Baselines and Anomalies

Premium room

Identify normal activity and hunt for anomalies.

medium

90 min


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” 

Sun Tzu - The Art of War.

Anna has been hired by Deer Inc. and tasked with creating a strategy to detect and respond to advanced attacks. The organisation already has security controls such as firewalls, EDRs, and WAFs. However, as they saw in a recent incident, advanced threat actors can bypass these controls if they are not customised to the specific organisation's environment. Therefore, Anna's task is a little more daunting than implementing the traditional security controls. She has to set up an advanced defence to thwart advanced attacks.


Advanced attackers blend in with the network and use tools and techniques that avoid triggering security devices. They do this by using tools often used for benign purposes, blurring the line between normal activity and threat actor activity. The defenders must also step up to detect and respond to such attacks. They cannot defend what they don't know about, so one of the essential things the defenders can do is know how their network works, create a baseline of normal activity and use that baseline to detect otherwise stealthy threats. The attackers can know what is often benign, but only the defenders will know what is suspicious in their environments. And thus, by this knowledge of oneself, the defenders can defend against advanced attackers. Let's help Anna build such use cases to help her defend against these advanced actors.
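As an added illustration of the baseline idea above (example code, not part of the room's material), the Python below learns which processes each host/user pair normally runs from one window of events and then flags departures in a later window, separating a commonly used tool appearing in an unfamiliar context from a tool never seen anywhere. All hostnames, users and events are constructed.

```python
from collections import defaultdict

# Constructed sample events (host, user, process); not taken from any real environment.
BASELINE_WINDOW = [
    ("WS01", "anna", "outlook.exe"),
    ("WS01", "anna", "excel.exe"),
    ("WS01", "anna", "chrome.exe"),
    ("SRV01", "svc_backup", "robocopy.exe"),
    ("SRV01", "admin", "powershell.exe"),
    ("WS02", "bob", "chrome.exe"),
    ("WS02", "bob", "teams.exe"),
]

NEW_WINDOW = [
    ("WS01", "anna", "excel.exe"),              # within baseline
    ("WS01", "anna", "powershell.exe"),         # benign tool, never seen for anna on WS01
    ("SRV01", "admin", "powershell.exe"),       # normal for admin on SRV01
    ("SRV01", "svc_backup", "powershell.exe"),  # service account running an interactive tool
    ("WS02", "bob", "unknown_updater.exe"),     # constructed name, seen nowhere in the baseline
]


def build_baseline(events):
    """Map each (host, user) to the set of processes it is known to run."""
    baseline = defaultdict(set)
    for host, user, proc in events:
        baseline[(host, user)].add(proc.lower())
    return baseline


def find_anomalies(baseline, events):
    """Return (host, user, process, reason) for events outside the host/user baseline.

    The reason distinguishes a tool that is normal elsewhere in the organisation
    (an attacker blending in with benign tooling) from a tool never seen at all.
    """
    known_anywhere = set().union(*baseline.values()) if baseline else set()
    anomalies = []
    for host, user, proc in events:
        p = proc.lower()
        if p in baseline.get((host, user), set()):
            continue  # matches what this host/user normally does
        reason = "known tool, unusual context" if p in known_anywhere else "never-seen tool"
        anomalies.append((host, user, p, reason))
    return anomalies


if __name__ == "__main__":
    for row in find_anomalies(build_baseline(BASELINE_WINDOW), NEW_WINDOW):
        print(row)
```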

Learning Objectives

In this room, we will focus on:

  • Defining normal behaviour by creating baselines for an organisation's corporate network.
  • Going through examples of suspicious behaviour identified after defining normal behaviour.
  • Building a tailor-made defence strategy based on what is normal for an organisation.
  • Practising identifying normal activity and separating the suspicious from it using a solution.

Prerequisites

To take maximum benefit from this room, it is suggested that you first complete:

Note: This room contains a non-guided challenge in Task 7. So having good knowledge of is highly recommended.

Answer the questions below
Let's begin.
