Comprehensive detection means we should focus our efforts on the parts of an attack that provide the most substantial return on investment (this is the principle that some techniques should only be detected opportunistically). Intuitively, that is the "middle" of the attack.

In the heatmap below, the attack path usually flows left-to-right. (Image source)

Attackers collect background data, gain initial access, establish a persistent foothold, gain privileges, conduct internal reconnaissance, and then try to achieve their objectives. Detecting Impact (during or after the objective is successfully accomplished) is too late to be meaningful[1], and detecting Execution is nearly impossible because attacker payloads and methods vary so widely. Organizations should therefore focus detection on the phases in between, where the attacker is gradually exploring the environment and preparing to achieve their objective.

Many trusted cybersecurity professionals have observed that the defender needs to be able to detect the attack before the attacker’s goals are fully realized, and that the defender has many opportunities to find the attacker before that point.

Since we can afford to concede the early stages of the attack, and since we must detect before Impact, we should focus on the techniques in the middle of the attack.

Footnotes

  1. Unless the detection drives automatic prevention or response, which it usually does not in a SOC (though it may in a vendor product).