Looking for fingerprints instead of footprints: A bit of honesty about the current cybersecurity landscape by Ken Bagnall


Most of us in cybersecurity have fallen into a bit of a trap. We have been taught to defend our networks by looking at the past. We rely on Indicators of Compromise (IOCs). These are things like malicious IPs or file hashes. Using them as a primary defense is not really a strategy. It is just playing catch-up.

An IOC is a record of a crime that has already happened. By the time it shows up on your screen, you are already “right of boom.” You are struggling to clean up a mess while the attacker has already achieved what they wanted. It is forensics, not defense.

The first victim problem

I have spent years seeing people deploy and then rip out overhyped technologies that promised the world and delivered nothing. IOC-based security is a bit like that. It is a reactive cycle that is actually quite grim when you look at it. For a piece of intelligence to exist in that model, someone else has to get hit first. A domain only becomes an indicator after it has been used to successfully strike a company.

While we wait for these lists of “known bad” assets to update, criminals are using automation to spin up new infrastructure in seconds. They use techniques like fast flux to rotate IPs or hide their intent behind big providers like AWS and Azure. Most security tools are essentially blind to the majority of what these groups are doing.

Why we do the hard work

When John Jensen and I built Silent Push, we knew we had to stop looking at what happened and start looking at what is being built. To do that properly, you cannot rely on third-party feeds or recycled data. You have to manage the collection and contextualization of the data yourself.

We took on the task of setting up the most aggressive data collection platform to monitor all internet infrastructure and its changing relationships, as it is the only way to get an unadulterated view of the world. We do not wait for a threat actor to hit someone. We look for the fingerprints they leave behind while they are still in the staging phase.

Finding the fingerprints

I like to think of the current cybercrime landscape as being like the era of privateers. These groups have a subtle nod from their home government to commit crimes as long as the money comes home and there are no domestic victims. But they are creatures of habit. They leave signatures in their DNS records and the way they configure their web servers.

By tracking all internet signals in one place, we can see an attack being prepared. We spot the “activation” events where a parked domain suddenly switches over to an attacker-controlled server. This gives us what we call Indicators of Future Attack (IOFA). On average, this approach provides a lead time of 104 days. That is months of warning before a strike is even launched.
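To make the "activation" event described here, and the fast-flux rotation mentioned earlier, concrete from a defender's seat, here is a small passive-DNS timeline analyser. It is example code added for this page, not Silent Push's product or method, and everything in it is an assumption or constructed: the Observation record layout, the parking-provider range (a TEST-NET block), the /24 spread used as a stand-in for network diversity, the thresholds, the sample sightings and the blocklist date used to work out a lead time.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observation:
    """One passive-DNS sighting: at `seen`, `domain` resolved to `ip` with `ttl` seconds."""
    seen: datetime
    domain: str
    ip: str
    ttl: int


# Assumed parking-provider range (constructed; TEST-NET-3, so it matches nothing real).
PARKING_RANGES = [ip_network("203.0.113.0/24")]

# Constructed sample sightings (not real data).
SAMPLE = [
    # lure domain parked for weeks, then pointed at a live host on 20 March
    Observation(datetime(2024, 1, 5), "lure-login.example", "203.0.113.10", 3600),
    Observation(datetime(2024, 2, 10), "lure-login.example", "203.0.113.10", 3600),
    Observation(datetime(2024, 3, 20, 9, 0), "lure-login.example", "198.51.100.7", 300),
    Observation(datetime(2024, 3, 21), "lure-login.example", "198.51.100.7", 300),
    # rotating host: six addresses across two /24s within one day, 60 s TTLs
    Observation(datetime(2024, 3, 1, 0), "rotate.example", "192.0.2.11", 60),
    Observation(datetime(2024, 3, 1, 3), "rotate.example", "192.0.2.12", 60),
    Observation(datetime(2024, 3, 1, 6), "rotate.example", "198.51.100.21", 60),
    Observation(datetime(2024, 3, 1, 9), "rotate.example", "192.0.2.13", 60),
    Observation(datetime(2024, 3, 1, 12), "rotate.example", "198.51.100.22", 60),
    Observation(datetime(2024, 3, 1, 15), "rotate.example", "192.0.2.14", 60),
    # ordinary corporate host: stable address, long TTL
    Observation(datetime(2024, 1, 1), "intranet.example", "198.51.100.50", 3600),
    Observation(datetime(2024, 3, 1), "intranet.example", "198.51.100.50", 3600),
]

# Constructed: the day the lure domain finally showed up on a public blocklist.
SAMPLE_IOC_PUBLISHED = datetime(2024, 4, 10, 9, 0)


def is_parked(ip: str) -> bool:
    """True when the address sits inside a known parking range."""
    addr = ip_address(ip)
    return any(addr in net for net in PARKING_RANGES)


def _by_domain(observations):
    """Group sightings per domain, oldest first."""
    groups = defaultdict(list)
    for ob in observations:
        groups[ob.domain].append(ob)
    for obs in groups.values():
        obs.sort(key=lambda o: o.seen)
    return groups


def find_activations(observations):
    """(domain, activated_at, parked_ip, live_ip) for each domain whose resolution
    first moves from a parking range to a host outside it."""
    events = []
    for domain, obs in _by_domain(observations).items():
        for prev, cur in zip(obs, obs[1:]):
            if is_parked(prev.ip) and not is_parked(cur.ip):
                events.append((domain, cur.seen, prev.ip, cur.ip))
                break
    return events


def fast_flux_candidates(observations, window=timedelta(hours=24),
                         min_ips=5, min_prefixes=2, max_ttl=300):
    """{domain: distinct_ip_count} for domains that, within any `window`, resolve to
    at least `min_ips` addresses over at least `min_prefixes` /24s with low TTLs.
    The /24 spread stands in for ASN diversity, which this example does not have."""
    flagged = {}
    for domain, obs in _by_domain(observations).items():
        low_ttl = [o for o in obs if o.ttl <= max_ttl]
        for i, start in enumerate(low_ttl):
            in_window = [o for o in low_ttl[i:] if o.seen - start.seen <= window]
            ips = {o.ip for o in in_window}
            prefixes = {ip_network(f"{o.ip}/24", strict=False) for o in in_window}
            if len(ips) >= min_ips and len(prefixes) >= min_prefixes:
                flagged[domain] = max(flagged.get(domain, 0), len(ips))
    return flagged


def lead_time_days(activated_at: datetime, ioc_published: datetime) -> int:
    """Whole days between spotting the activation and the IOC reaching a list."""
    return (ioc_published - activated_at).days


if __name__ == "__main__":
    for domain, when, parked, live in find_activations(SAMPLE):
        print(f"activation: {domain} {parked} -> {live} at {when:%Y-%m-%d %H:%M}; "
              f"{lead_time_days(when, SAMPLE_IOC_PUBLISHED)} days before the blocklist entry")
    for domain, count in fast_flux_candidates(SAMPLE).items():
        print(f"fast-flux candidate: {domain} ({count} addresses in 24h)")
```

On the sample data the lure domain is reported the moment it leaves the parking range, three weeks before the constructed blocklist date, while the stable corporate host is never flagged. In practice the parking ranges, TTL and churn thresholds would come from your own collection rather than the constants above, and the /24 check should be replaced by real ASN lookups.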

No more guesswork (it’s possible)

I have no time for tools that give you “maybe suspicious” alerts or vague probability scores. That just leads to alert fatigue and burns out your team. The focus has to be on deterministic data. It is either attacker infrastructure or it is not.

When you have that level of clarity, you do not have to guess. You see the threat actor’s intent as it is being organized and you shut it down. It is about moving away from the “first victim” model and finally staying one step ahead of them.
