Applying the Standardized Process for Data Analytics
• Presentation
Publisher
Software Engineering Institute
Abstract
While various indicators may suggest the presence of threats in the network, the analytical process attempts to verify the existence and extent of the business risk. Furthermore, these analytical efforts often uncover other avenues of investigation that may require further attention. This discussion focuses on the repeatable process offered by Dr. Bakken as applied to specific use cases: the threats observed, an overview of the logic and data used, and the results together with the nuances of their interpretation.
Background: Logical step definition and initial data selections offer guardrails for deep statistical analysis related to any use case. When derived from a repeatable process, the runway between definition and deployment becomes much more efficient. Applying the logical flow to use cases also enables greater preparedness when transitioning into analytical efforts, supporting a more rigorous analytical effort throughout.
Use Case Examples: We will discuss the application of this process against two example scenarios:
- A select group of physical devices on the network are found to be exhibiting questionable behaviors. These behaviors include the use of remote connection-based software known to be used for malicious purposes, use of unexpected ports, data transfer to unexpected destinations, and the use of unapproved bridged networks. From a threat perspective, these devices cause concern because their unapproved activity conflicts with the vendor documentation on connectivity, behavior, and usage.
- Threat actors are utilizing password spray attacks to attempt to obtain access to the network. These attacks "spray" multiple user accounts with the same, often easy-to-guess credentials, using specific jitter patterns. Detecting these attacks follows the same repeatable pattern: identifying cases where accounts are being sprayed, which in turn uncovers risks related to password policy requirements, expectations for organizational users, and enforcement of those policies.
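As an added illustration of the password spray detection step described in the second use case (example code written for this page, not Dr. Bakken's or the SEI's own tooling), the following groups authentication events by source, flags sources whose failed logins touch many distinct accounts, and measures how regular the spacing between attempts is, since a spray with a fixed jitter pattern shows a low coefficient of variation in its inter-attempt intervals. The log format, field names and thresholds are assumptions; the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample authentication log lines (not real data):
# timestamp, source IP, target account, outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:00 203.0.113.7 alice FAIL
2024-03-01T08:00:30 203.0.113.7 bob FAIL
2024-03-01T08:01:00 203.0.113.7 carol FAIL
2024-03-01T08:01:30 203.0.113.7 dave FAIL
2024-03-01T08:02:00 203.0.113.7 erin FAIL
2024-03-01T08:02:30 203.0.113.7 frank SUCCESS
2024-03-01T08:00:05 198.51.100.9 alice FAIL
2024-03-01T08:00:40 198.51.100.9 alice FAIL
2024-03-01T08:03:10 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Parse the assumed 'timestamp source account outcome' format."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events

def detect_password_spray(events, min_accounts=5, max_interval_cv=0.2):
    """Return {source: summary} for sources whose attempts span at least
    min_accounts distinct accounts. interval_cv is the coefficient of
    variation of the gaps between attempts; a low value means the timing
    is regular, which is the jitter signature the use case describes."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        accounts = {e[2] for e in evs}
        if len(accounts) < min_accounts:
            continue  # one account hit repeatedly is brute force, not a spray
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        findings[src] = {
            "accounts": len(accounts),
            "failures": sum(e[3] == "FAIL" for e in evs),
            "successes": sorted(e[2] for e in evs if e[3] == "SUCCESS"),
            "interval_cv": cv,
            "regular_timing": cv is not None and cv <= max_interval_cv,
        }
    return findings
```

Any account listed under "successes" for a flagged source is the one to hand to the identity team for validation, which is the cross-team collaboration step the process calls for.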
Attendees Will Learn: Participants will be exposed to applied procedural workflows that can be repeated in other organizations. By integrating these procedures, statistical efforts become more efficient, have sufficient rigor, and produce repeatable results. Attendees can use this presentation to identify process gaps in analytical preparation, develop deeper insights into their data, understand the need for collaboration with other teams to validate results, and apply these techniques to their own practices.