and deviation thresholds

Generic Non-Descriptives

  • Attempts to hide by presenting broad or generic information
  • Unfortunately, many legitimate entities use generic names.

Missing information

  • Evidence that is missing expected data or context
  • As shown below, the size of the document is 16kb, which is too small

Unexpected Obfuscation and Encryption

  • The unexpected use or absence of obfuscation or encryption
  • This anomaly type centers on actual vs. expected entropy

Unexpected One-to-Many Relationships

  • Events from one source to many destinations, or vice versa, when that is not expected in the given context
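Three of the heuristics above (frequency of occurrences, unexpected obfuscation measured as entropy, and one-to-many relationships) reduce to simple arithmetic over evidence. The block below is an added example written for this post, not the author's code: it scores an observed count against a baseline mean and standard deviation, computes Shannon entropy of command lines against an expected maximum, and counts distinct destinations per source from connection-log lines. All data (the logon baseline, the command lines, the log text) is constructed, and the thresholds are assumptions to be baselined per environment.

```python
"""Frequency, entropy and fan-out heuristics over constructed sample data.

Added example; baseline, commands, log lines and thresholds are assumptions."""
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

# Constructed: daily interactive logon count for one account over a week
BASELINE_LOGONS = [20, 22, 19, 21, 18, 20, 20]

# Constructed command lines seen on one host; the last one carries a base64
# blob (encoding of a harmless phrase) to stand in for an encoded command
SAMPLE_COMMANDS = [
    "whoami",
    "net user",
    "dir c:\\users",
    "powershell -enc aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=",
]

# Constructed connection log lines: "<timestamp> <source> <destination>"
SAMPLE_CONN_LOG = """\
2023-07-30T10:00:01 ws-01 10.0.0.5
2023-07-30T10:00:02 ws-01 10.0.0.6
2023-07-30T10:00:02 ws-01 10.0.0.7
2023-07-30T10:00:03 ws-01 10.0.0.8
2023-07-30T10:00:03 ws-01 10.0.0.9
2023-07-30T10:00:05 ws-02 10.0.0.5
2023-07-30T10:00:09 ws-02 10.0.0.5
"""


def frequency_deviation(baseline_counts, observed, z_threshold=3.0):
    """Frequency anomaly: z-score of `observed` against the baseline, and
    whether its magnitude exceeds the assumed threshold."""
    mu = mean(baseline_counts)
    sigma = pstdev(baseline_counts) or 1.0   # guard against a flat baseline
    z = (observed - mu) / sigma
    return round(z, 2), abs(z) > z_threshold


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; short plain commands sit around 2-3.5,
    base64/hex blobs of a few dozen characters around 4.5 and above."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * log2(c / n) for c in Counter(text).values())


def entropy_outliers(commands, expected_max=4.0):
    """Obfuscation anomaly: command lines whose actual entropy exceeds the
    entropy expected for this field. Returns (command, entropy) pairs."""
    return [(cmd, round(shannon_entropy(cmd), 2))
            for cmd in commands if shannon_entropy(cmd) > expected_max]


def parse_connections(log_text):
    """Turn '<ts> <src> <dst>' lines into (src, dst) pairs, skipping malformed lines."""
    pairs = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            pairs.append((parts[1], parts[2]))
    return pairs


def fan_out(connections, max_expected=3):
    """One-to-many anomaly: sources that reached more distinct destinations
    than the context allows. Returns {source: sorted destinations}."""
    dests = defaultdict(set)
    for src, dst in connections:
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) > max_expected}


if __name__ == "__main__":
    print("logon z-score:", frequency_deviation(BASELINE_LOGONS, 60))
    print("high-entropy commands:", entropy_outliers(SAMPLE_COMMANDS))
    print("fan-out:", fan_out(parse_connections(SAMPLE_CONN_LOG)))
```

Entropy grows with both length and character variety, so a long but legitimate command line can cross a fixed threshold; the expected maximum should be measured per field (command line, file name, DNS label) from known-good data rather than reused across fields. Likewise, `max_expected` for fan-out depends on the role of the source: three destinations is a lot for a workstation and nothing for a monitoring server.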

In conclusion, we delved into the intricate world of threat hunting, focusing on the crucial task of distinguishing subjective from contextual anomalies. While not all anomalies can be predefined, we explored common types and how they manifest within evidence.

Hope you enjoyed it ^^


Written by Saidani Mohamed El Amine

Currently working as DevSecOps consultant with focus on security, monitoring, Big Data, and related topics.
