7 Tuning statistical logic
This chapter covers
- Tuning statistical constructs to create better security analysis capabilities
- Uncovering malicious beaconing that uses unexpected communication channels
- Capturing packets to gain visibility into a threat's execution
In this chapter, you will learn and practice building and using more involved statistical constructs in your threat-hunting expeditions. I want you to experience different approaches, different techniques, and different tools in the statistical toolkit to uncover threats.
First, I introduce approaches such as random time jitter and beaconing to demonstrate that using only standard deviation (chapter 6) is insufficient to uncover threats. I also introduce statistical techniques such as quantiles, which can enhance analytical capabilities to uncover anomalies. Next, I describe how to use density distribution functions to detect data exfiltration, anomalies, and outliers.
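As an added illustration of that contrast (example code, not from the book), this Python script builds two constructed connection-interval samples: a beacon whose 60-second period carries ±20% random jitter, and a bursty human host with exponential gaps. A strict standard-deviation test misses the jittered beacon, while a 95th/5th-percentile ratio bound still flags it; the thresholds and sample parameters are assumptions.

```python
import random
import statistics

def intervals(timestamps):
    """Seconds between consecutive connection timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def stddev_flags(gaps, cv_max=0.10):
    """Chapter-6 style check: flag only near-constant gaps, i.e. a
    coefficient of variation (std dev / mean) below cv_max (assumed)."""
    return statistics.pstdev(gaps) / statistics.mean(gaps) < cv_max

def quantile_flags(gaps, ratio_max=2.0):
    """Quantile check: jitter widens the gaps but keeps them inside a
    bounded band, so the 95th/5th percentile ratio stays small. Human
    traffic has long idle tails and a ratio far above ratio_max (assumed)."""
    cuts = statistics.quantiles(gaps, n=20)   # 19 cut points: p5 .. p95
    return cuts[-1] / cuts[0] < ratio_max

def jittered_beacon(n=300, base=60.0, jitter=0.20, seed=7):
    """Constructed sample: one connection every ~60 s, each gap drawn
    uniformly from base*(1-jitter) .. base*(1+jitter)."""
    rng = random.Random(seed)
    t, stamps = 0.0, []
    for _ in range(n):
        t += rng.uniform(base * (1 - jitter), base * (1 + jitter))
        stamps.append(t)
    return intervals(stamps)

def interactive_host(n=300, mean_gap=60.0, seed=7):
    """Constructed sample: bursty human browsing, exponential gaps."""
    rng = random.Random(seed)
    t, stamps = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        stamps.append(t)
    return intervals(stamps)

if __name__ == "__main__":
    for name, gaps in (("jittered beacon", jittered_beacon()),
                       ("interactive host", interactive_host())):
        print(f"{name:17s} std-dev check: {stddev_flags(gaps)!s:5}  "
              f"quantile check: {quantile_flags(gaps)}")
```

The jittered beacon has a coefficient of variation near 0.115, so the 0.10 standard-deviation bound never fires on it, whereas its p95/p5 ratio sits near 1.44 and the quantile bound does.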
You may want to play the soundtrack to The Empire Strikes Back (Star Wars: Episode V) in the background while we go through the first scenario: uncovering beaconing with random jitter. Why? All will be revealed as we proceed.