By Ely Kahn
Pattern-of-life analysis is a well-known (and sometimes controversial) term in the US Intelligence Community. One definition of pattern-of-life analysis is:
"A method of surveillance specifically used for documenting or understanding a subject's (or many subjects') habits. This information can then be potentially used to predict future actions by the subject(s) being observed. This form of observation can, and is, generally done without the consent of the subject, with motives including but not limited to security, profit, scientific research, regular censuses, and traffic analysis. Unlike these specific areas of surveillance, pattern-of-life analysis is not limited to one medium and can encompass tracking anything in an individual's (or system of individuals') life from their internet browsing habits to their geophysical movements."
Figure 1: Traffic Analysis in Portland, OR, Over a 3 Year Time Period
In other words, pattern-of-life analysis means identifying a group of entities (e.g., suspected terrorists) and tracking every detail about them (e.g., movements, telephone calls, web activity, etc.) over an extended period of time in order to understand the full context of their current behavior and better anticipate their future activities.
In today's cyber threat environment, a similar amount of rigor (i.e., cyber pattern-of-life analysis) is needed to identify advanced and targeted threats that typically evade traditional cyber surveillance/defensive efforts. One way to think about this from a cybersecurity perspective is that you may want to track a variety of entities within your network: users, hosts, IP addresses, devices, applications, ports, protocols, servers, authentication/authorization systems, databases, etc. For a large organization, the number of entities and the relationships between these entities can easily run into the millions or even billions.
For each entity you will want to identify statistics to help understand that specific entity's pattern-of-life. For example, you may want to track statistics like # of bytes transferred, # of login events, # of files downloaded, etc.
So, to do cyber pattern-of-life analysis, you would need a system that can store and analyze billions of entities and keep statistics up to date on those entities in near real-time. From those statistics, you can begin to develop baseline patterns of behavior to help determine what is normal and what appears anomalous. These anomalies could be indicative of a hacker moving laterally through a network or an insider threat hoarding files.
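To make the baselining step concrete, here is an added example (not code from this post or from any product it describes) that keeps a running mean and standard deviation per (entity, metric) pair using Welford's online algorithm, so no raw history has to be stored, and flags a value that lands more than three standard deviations from that entity's own baseline. The log records and the entities alice and bob are constructed for the example.

```python
import re
from collections import defaultdict

class RunningStats:
    """Welford's online mean/variance: updated per event, no raw history kept."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return (self.m2 / (self.n - 1)) ** 0.5 if self.n > 1 else 0.0

class PatternOfLife:
    """One baseline per (entity, metric) pair, e.g. ('alice', 'bytes_out')."""
    def __init__(self, min_samples=5, z_threshold=3.0):
        self.min_samples, self.z_threshold = min_samples, z_threshold
        self.stats = defaultdict(lambda: defaultdict(RunningStats))

    def observe(self, entity, metric, value):
        """True if value is > z_threshold sigmas from the entity's baseline. Anomalies
        are not folded into the baseline, so bursts cannot teach the model they are normal."""
        s = self.stats[entity][metric]
        if s.n >= self.min_samples:
            sigma = max(s.stddev(), 1e-9)  # zero-variance guard
            if abs(value - s.mean) / sigma > self.z_threshold:
                return True
        s.update(value)
        return False

LINE = re.compile(r"entity=(\S+) metric=(\S+) value=(\S+)")

def scan(log_lines, pol=None):
    """Feed 'entity=... metric=... value=...' records; return the anomalous ones."""
    pol, hits = pol or PatternOfLife(), []
    for line in log_lines:
        m = LINE.search(line)
        if m and pol.observe(m[1], m[2], float(m[3])):
            hits.append((m[1], m[2], float(m[3])))
    return hits

# Constructed daily roll-ups: bytes a user sent out, and logins one account performed.
SAMPLE_LOG = [f"day={d} entity=alice metric=bytes_out value={v}"
              for d, v in enumerate([10000, 12000, 11000, 13000, 10500, 11500, 2000000], 1)]
SAMPLE_LOG += [f"day={d} entity=bob metric=logins value={v}"
               for d, v in enumerate([3, 4, 3, 5, 4, 5, 6, 30], 1)]
```

Running `scan(SAMPLE_LOG)` flags alice's 2,000,000-byte day (the file-hoarding pattern) and bob's 30-login day (the lateral-movement pattern) while leaving each entity's ordinary day-to-day variation alone.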
If this sounds interesting, check out our demo to learn more about the implementation of Cyber Pattern-of-Life Analysis.