The common quip “Attackers Advantage, Defender’s Dilemma” describes how an attacker must only find one way in, and the defender must plug every hole - and it gets one thing majorly wrong.

Once the attacker has a foothold, the asymmetry is reversed and the attacker must not raise a single eyebrow whilst the defenders must only discover and investigate a single abnormality.

Not only can organization build standard security detection systems that look for known-bad, they can also deploy (often quite elaborate) deception systems that intentionally entice an attacker, and on top of that they have the most potent of detection systems: engineers trying to get their damn jobs done.

From the xz utils backdoor to hundreds of other examples, it’s often the abnormality of what an attacker is trying to accomplish that pushes on the envelope of normal system behavior and starts impacting systems in a way which inspire engineers to dive deep into root causes and discover the malice.

This is why living off the land and keeping up the appearance of a compromised identity just doing a regular 9-5 job is so critical for an attacker to fly under the radar. But surely there will be a point where the attacker is doing so much to appear like a regular employee, they must be tempted to flick their CV over LinkedIn and just get a damn job?

Ever get that eerie and deeply uncomfortable feeling someone is watching your every move? As a defender, you’re on our turf now. And we are watching.