{
	"id": "bc787972-85d3-4942-b6ac-6772f237f4f8",
	"created_at": "2026-04-06T00:17:18.145744Z",
	"updated_at": "2026-04-10T03:37:33.016032Z",
	"deleted_at": null,
	"sha1_hash": "1700004efa12de16c0d85188ca1d6b62d0720ebd",
	"title": "Ghosts on the Wire: Expanding Conceptions of Network Anomalies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 329216,
	"plain_text": "Ghosts on the Wire: Expanding Conceptions of Network\r\nAnomalies\r\nBy Joe Slowik, ATR\r\nPublished: 2021-07-27 · Archived: 2026-04-05 16:42:36 UTC\r\nUpdated October 14, 2021.\r\nNetwork security operations generally and network security monitoring (NSM) more specifically evolve with\r\ntechnology like any other information technology (IT) field. One important development in NSM, along with\r\nincreasing emphasis on host-centric detection, is the rise of machine learning and artificial intelligence (ML/AI)\r\nmechanisms to analyze large, streaming datasets to identify items deviating from normal operations. Such\r\nadvances enable security anomaly detection, where a combination of ML/AI and advanced statistics generate\r\nalerts and alarms relevant to an underlying baseline of normal operations.\r\nAn anomaly-based approach to network defense and monitoring is very powerful, but the current perspective of\r\nanomaly detection is overly weighted toward statistical and ML/AI modeling techniques. 
While these items are\r\nexpansive and will be increasingly useful as underlying datasets become ever larger, space still exists for a more\r\nclassic version of anomaly-driven detection.\r\nIn this post, we will examine an expanded conception of anomaly analysis to demonstrate how network operators\r\nand defenders still retain various options for monitoring and protecting their respective environments using a\r\nthreat-focused, intelligence-driven approach to NSM and similar alerting.\r\nAnomalies Defined and Reviewed\r\nThe idea of an “anomaly” is quite simple: something that deviates from what is standard, normal, or expected.\r\nBased on this general definition, network anomalies would encompass items ranging from a newly resolved\r\ndomain, a never-before-seen user agent, or something more exotic such as a mismatch between communication\r\nprotocol and standard port assignment.\r\nYet the idea of anomaly-based defense in NSM and related security disciplines increasingly is linked directly and\r\nexclusively to mathematical models for identifying anomalous trends in a large dataset. While this approach is\r\ncertainly valuable and may over time prove to be the only viable approach to dealing with massive datasets, this\r\ntechnique largely abandons contextuality in favor of mathematical speculation.\r\nML/AI-derived anomalies represent a deviation from a baseline. Such an approach can be very valuable in\r\nidentifying new or unusual traffic, but at the same time such events are confusing as their only reason for being\r\ninteresting is their strangeness. Such strangeness can arise for several reasons: misconfiguration, a change in\r\noperations, user error, or potentially malicious operations. 
Given a black box approach to ML/AI anomaly\r\nidentification, contextuality as to why a given item is even relevant — let alone a security concern — is lost.\r\nhttps://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/\r\nPage 1 of 6\n\nYet if we break free of a strictly mathematical view of potential security anomalies, several possibilities emerge.\r\nLooking at anomalies as more than just a statistical deviation, but as a meaningful, identifiable alteration from a\r\nnormal state of affairs allows us to inject context and meaning into the event in question. In this fashion,\r\ndifferentiating the simply weird from the concerning becomes possible because we can begin framing unusual\r\nevents in light of how such an observation relates to pre- and post-event actions and how such an event may relate\r\nto an adversary’s intrusion lifecycle.\r\nIn this perspective, an anomaly becomes not just an observation deviating from a long-term baseline, but an item\r\nthat represents a change in operations that at the same time can be associated with potential malicious behaviors.\r\nSearching for anomalies thus becomes enriched by understanding and projecting why such an anomalous, unusual\r\noccurrence matters. Such an outlook represents a refinement from a view of the simply strange to the unusual, and\r\npotentially malicious, which reduces our corpus of possible events — but does so in a way that is useful since it\r\nredirects our focus to higher-confidence instances where such unusual events can be highly correlated with\r\nbehaviors associated with adversary operations.\r\nWhat we seek in this perspective is a refinement of anomaly to include observations that incorporate an\r\nunderstanding of adversary operations. 
By enriching our understanding of outlier events and anomalous network\r\noccurrences to incorporate cyber threat intelligence (CTI) and similar perspectives, we can drive higher value and\r\nhigher confidence alerting on items of interest. Analysts and network defenders can then devote energy towards\r\nexploring and investigating a likely malicious event, rather than focusing on first trying to determine whether a\r\ngiven occurrence is truly malicious, or merely weird but ultimately benign.\r\nExamples of Network Anomalies for Detection Purposes\r\nThe above considerations are not merely theoretical in nature. Rather, adopting a CTI-enriched understanding of\r\nanomalies to incorporate perspectives on adversary operations unlocks powerful detection possibilities related to\r\nknown techniques and campaigns. By exploring a few examples of such activity, we can gain greater\r\nunderstanding of how the concept of an anomaly should be expanded to include detecting items straying from the\r\nusual, but informed by CTI understanding of adversary operations and behaviors.\r\nSandworm Operations and Mismatches\r\nIn May 2020, the U.S. National Security Agency published a report on exploitation activity linked to a threat actor\r\ntypically referred to as Sandworm. Subsequent analysis of this campaign revealed various actions associated with\r\nthis actor and the specific campaign targeting the Exim mail transfer agent (MTA). 
Reviewing analysis of this\r\nactor’s activity in this campaign, several mismatches in functionality or expected relationships emerge:\r\nUse of Windows-specific user agent strings for retrieval of follow-on payloads as part of malicious script\r\nexecution in likely Linux system environments\r\nLeveraging standard ports but using uncommon protocols or services on these ports for command and\r\ncontrol (C2) functionality\r\nWe observe the former in connection with a post-intrusion script executed by Sandworm:\r\nFigure 1. Post-intrusion script executed by Sandworm.\r\nAn anomalous situation emerges given the nature of communication in the above item. While the Exim MTA\r\ntypically runs only on Linux or other Unix-like servers, the script in question uses a hard-coded user agent string associated with\r\nWindows workstations. Identifying this communication anomaly will allow a defender to spot the C2 channel\r\nthrough the mismatch in system type and traffic information. If sufficient visibility and IT asset identification\r\nexists, defenders can articulate alerts identifying functional mismatches for further investigation and analysis.\r\nFigure 2. Post-exploitation Sandworm activity shows mismatch.\r\nIn addition to the user agent item, the above section of post-exploitation Sandworm activity shows another\r\ninteresting mismatch between expected and observed behavior. In this case, a hard-coded HTTP connection exists\r\n(again using a Windows-based user agent), but instead of using TCP 80 for communication, the request leverages\r\nTCP 53 (reserved for DNS, where TCP normally carries zone transfers and responses too large for UDP). Such activity could be used to evade firewall or similar\r\ncontrols (as outbound DNS is typically allowed). But examination of traffic flow information would show a\r\nmismatch between protocol used (HTTP) and associated port (TCP 53). 
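The two Sandworm mismatches above, expressed as detection logic over Zeek-style http.log and conn.log records. This is an added example and not code from the post or from the NSA report: the log records, the asset inventory mapping source hosts to operating systems, the expected-service table and the host addresses are constructed assumptions, and the user-agent classifier is deliberately minimal.

```python
# Added example: functional-mismatch detection over Zeek-style logs.
# Records, inventory and tables below are constructed for illustration.

# Constructed asset inventory mapping source hosts to their operating system.
ASSET_OS = {
    '10.0.5.20': 'linux',    # hypothetical Exim mail relay
    '10.0.7.41': 'windows',  # hypothetical user workstation
}

# Service a standard port is expected to carry (Zeek service names).
EXPECTED_SERVICE = {25: 'smtp', 53: 'dns', 80: 'http', 443: 'ssl'}

# Constructed Zeek http.log records; field names follow Zeek so the logic
# maps onto real logs. Record C1 mimics the Sandworm case: a Linux mail
# server presenting a Windows user agent to port 53.
HTTP_LOG = [
    {'uid': 'C1', 'id.orig_h': '10.0.5.20', 'id.resp_h': '203.0.113.9', 'id.resp_p': 53,
     'user_agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0'},
    {'uid': 'C2', 'id.orig_h': '10.0.7.41', 'id.resp_h': '198.51.100.4', 'id.resp_p': 80,
     'user_agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'},
    {'uid': 'C3', 'id.orig_h': '10.0.5.20', 'id.resp_h': '198.51.100.8', 'id.resp_p': 80,
     'user_agent': 'curl/7.68.0'},   # no OS claim at all: not evidence of anything
]

# Constructed Zeek conn.log records. Zeek sets service from protocol
# detection, not from the port, so http on tcp/53 appears as service='http'.
CONN_LOG = [
    {'uid': 'C1', 'id.orig_h': '10.0.5.20', 'id.resp_h': '203.0.113.9', 'id.resp_p': 53, 'proto': 'tcp', 'service': 'http'},
    {'uid': 'C2', 'id.orig_h': '10.0.7.41', 'id.resp_h': '198.51.100.4', 'id.resp_p': 80, 'proto': 'tcp', 'service': 'http'},
    {'uid': 'C4', 'id.orig_h': '10.0.7.41', 'id.resp_h': '10.0.0.2', 'id.resp_p': 53, 'proto': 'udp', 'service': 'dns'},
    {'uid': 'C5', 'id.orig_h': '10.0.7.41', 'id.resp_h': '198.51.100.9', 'id.resp_p': 8443, 'proto': 'tcp', 'service': 'ssl'},
]


def ua_os_family(user_agent):
    # Minimal classifier: the OS family a user agent claims, or None when it
    # claims none. Android is tested before Linux because Android user agents
    # also contain the word Linux.
    ua = user_agent.lower()
    if 'windows nt' in ua or 'windows phone' in ua:
        return 'windows'
    if 'android' in ua:
        return 'android'
    if 'iphone' in ua or 'ipad' in ua or 'macintosh' in ua:
        return 'apple'
    if 'linux' in ua or 'x11' in ua:
        return 'linux'
    return None


def ua_os_mismatches(http_log, asset_os):
    # Alert only when both sides are known: an OS claimed by the user agent and
    # an inventoried OS for the source host. Uninventoried hosts produce
    # nothing, which is exactly the visibility gap asset identification closes.
    alerts = []
    for rec in http_log:
        claimed = ua_os_family(rec['user_agent'])
        known = asset_os.get(rec['id.orig_h'])
        if claimed is None or known is None or claimed == known:
            continue
        alerts.append({'rule': 'ua_os_mismatch', 'uid': rec['uid'], 'orig_h': rec['id.orig_h'],
                       'detail': f'asset is {known}, user agent claims {claimed}'})
    return alerts


def service_port_mismatches(conn_log):
    # Flag a standard port carrying a service other than the one assigned to it.
    # Non-standard ports and connections whose service Zeek could not identify
    # are skipped rather than guessed.
    alerts = []
    for rec in conn_log:
        port = rec['id.resp_p']
        expected = EXPECTED_SERVICE.get(port)
        seen = set(filter(None, (rec.get('service') or '').split(',')))
        if expected is None or not seen or expected in seen:
            continue
        proto = rec['proto']
        seen_txt = ','.join(sorted(seen))
        alerts.append({'rule': 'service_port_mismatch', 'uid': rec['uid'], 'orig_h': rec['id.orig_h'],
                       'detail': f'{seen_txt} on {proto}/{port}, expected {expected}'})
    return alerts


def correlate(alerts):
    # Two independent mismatches from the same source host move it from
    # merely suspicious to likely malicious.
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a['orig_h'], set()).add(a['rule'])
    return {h: ('likely_malicious' if len(r) > 1 else 'suspicious') for h, r in rules_by_host.items()}


def run(http_log=HTTP_LOG, conn_log=CONN_LOG, asset_os=ASSET_OS):
    alerts = ua_os_mismatches(http_log, asset_os) + service_port_mismatches(conn_log)
    return alerts, correlate(alerts)


if __name__ == '__main__':
    found, verdicts = run()
    for a in found:
        print(a['rule'], a['uid'], a['orig_h'], a['detail'])
    print(verdicts)
```

The asset inventory is the load-bearing piece: with no known OS for the source host the user-agent rule stays silent, which is the visibility caveat raised above. The port rule depends on the sensor populating service from protocol detection rather than from the port number, as Zeek does; a flow-only source that infers service from port would never see http on tcp/53 at all.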
This type of mismatch does not\r\noccur by chance and can be highly correlated with evasive activity by an entity within the network. By\r\ndetecting such traffic, defenders can identify not merely suspicious but likely malicious behaviors for further\r\nresponse and investigation.\r\nNOBELIUM and Unusual DNS Queries\r\nMultiple entities identified a complex, long-running intrusion campaign leveraging a supply chain intrusion\r\nthrough SolarWinds Orion network monitoring software in December 2020. Subsequent analysis, along with\r\nlabeling the adversary responsible as NOBELIUM, identified additional intrusion and lateral movement\r\nmechanisms leveraging adversary compromise of Microsoft cloud and O365 environments. The combination of\r\nMicrosoft and SolarWinds vectors for intrusion and access represents a formidable challenge for defenders to\r\ndeal with — a situation made more complicated still given the adversary’s savvy use of network infrastructure to\r\nevade indicator-driven network defense and investigation.\r\nExamination of the SolarWinds Orion intrusion vector, labeled SUNBURST, reveals one key observable linking\r\nall known events: use of a common initial C2 domain for victim identification and filtering. The domain,\r\navsvmcloud[.]com, was used to collect lengthy DNS requests, such as the below items observed in DomainTools\r\nIris, that contained encoded victim information. Based on this information, the responding server would then\r\ndetermine whether the victim would receive a CNAME response back to move events on to second-stage C2\r\ninfrastructure.\r\nFigure 3. 
avsvmcloud[.]com was used to collect lengthy DNS requests.\r\nWhile NOBELIUM took a variety of careful, operations security-centric steps in establishing this nested\r\nC2 activity, the initial C2 beacon nonetheless stands out and links the first-stage infection vectors. While\r\ndetecting anomalous DNS activity (long subdomains, DNS lookups followed by no actual traffic to the identified\r\nresource, etc.) on its own may be insufficient for meaningful alerting, additional enrichment may enable higher-confidence assessments. For example, linking this DNS activity to the specific device responsible, such as a SolarWinds\r\nOrion network monitoring server, can tie an anomalous network event to high-profile, high-value\r\ninfrastructure. Such correlation, in this case based on functionality and context, serves to bubble up the merely\r\nanomalous to activity that requires investigation.\r\nLarge Archive Downloads for Analysis Evasion\r\nNOBELIUM-linked activity continued in late May 2021 with a phishing campaign spoofing non-governmental\r\norganizations (NGOs) and other entities. For this campaign, the initial infection vector was a malicious link in the\r\nNGO-spoofing email leading to an ISO optical disk image file.\r\nFor reasons of efficiency and scalability, ISO file types (which are legitimately used for a number of purposes,\r\nincluding distributing operating system installation disks) are often excluded from active analysis (scanning\r\nengines or sandboxing) because of their size. For example, a typical Linux installation ISO for Ubuntu is\r\napproximately 2.6 gigabytes in size, while Windows 10 ISO installers are typically larger than 3 gigabytes. 
To\r\navoid undue stress on security appliances, such files are therefore often exempted from security analysis — allowing an\r\nentity such as NOBELIUM (among other adversaries) to use this visibility gap to transfer malware within an ISO\r\narchive.\r\nAs reported by multiple entities, NOBELIUM distributed malware as an ISO with several components inside: a\r\ndecoy document or PDF, a DLL containing the actual payload, and a LNK file that would handle execution of the\r\npayload while displaying the decoy. While ISO files can (obviously) be of any size, what is notable about the\r\nimages distributed in this campaign is that they are relatively small, as the sample table in the post shows.\r\nWhereas typical ISOs are often measured in gigabytes, these items at most come in at a little over 20 megabytes.\r\nAs such, an anomaly can be identified in this behavior: retrieval of relatively small ISO files, and in this case from\r\nlikely new (to the victim) network infrastructure. This combination of anomalous observations — odd file given\r\nfile type and newly observed network infrastructure — can be used as an identifier for activity that requires further\r\nanalysis and investigation.\r\nContext-Driven Anomalies and Enabling Response\r\nA threat-centric, intelligence-driven approach to anomalies also enables response due to greater contextuality and\r\nbackground understanding of suspicious activity. In identifying an anomalous object given a known, identifiable\r\nbehavioral deviation, defenders can now ask relevant questions as to how the observation manifested and toward\r\nwhat it likely leads. 
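As an added example of this context-driven triage (not code from the post), the two NOBELIUM observations above, the encoded SUNBURST-style DNS beacon and the small ISO retrieval, reduced to checks whose priority comes from asset role and infrastructure age rather than from the oddity alone. The Zeek-style dns.log, conn.log and http.log records, the asset inventory, the domain first-seen registry, the entropy and size thresholds and the example.com, example.net and example.org host names are all constructed assumptions; avsvmcloud[.]com itself is deliberately not used as sample data.

```python
# Added example: context-enriched anomaly checks for the two NOBELIUM cases.
# All records, the asset inventory, the first-seen registry and the thresholds
# are constructed for illustration; domain names are documentation examples.
import math
from datetime import datetime, timedelta

NOW = datetime(2021, 6, 1)   # constructed reference time for the sample data

# Constructed asset inventory: what a device is for decides how much an
# anomaly on it matters.
ASSETS = {
    '10.0.3.15': {'role': 'network_monitoring_server', 'tier': 'high'},  # hypothetical Orion-class host
    '10.0.7.41': {'role': 'workstation', 'tier': 'low'},
}

# Constructed first-seen registry, the kind of history passive DNS or proxy
# logs provide. A host absent from it has never been seen at all.
DOMAIN_FIRST_SEEN = {
    'updates.example.net': NOW - timedelta(days=900),
    'cdn-files.example.org': NOW - timedelta(days=2),
}

# Constructed Zeek-style dns.log, conn.log and http.log records.
DNS_LOG = [
    {'ts': NOW, 'id.orig_h': '10.0.3.15', 'qtype_name': 'A',
     'query': 'k5vbn2qz7ehd4y1xf0mr3a.appsync-api.eu-west-1.example.com',
     'answers': ['198.51.100.77']},
    {'ts': NOW, 'id.orig_h': '10.0.7.41', 'qtype_name': 'A',
     'query': 'www.example.net', 'answers': ['198.51.100.10']},
]
CONN_LOG = [
    # The workstation actually connects to what it resolved; the monitoring
    # server never does, which is the lookup-without-traffic pattern.
    {'ts': NOW + timedelta(seconds=3), 'id.orig_h': '10.0.7.41', 'id.resp_h': '198.51.100.10'},
]
HTTP_LOG = [
    {'id.orig_h': '10.0.7.41', 'host': 'cdn-files.example.org', 'uri': '/invite.iso',
     'resp_mime_types': ['application/x-iso9660-image'], 'response_body_len': 18 * 1024 * 1024},
    {'id.orig_h': '10.0.7.41', 'host': 'updates.example.net', 'uri': '/ubuntu-20.04.iso',
     'resp_mime_types': ['application/x-iso9660-image'], 'response_body_len': 2700 * 1024 * 1024},
]


def shannon_entropy(s):
    # Bits per character; encoded victim data scores high, dictionary labels low.
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def dns_beacon_candidates(dns_log, conn_log, min_label_len=16, min_entropy=3.5,
                          window=timedelta(minutes=5)):
    # A long, high-entropy leftmost label is the weak signal; no follow-on
    # connection to the resolved address within the window corroborates it.
    out = []
    for q in dns_log:
        label = q['query'].split('.')[0]
        if len(label) < min_label_len or shannon_entropy(label) < min_entropy:
            continue
        followed = any(c['id.orig_h'] == q['id.orig_h'] and c['id.resp_h'] in q['answers']
                       and q['ts'] <= c['ts'] <= q['ts'] + window for c in conn_log)
        out.append({'rule': 'encoded_dns_query', 'orig_h': q['id.orig_h'],
                    'query': q['query'], 'no_follow_on_traffic': not followed})
    return out


def small_iso_downloads(http_log, first_seen, now, max_bytes=64 * 1024 * 1024, new_days=30):
    # An ISO far smaller than any installer image, fetched from infrastructure
    # the organisation has not seen before, is the combination described above.
    out = []
    for r in http_log:
        is_iso = ('application/x-iso9660-image' in r.get('resp_mime_types', [])
                  or r['uri'].lower().endswith('.iso'))
        if not is_iso or r['response_body_len'] > max_bytes:
            continue
        seen = first_seen.get(r['host'])
        age = None if seen is None else (now - seen).days
        out.append({'rule': 'small_iso_download', 'orig_h': r['id.orig_h'], 'host': r['host'],
                    'bytes': r['response_body_len'], 'new_infrastructure': age is None or age <= new_days})
    return out


def enrich(alert, assets):
    # Priority comes from context, not from the statistical oddity alone: a
    # corroborated anomaly on a high-tier asset goes to the front of the queue.
    ctx = assets.get(alert['orig_h'], {'role': 'unknown', 'tier': 'unknown'})
    corroborated = alert.get('no_follow_on_traffic') or alert.get('new_infrastructure')
    if corroborated and ctx['tier'] == 'high':
        priority = 'investigate_now'
    elif corroborated:
        priority = 'investigate'
    else:
        priority = 'review'
    return dict(alert, role=ctx['role'], priority=priority)


def run(dns_log=DNS_LOG, conn_log=CONN_LOG, http_log=HTTP_LOG, assets=ASSETS,
        first_seen=DOMAIN_FIRST_SEEN, now=NOW):
    alerts = dns_beacon_candidates(dns_log, conn_log) + small_iso_downloads(http_log, first_seen, now)
    return [enrich(a, assets) for a in alerts]


if __name__ == '__main__':
    for a in run():
        print(a['priority'], a['rule'], a['orig_h'], a['role'])
```

The encoded-label test on its own fires on plenty of benign CDN and telemetry names; what earns the alert its priority is the missing follow-on connection and the fact that the querying host is the monitoring server, and the small-ISO rule likewise only escalates when the serving host is new to the organisation. Both thresholds are tuning knobs that should be set from the local baseline rather than taken from this example.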
This stands in contrast to the approach in most black-box mathematical model identifications,\r\nwhere significant effort must first be expended to determine whether the odd observation is even suspicious (or\r\nmalicious) before considering what comes next.\r\nThus, a behavior-aware, intelligence-driven perspective on anomalies also opens possibilities for guiding\r\ninvestigation and response after detection. Using what the security industry frequently describes as\r\nplaybooks, incident response (IR) personnel can apply pre-determined, historically\r\nrelevant follow-on actions to pursue a detection once it emerges. Since the triggering anomaly is strange because\r\nof context and operation relative to the network and potential adversary actions, IR actions can be focused toward\r\nknown-valuable investigative paths.\r\nMany organizations aim to enable IR and defensive operations in this way so as to better utilize and direct limited\r\nresources. By ensuring an intelligence and contextual perspective for security detections, such as an enriched\r\nidentification of anomalies, organizations can meaningfully enable such a posture. 
In doing so, asset owners and\r\ndecision makers create a more focused, rapid response to malicious activity, minimizing adversary dwell time and\r\nimproving defender identification and response metrics.\r\nConclusion\r\nThe concept of a security anomaly has been debased by an exclusive focus on mathematical and statistical\r\nmodel identification of odd events in network security, as if that were the only way of implementing such an\r\napproach.\r\nThrough reevaluation of the anomaly concept, we find possibilities for contextual, behavior-driven variants that\r\nallow defenders and responders to rapidly triage and transition initial observations toward high-confidence\r\nsecurity alerts. By adopting this enriched conception, we as network security professionals can reclaim the idea of\r\nanomalous events from black-box modeling and reintroduce it to fundamental security monitoring and response.\r\nIn doing so, we will enable a more focused, more accurate means to respond to security events as they occur,\r\nwhile significantly reducing wasteful actions in response to events that are merely odd but fundamentally benign.\r\nSource: https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/"
	],
	"report_names": [
		"ghosts-on-the-wire-expanding-conceptions-of-network-anomalies"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1700004efa12de16c0d85188ca1d6b62d0720ebd.pdf",
		"text": "https://archive.orkl.eu/1700004efa12de16c0d85188ca1d6b62d0720ebd.txt",
		"img": "https://archive.orkl.eu/1700004efa12de16c0d85188ca1d6b62d0720ebd.jpg"
	}
}