NIST 800-53 REV 5 • AWARENESS AND TRAINING
AT-3(4) — Suspicious Communications and Anomalous System Behavior
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Train role-based personnel specifically on recognizing and responding to suspicious communications and anomalous system behavior — at a deeper technical level than general awareness training.
Example 1: Train your SOC analysts on identifying indicators of compromise (IOCs) in network traffic and logs. Use your SIEM to show real examples of beacon traffic patterns, DNS tunneling, and lateral movement. Give them PCAP files to analyze with Wireshark as exercises.
Example 2: Train your help desk staff to escalate properly when users report suspicious behavior. Create a triage checklist: if a user reports a suspicious email, the help desk checks the headers, verifies the sender domain, and if suspicious, isolates the message and escalates to the security team within 15 minutes. Practice this monthly.
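The header and sender-domain checks from the Example 2 checklist, written out as an added training sketch (not part of the original notes). The sample message, the function names and the exact-match domain comparison are assumptions made for illustration, and the script assumes the Authentication-Results header was stamped by your own mail gateway.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a user-reported message (not real traffic).
REPORTED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <helpdesk@example.com>
Reply-To: it-support@example.net
Subject: Password expires today

Please confirm your account.
"""

ESCALATION_SLA_MINUTES = 15  # escalation window stated in the checklist


def domain(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; trust only your own gateway's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";")[1:]:  # first field is the authserv-id
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts[method] = rest.split()[0].lower()
    return verdicts


def triage(raw):
    """Run the header and sender-domain checks and return the decision."""
    msg = message_from_string(raw)
    from_dom, verdicts = domain(msg["From"]), auth_results(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                if verdicts.get(m) != "pass"]
    # Simplification: any domain mismatch is a finding for a human to review.
    for hdr in ("Return-Path", "Reply-To"):
        d = domain(msg[hdr])
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    return {"from_domain": from_dom, "findings": findings,
            "escalate": bool(findings), "sla_minutes": ESCALATION_SLA_MINUTES}
```

A Return-Path mismatch alone is common for legitimate bulk mail, so in a drill the findings list is the starting point for the analyst's judgment, not a verdict.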