https://twitter.com/SecurePeacock/status/1486156096259637250?s=20
So I wanted to respond to this post which starts "If someone exploits an 0day they still have to setup C2 - this is where TTPs are generated that Blue Teams can win against". And I think for the past year I've gone on a huge journey of discovery, annoying my Cyber Threat Intelligence friends to no end as I ask annoying questions like "After you put some random non-googlable name up, like PLATINUM, can you just add a little flag so I know what country you're talking about?"
(Argh. The whole point of codenames is they are UNIQUE and easy to search for. This is like naming your OS "Windows" I guess.)
Anyways, imagine if seventeenth century biologists were reporting to the newly established Royal Society and they were talking about counting all the animals and doing studies on animals and of course what they used to do that were the various animals that kings and whatnot had gotten stuffed and sent to them. I feel like you would find out that almost all animals had fur and were easily shot by muskets or stabbed with spears! I guess my point here being: Cyber Threat Intelligence is in a very hard place right now, despite soaring revenues and many exciting trophies on the wall.
What you hear, over and over again, is that yes, detecting exploitation is hard, but you will be able to detect "lateral movement" and see the command and control traffic, and when attackers need to "accomplish their mission" they will therefore be detectable. And this is true - for some missions, and for some operational concepts that accomplish those missions. But we fail when we don't consider other operational concepts and other missions. Apparently we call the many reasons we fail to turn data into warnings and then into action: "pathologies".
Good marketing from XDR companies is a pathology in this space. And that pathology goes to the highest levels - when we have leaders in govt say "We don't see any serious Log4J exploitation" we have to think "Wait, we have almost no visibility for Unix targets though". Even when we have the right telemetry, we don't have the right analysis.
I like to probe our pathologies with annoying questions:
- What percentage of worms do we see?
- What happens when people don't use a C2 but just drop an implant?
- Who are the hacker groups focusing only on Unix?
- What percentage of 0day do we really even find?
- Are we looking only at our adversary's actions, or also our own to make trendlines?
But more than that, we are not self-conscious in the way that we should be about our own analytical pathologies. This is because our academic structure for peer review and everything else in this space is pretty busted. Anyways, there's more to the world out there than just lions and antelope and espionage RATs. To see the really interesting things you need a microscope, and the kind of eyes that want to squint through the lenses of microscopes we haven't even built yet.
-dave