Detection Using Indirect Observation and Indicators of Consequent

Concentric ripples on a pond showing interaction with the surface of the water.
Photo by Snappy Shutters on Unsplash

The concept of Indicators of Consequent is something familiar to some, but impacts detection engineering efforts in a way that I think requires a level of formality by adding this to our collective understanding of detection. I’ll introduce the subject with a metaphor of planetary discovery. In the 1840’s, astronomers observed anomalies on the orbit of Uranus indicative of the planet being interacted upon by the gravitational pull of a large and previously unknown planetary body. Neptune, a planet that can’t be seen without a telescope and happens to orbit a cool billion miles farther from the sun than Uranus, was discovered because people knew to look for it due to the impact its presence had on the environment.

Adversaries Can’t Break the Laws of Physics

Indicators of Consequent are the ripple effect of an entity’s existence. If you throw a rock into a pond, you’ll see concentric circles expanding from the point the rock interacted with the surface. Understanding this phenomenon and having the ability to monitor wave action on the pond will enable detection if another object interacts with the surface of the pond in the future, and further, allow you to pinpoint where that interaction occurred. This becomes important because the decision to develop and/or deploy a security control must factor cost to acquire and maintain the capability, while balancing the impact on the environment as I identified in this earlier blog. There are certain threats that may or may not be likely enough to build custom detections for, or economically feasible to defend against. To this end, Indicators of Consequent act as mitigating factors or controls within your environment.

So, if a tree falls in the woods and nobody hears it…

The first time this concept was introduced to me it was in the context of firmware rootkits. Being compromised in a manner that can survive an operating system reimage is rightly terrifying, but it still requires an adversary to have compromised an endpoint undetected, modified BIOS or the GUID partition table, and then after all that happened, without a communication channel it’s hard to realize impact. Due to the low frequency this technique is seen in the wild, I’d argue there are more economically impactful defenses that could be leveraged, and this nightmarish scenario only becomes nightmarish if you don’t have sufficient monitoring in place *in your environment* to hear it.




Perspectives on how people, processes, and technology come together for effective threat mitigation, by a recovering cybersecurity industry analyst.

Recommended from Medium

How Social Media Usage Determines our Individual Security

CyberEd #7 Types of Security Operation Centers (SOC)

Lillee Jean — Cyberbullying Accountability + Artificial Intelligence Training ( Bullyish, 2021)


Half of All Unemployment Money was Stolen by Criminals during Pandemic as Microsoft Announces…

OWASP Top 10 — What Do They Mean?

How we create and handle the non-custodial in-app 2key Wallet

{UPDATE} PapiWall Hack Free Resources Generator

How i find (CORS) cross-origin resource sharing misconfiguration

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Josh Zelonis

Josh Zelonis

Josh Zelonis is a Director of Security Strategy for Palo Alto Networks, a former Forrester analyst and cybersecurity tech founder.

More from Medium

Okta proves why supply chain risk management matters

LOLBINed — F-Secure Support Tool (FSDIAG)

Threat Detection Quality Checklist For Any Organization

Bypassing Access Mask Auditing Strategies