From the course: Threat Hunting Essential Training
Anomaly-based hunting
- [Instructor] When we talk about identifying an anomaly, we're trying to find something that deviates from what is standard, normal, or expected. I like to break down anomaly identification further into two buckets so we can talk about each independently. First, we try to find outliers that deviate from what is considered normal. Second, we can try to find outliers that deviate from what's standard or expected. The reason for breaking the definition down into two buckets is that something could be normal, but it may not be expected. Let's look at an example. If you look at data leaving your network to establish a baseline and have an active attacker exfiltrating sensitive data to an unauthorized cloud file storage location, the exfiltration activity would be considered normal in your baseline. Now, exfiltration of sensitive data is probably not expected. This is why I like to differentiate normal from expected. So…
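The two buckets above, run over constructed egress data. This is an added example, not code from the course or its instructor. Bucket 1 ("deviates from normal") builds a per-destination statistical baseline from the previous week and z-scores today's volume against it; bucket 2 ("deviates from expected") compares today's destinations against an allow-list. The flow records, hostnames (all under example domains), volumes, the 3.0 z threshold and the allow-list are assumptions made for the example. The constructed data includes an exfiltration channel that has been running for the whole baseline window, which is exactly the case the lecture describes: the statistical bucket treats it as normal, and only the expectation bucket catches it.

```python
"""Two-bucket anomaly check (normal vs. expected) over constructed flow records.

Added example; hostnames, volumes, threshold and allow-list are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (day, destination, megabytes sent) for the last seven days.
BASELINE_FLOWS = [
    *[(d, "updates.example-vendor.com", mb) for d, mb in enumerate([120, 130, 110, 125, 115, 135, 120])],
    *[(d, "mail.example-corp.com", mb) for d, mb in enumerate([80, 85, 75, 90, 80, 85, 82])],
    *[(d, "crm.example-saas.com", mb) for d, mb in enumerate([40, 45, 42, 38, 41, 44, 40])],
    # Hypothetical attacker channel: steady, high-volume uploads on every day of the window,
    # so it is baked into "normal".
    *[(d, "files.example-drop.net", mb) for d, mb in enumerate([500, 510, 495, 505, 500, 490, 500])],
]

# Today's totals per destination (constructed): the vendor host spikes, the drop site is
# unchanged, and a never-seen backup host appears.
TODAY = {
    "updates.example-vendor.com": 900,
    "mail.example-corp.com": 84,
    "crm.example-saas.com": 40,
    "files.example-drop.net": 502,
    "backup.example-new-host.net": 300,
}

# Hypothetical allow-list of destinations the business expects to receive outbound data.
EXPECTED_DESTINATIONS = {
    "updates.example-vendor.com",
    "mail.example-corp.com",
    "crm.example-saas.com",
}


def baseline_stats(flows):
    """Per-destination (mean, population stddev) of daily volume in the baseline window."""
    per_dest = defaultdict(list)
    for _day, dest, mb in flows:
        per_dest[dest].append(mb)
    return {dest: (mean(v), pstdev(v)) for dest, v in per_dest.items()}


def statistical_outliers(stats, today, z_threshold=3.0):
    """Bucket 1: destinations whose volume today deviates from their own baseline."""
    flagged = {}
    for dest, mb in today.items():
        if dest not in stats:
            flagged[dest] = "no baseline for destination"
            continue
        mu, sigma = stats[dest]
        if sigma == 0:
            # Constant history: any change at all is a deviation.
            if mb != mu:
                flagged[dest] = f"constant baseline {mu:.0f} MB, today {mb} MB"
            continue
        z = (mb - mu) / sigma
        if z >= z_threshold:
            flagged[dest] = f"z={z:.1f} (baseline {mu:.0f} MB, today {mb} MB)"
    return flagged


def policy_outliers(today, expected):
    """Bucket 2: destinations that are not expected, however normal the volume looks."""
    return {dest: f"{mb} MB to unsanctioned destination"
            for dest, mb in today.items() if dest not in expected}


def hunt(baseline_flows, today, expected):
    """Run both buckets and return the hits for each."""
    stats = baseline_stats(baseline_flows)
    return {
        "deviates_from_normal": statistical_outliers(stats, today),
        "deviates_from_expected": policy_outliers(today, expected),
    }


if __name__ == "__main__":
    for bucket, hits in hunt(BASELINE_FLOWS, TODAY, EXPECTED_DESTINATIONS).items():
        print(bucket)
        for dest, why in sorted(hits.items()):
            print(f"  {dest}: {why}")
```

Running it, the statistical bucket flags the vendor spike and the brand-new backup host but says nothing about files.example-drop.net, because a week of steady 500 MB uploads is its baseline. The expectation bucket flags the drop site and the backup host regardless of volume. In practice the second bucket needs an owner for the allow-list, and a hit in only one bucket is a lead to triage, not a verdict.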