Detection Using Indirect Observation and Indicators of Consequent
The concept of Indicators of Consequent is something familiar to some, but impacts detection engineering efforts in a way that I think requires a level of formality by adding this to our collective understanding of detection. I’ll introduce the subject with a metaphor of planetary discovery. In the 1840’s, astronomers observed anomalies on the orbit of Uranus indicative of the planet being interacted upon by the gravitational pull of a large and previously unknown planetary body. Neptune, a planet that can’t be seen without a telescope and happens to orbit a cool billion miles farther from the sun than Uranus, was discovered because people knew to look for it due to the impact its presence had on the environment.
Adversaries Can’t Break the Laws of Physics
Indicators of Consequent are the ripple effect of an entity’s existence. If you throw a rock into a pond, you’ll see concentric circles expanding from the point the rock interacted with the surface. Understanding this phenomenon and having the ability to monitor wave action on the pond will enable detection if another object interacts with the surface of the pond in the future, and further, allow you to pinpoint where that interaction occurred. This becomes important because the decision to develop and/or deploy a security control must factor cost to acquire and maintain the capability, while balancing the impact on the environment as I identified in this earlier blog. There are certain threats that may or may not be likely enough to build custom detections for, or economically feasible to defend against. To this end, Indicators of Consequent act as mitigating factors or controls within your environment.
So, if a tree falls in the woods and nobody hears it…
The first time this concept was introduced to me it was in the context of firmware rootkits. Being compromised in a manner that can survive an operating system reimage is rightly terrifying, but it still requires an adversary to have compromised an endpoint undetected, modified BIOS or the GUID partition table, and then after all that happened, without a communication channel it’s hard to realize impact. Due to the low frequency this technique is seen in the wild, I’d argue there are more economically impactful defenses that could be leveraged, and this nightmarish scenario only becomes nightmarish if you don’t have sufficient monitoring in place *in your environment* to hear it.