Subject: Identifying key entities
Phase 1 · piece 2 of 7
Who is involved?
Subject is the who of the alert. Every entity that authenticated, executed, or acted on the systems the alert touched. Not just humans. Anyone or anything with an identity that the system trusted.
What you will get from this chapter
By the end of Subject you should be able to:
Enumerate every entity connected to the alert: humans, service accounts, machines, cloud roles, network identifiers.
Evaluate each entity across four dimensions (authentication, authorization, behavior, relationships) so the assessment is repeatable across alert types.
Compare current activity against historical baselines to separate normal-for-this-entity from anomalous.
Recognize insider patterns using the Insider Threat Matrix (a public framework maintained at insiderthreatmatrix.org that catalogs insider techniques across motivation, preparation, action, and anti-forensics, and serves as a shared vocabulary for describing insider risk and threat) and produce a Subject-level risk picture.
Subjects are not just users
A common mistake when teaching Subject is to map "entity" (a person, system, or organization that interacts with or affects a security incident) to "user account" (a unique identity or profile used to authenticate and authorize access to a system or resource). Modern environments have far more identities than people. Understanding what counts as a subject is the first skill of the phase.
Human users
Standard users, administrators, contractors, executives, vendor logins. Each has a different risk profile based on access and job function.
Non-human identities
Service accounts, automation bots, deployment pipelines, scheduled tasks. Often have broader access than humans and outlive the people who created them.
Cloud and infrastructure
EC2 instances, Kubernetes pods, Lambda functions, cloud roles, federated identities. Each represents an identity boundary the SOC needs to track.
Network and trust
IP addresses, MAC addresses, certificates, API keys. Not identities in the traditional sense, but the markers that systems use to decide who is who.
The four pillars of Subject analysis
ASSURED splits Subject into four pillars. The first three structure how to think about an entity. The fourth handles a special case.
Four dimensions
Authentication, authorization, behavior, relationships. The lens that turns any entity into a structured profile.
Entity types
User accounts, endpoints, applications, services, network identifiers. Each type has its own analysis pattern.
Behavioral framework
Pattern recognition, baseline development, anomaly detection. The toolkit for separating normal from suspicious.
Insider analysis
Risk vs. threat. Motivation, means, preparation, infringement, anti-forensics. Plus the Insider Threat Matrix as a structured lens.
Why Subject deserves its own phase
A useful heuristic: most missed intrusions are missed at Subject, not at Alert. The detection engine often fires correctly, but the analyst stops at "User X did Y" without asking what kind of identity X is, what X normally does, or what other identities connect to X.
Identity is not the same as person
The user account named alice@example.com is an identity. So is the service account that alice's CI/CD pipeline uses. So is the cloud role that pipeline assumes when it deploys to staging. All three can act with alice's level of trust. Treating them as the same person is how privilege escalation (gaining access at a higher trust level than the actor originally held, by any means: exploiting a bug, abusing a misconfiguration, stealing credentials, impersonating a token, or socially engineering an elevation) gets missed.
Identities outlive people
Service accounts created five years ago, by engineers who have since left, often still have production access. They have no manager, no review cadence, and no normal user to compare against. Subject analysis is what surfaces these forgotten identities.
Behavior is the strongest signal
For any identity, the question "is this normal for this identity" is more informative than "is this normal in general." A 03:00 login is unremarkable for a follow-the-sun support account and alarming for a finance executive. The same alert means different things depending on whose history it touches.
Relationships reveal scope
A compromised identity is rarely the destination. It is the starting point for lateral movement (adversary traversal from the initial-access host to other hosts inside the environment; each hop expands the blast radius and adds new entities for Subject analysis, and it often piggybacks on legitimate authentication, which is what makes it hard to detect). Mapping which other identities and systems a compromised entity can reach is how the analyst sets the bounds of the investigation, which feeds directly into the Scope phase next.
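The two ideas in the cards above, a per-identity behavioral baseline and the trust relationships that turn one compromised identity into a blast radius, as an added example that is not part of the original page or the ASSURED material. The event history, identity names, and the "trigger"/"assume_role" action labels are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample history, not from the original page:
# (identity, hour_of_day_utc, action, target).
HISTORY = [
    ("support-ops@example.com", 2, "login", "helpdesk-01"),
    ("support-ops@example.com", 4, "login", "helpdesk-02"),
    ("cfo@example.com", 9, "login", "finance-ws"),
    ("cfo@example.com", 14, "login", "finance-ws"),
    ("alice@example.com", 10, "login", "dev-ws"),
    ("alice@example.com", 11, "trigger", "svc-ci-deploy"),
    ("svc-ci-deploy", 11, "assume_role", "role/staging-deploy"),
    ("role/staging-deploy", 11, "login", "staging-app-01"),
]
# Actions that let the source identity act as, or on, the target.
TRUST_ACTIONS = {"trigger", "assume_role", "login"}

def hour_baseline(events):
    # Per-identity set of hours in which that identity has acted before.
    seen = defaultdict(set)
    for identity, hour, _, _ in events:
        seen[identity].add(hour)
    return seen

def is_anomalous_hour(identity, hour, baseline, window=2):
    # Anomalous when no historical hour lies within +/- window (wrapping at
    # midnight), or when the identity has no history to compare against.
    hours = baseline.get(identity)
    if not hours:
        return True
    return all(min(abs(hour - h), 24 - abs(hour - h)) > window for h in hours)

def trust_edges(events):
    # Directed graph: identity -> entities it has authenticated to or acted as.
    graph = defaultdict(set)
    for identity, _, action, target in events:
        if action in TRUST_ACTIONS:
            graph[identity].add(target)
    return graph

def reach(identity, graph):
    # Everything transitively reachable from identity: the candidate blast radius.
    seen, queue = set(), deque([identity])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen
```

With this history, a 03:00 login is normal for support-ops and anomalous for the CFO, and `reach("alice@example.com", ...)` returns the pipeline service account, the staging role it assumes, and the host that role logs into, the same chain the "Identity is not the same as person" card describes.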
Next up
The four dimensions
The lens that turns any entity into a structured profile: authentication, authorization, behavior, relationships.