Attackers usually don’t want to be discovered until they’ve reached the point where they want to announce themselves. They want to stay quiet, hoping to go unnoticed in the beginning stages of their attack. This is often achieved by taking small actions, the kind that can easily be dismissed when viewed in isolation. The activity may be somewhat out of the norm, but it isn’t happening at a scale or pace that will set off any alarm bells. And because they’re doing their best to maintain a sense of stealth, they don’t feel they need to alter tactics or tooling much when they perform the same initial actions in a different target environment.
Just like we saw with “The Call That Protected Four Clients,” that sense of “I have a bad feeling about this,” together with the scope to run that feeling down, creates an opportunity to discover a threat that an organization working in isolation could take far longer to find. Much as statisticians stress the importance of sample size, a SOC run by an MDR provider can apply that discovery to an exponentially larger sample than any one organization could on its own.
That provides the opportunity to take advantage of an attacker taking their quietness for granted. It’s about that expanded sample size. It’s one thing to be a single dot in a small cluster. But being the same single dot in multiple clusters becomes noticeable much faster. It’s no longer an anomaly in one environment; its repetition across multiple environments belies the label of anomaly. It reminds me of the saying, “once is happenstance, twice is coincidence…” The catch for a security practitioner is that we don’t like coincidence. It’s too neat and clean an explanation. The presence of a coincidence makes us want to dig deeper and prove that it really is one.
It’s that element of human curiosity that you can’t truly automate. Sure, once curiosity is piqued, I can automate an analyst’s ability to run searches and queries and return the results, but it’s still human curiosity that is the catalyst for digging deeper and doing more to ensure that a coincidence is just that.
We hear that attackers are automating a lot, but there’s still a human at their initiation point too, which means they can’t help but act according to their normal behavior. That creates a pattern that is discoverable once you start to look for it. What may seem quiet as a single one-off becomes a flashing red light when you see it repeated over and over again.
By expanding the sample size and applying that innate doubt about “coincidences,” patterns begin to emerge that tell a more detailed story of activity. That’s where the SOC shines brightly. That’s a capability that I can’t replicate as a standalone organization. It’s a pattern I won’t be aware of until others start reporting it as an “anomaly” too, and by then, it’s almost too late and a compromise has occurred.
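The “same dot in multiple clusters” idea above can be made concrete as a small cross-environment correlation check. The following is an added illustration written for this page, not code from the post or from any MDR provider’s SOC tooling: the environment identifiers, the indicator names and the timestamps are all constructed sample data, and the thresholds (per-environment ceiling, minimum number of environments, seven-day window) are assumptions chosen to show the effect, not figures taken from the article. It contrasts what one organization sees (a per-environment count that never crosses an alert threshold) with what a pooled view sees (the same quiet indicator recurring across several environments inside one time window).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    env: str            # hypothetical identifier of one monitored environment
    ts: datetime
    indicator: str      # normalised observable (e.g. a command-line pattern)


@dataclass(frozen=True)
class Finding:
    indicator: str
    envs: tuple         # environments seen inside the best time window
    peak_per_env: int   # highest per-environment count (stayed under the ceiling)


_T0 = datetime(2024, 3, 1)  # constructed base timestamp

# Constructed sample telemetry: one quiet indicator trickling through five
# environments, one noisy indicator confined to a single environment, and one
# harmless one-off.
SAMPLE_EVENTS = (
    [Event(e, _T0 + timedelta(days=d), "quiet-lolbin-pattern")
     for e, d in [("envA", 0), ("envB", 2), ("envC", 3),
                  ("envA", 4), ("envD", 6), ("envE", 30)]]
    + [Event("envA", _T0 + timedelta(hours=h), "scanner-burst") for h in range(20)]
    + [Event("envA", _T0 + timedelta(days=1), "update-check")]
)


def per_env_counts(events):
    """indicator -> {env: count}: the view a single organisation has of itself."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev.indicator][ev.env] += 1
    return counts


def single_env_alerts(events, threshold=5):
    """Indicators loud enough to fire inside one environment on their own."""
    return sorted(
        ind for ind, envs in per_env_counts(events).items()
        if max(envs.values()) >= threshold
    )


def cross_env_findings(events, max_per_env=3, min_envs=3, window=timedelta(days=7)):
    """Indicators that stay at or under max_per_env everywhere (quiet in isolation)
    but recur in at least min_envs distinct environments within a sliding window."""
    by_ind = defaultdict(list)
    for ev in events:
        by_ind[ev.indicator].append(ev)

    findings = []
    for ind, evs in by_ind.items():
        per_env = Counter(ev.env for ev in evs)
        if max(per_env.values()) > max_per_env:
            continue  # noisy enough for a single environment's own rules to catch
        evs.sort(key=lambda ev: ev.ts)
        best = ()
        j = 0
        # Two-pointer sliding window: evs[i:j] holds every event within `window`
        # of evs[i]; keep the window covering the most distinct environments.
        for i in range(len(evs)):
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            envs = tuple(sorted({ev.env for ev in evs[i:j]}))
            if len(envs) > len(best):
                best = envs
        if len(best) >= min_envs:
            findings.append(Finding(ind, best, max(per_env.values())))
    return findings


if __name__ == "__main__":
    print("fires in a single environment:", single_env_alerts(SAMPLE_EVENTS))
    for f in cross_env_findings(SAMPLE_EVENTS):
        print(f"pooled view: {f.indicator} seen in {len(f.envs)} environments "
              f"{f.envs}, never more than {f.peak_per_env} times in any one")
```

With the constructed data, `single_env_alerts` only surfaces the noisy `scanner-burst`, while `cross_env_findings` surfaces `quiet-lolbin-pattern`, which never exceeds two hits in any one environment but appears in four environments within a week (the fifth sighting, a month later, falls outside the window and is deliberately not counted). The per-environment ceiling is what keeps the two views complementary: anything loud enough to trip a single environment’s own rules is left to those rules, and the pooled check spends its attention on the low-and-slow repeats the article describes.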
Read the Tales from the SOC eBook.