Sherlock in the SOC: Leveraging Security Knowledge in a Behavior-Based Approach

“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can't unravel the thousand and first.”


This statement was made by the legendary fictional detective Sherlock Holmes in Sir Arthur Conan Doyle’s The Sign of Four, first published in 1890. Despite predating the Internet by approximately 100 years, Holmes’ unique approach to deduction holds some valuable insights for cybersecurity operations.


My recent articles have focused on the cyber kill chain and why it’s a necessary perspective for protecting against, and responding to, complex attacks. So what does the kill chain have to do with Sherlock Holmes, and this quote in particular? Well, Holmes is essentially describing a behavior-based model of analyzing an adversary’s actions to predict their next move, just like the kill chain.


“There is a Strong Family Resemblance About Misdeeds”


Behavior-based models, as opposed to the signature-based models that are found in conventional antivirus software and many other detection and prevention tools, follow Holmes’ notion that misdeeds—in this case cyberattacks—have a lot of similarities. 


The signature-based approach searches for known indicators: malicious file hashes, URLs, domains, byte patterns, and other signatures that have already been seen and catalogued. It is precise but only as good as the catalogue, so a recompiled or obfuscated tool, or a freshly registered command-and-control domain, slips past it. The behavior-based approach instead searches for patterns of activity that are highly correlated with malicious intent, regardless of which particular binary or address was used, at the cost of needing tuning to keep false positives down. This can be done via tools like user and entity behavior analytics (UEBA) or through conceptual models like the kill chain.
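The contrast between the two approaches is easiest to see on a concrete event stream. The following is an added example, not code from the original article or from any product it mentions. It runs a signature detector (a hash and address blocklist) and a behavior detector (a per-host chain of Office application spawns shell, shell connects out, shell creates persistence, each stage loosely mapped to a kill-chain phase) over a small constructed set of endpoint events. The event fields, the hashes, the addresses and the stage names are all assumptions made up for the illustration.

```python
"""Signature-based versus behavior-based detection over a constructed
endpoint event stream. Added example; not from the original article."""

from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since an arbitrary epoch (constructed)
    host: str
    kind: str        # "process", "network" or "persistence"
    parent: str      # parent of the acting process
    image: str       # acting process image name
    sha256: str      # hash of the image (constructed, truncated)
    detail: str      # command line, remote address, task name, ...


# Constructed sample telemetry: a macro-laden document spawns PowerShell,
# which beacons out and then registers a scheduled task. A second host shows
# benign admin use of PowerShell with no such chain. No hash or address here
# is a real indicator.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "ws01", "process", "explorer.exe", "winword.exe", "1a2b", "invoice.docm"),
    Event(105, "ws01", "process", "winword.exe", "powershell.exe", "3c4d", "-nop -w hidden -enc ..."),
    Event(112, "ws01", "network", "winword.exe", "powershell.exe", "3c4d", "203.0.113.10:443"),
    Event(130, "ws01", "persistence", "powershell.exe", "schtasks.exe", "5e6f", "/create /tn Updater"),
    Event(200, "ws02", "process", "cmd.exe", "powershell.exe", "3c4d", "Get-Service"),
    Event(205, "ws02", "network", "cmd.exe", "powershell.exe", "3c4d", "10.0.0.5:5985"),
]

# Signature knowledge: a blocklist of hashes and remote addresses. The
# attacker's infrastructure is deliberately absent, as it would be for a
# freshly staged campaign.
KNOWN_BAD_HASHES: Set[str] = {"dead", "beef"}
KNOWN_BAD_ADDRESSES: Set[str] = {"198.51.100.7:8080"}


def signature_detect(events: List[Event],
                     bad_hashes: Set[str] = KNOWN_BAD_HASHES,
                     bad_addresses: Set[str] = KNOWN_BAD_ADDRESSES) -> List[str]:
    """Return one alert per event that matches a known-bad indicator."""
    alerts = []
    for e in events:
        if e.sha256 in bad_hashes:
            alerts.append(f"{e.host}: known-bad hash {e.sha256} ({e.image})")
        if e.kind == "network" and e.detail in bad_addresses:
            alerts.append(f"{e.host}: connection to known-bad {e.detail}")
    return alerts


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def behavior_detect(events: List[Event], window: int = 600) -> List[Dict[str, object]]:
    """Look, per host, for a chain of behaviours that together resemble an
    intrusion whatever binary or address was used:
      1. an Office application spawns a scripting shell   (exploitation)
      2. that shell opens an outbound connection          (command and control)
      3. that shell creates a persistence mechanism       (installation)
    Later stages must follow stage 1 within `window` seconds. A lone stage 1
    is still reported, with a low score, so an odd event stays visible."""
    findings = []
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not (start.kind == "process" and start.parent in OFFICE_APPS
                    and start.image in SHELLS):
                continue
            shell = start.image
            stages = ["office_spawns_shell"]
            for later in evs[i + 1:]:
                if later.ts - start.ts > window:
                    break
                if later.kind == "network" and later.image == shell:
                    if "shell_network_connection" not in stages:
                        stages.append("shell_network_connection")
                elif later.kind == "persistence" and later.parent == shell:
                    if "shell_creates_persistence" not in stages:
                        stages.append("shell_creates_persistence")
            findings.append({"host": host, "first_ts": start.ts,
                             "stages": stages, "score": len(stages)})
    return findings


if __name__ == "__main__":
    print("signature alerts:", signature_detect(SAMPLE_EVENTS))
    for finding in behavior_detect(SAMPLE_EVENTS):
        print("behavior finding:", finding)
```

Run as-is, the signature detector returns nothing because none of the constructed hashes or addresses are on its blocklist, while the behavior detector reports a three-stage chain on ws01 and stays silent on ws02, where PowerShell was launched from a console rather than from an Office document. Adding the beacon address to the blocklist afterwards is exactly the catalogue-maintenance step the signature approach depends on; the behavior rule needed no such update.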


A kill chain framework, such as the MITRE ATT&CK matrix, which uses a knowledgeb ..
