THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7

First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7

To make Find Evil work, you need to think of attackers as groups with motivations and goals, then frame that in the context of a process, lifecycle, or even a cyber kill chain. Seriously, this is key. 3/7

Understanding the attackers, either by individual group and/or general category is the next step. ATT&CK is a great resource for this. Use it to build a list of detections to build & deploy. 4/7

Now prepare to monitor and maintain your detection posture against these attackers and their TTPs. The reason to treat detection this way is that attackers are people. 5/7

It is incredibly rare for any attacker to abandon all of their methods, tools, and habits and start from scratch. If we can catch an attacker across all phases of the attack lifecycle at one point in time, then maintain it, 6/7

...we should be able to detect them even if they replace known tradecraft with never-before-seen tactics, because some method or habit will still persisit through that change. 7/7