Every attack described in this track passes through a network. In theory, defenders have complete visibility. In practice, defenders miss most attacks until well after the fact. This module closes the Network Mindset track by explaining why network detection underperforms its promise — and what the mature programs actually do.

Why this happens

Network detection is hard for structural reasons:

Encryption dominates. ~95% of outbound traffic is HTTPS. Inline inspection requires TLS interception, which has collateral costs. Without interception, you see domain + volume + JA3 — not content.
Volume overwhelms. Mid-size enterprise: 100s of GB of log data daily. Real attacks are 0.01% of that. Finding them requires precise queries + good detections.
Baseline drift. “Normal” changes constantly. New SaaS integration, new vendor, new employee traveling — each shifts the distribution.
False positives exhaust analysts. Generic rules fire on legitimate behavior; analysts disable or ignore. After a few weeks, the detection exists but nobody responds.
Attackers blend with legitimate tools. Living-off-the-land binaries (LOLBAS) — attackers use tools already on the system. Process + connection look normal; intent is malicious.
Time-to-detection measured in months. Industry average dwell time (M-Trends, Mandiant) was 10 days in 2023 but often extends to months for sophisticated attackers who actively avoid detection.

Modern detection stack (what actually works)

# Layer 1: Network flow / packet data
# - Zeek (formerly Bro) for protocol parsing + behavior
# - Suricata for signature-based IDS
# - Full packet capture at high-value points (egress, DMZ)

# Layer 2: Endpoint detection
# - CrowdStrike, SentinelOne, Microsoft Defender, Elastic Defend
# - Process + network + file events from every host
# - Correlates local process with outbound connection

# Layer 3: Identity + cloud
# - Entra ID / Okta / auth0 sign-in logs
# - Cloud provider audit (CloudTrail, Azure Activity, GCP)
# - SaaS API logs (GitHub, Slack, Salesforce)

# Layer 4: SIEM for correlation
# - Microsoft Sentinel / Splunk / Elastic / Chronicle
# - Detections in Sigma / KQL / SPL
# - Correlated across sources

# Layer 5: Threat intel integration
# - VirusTotal / CrowdStrike Intel / Recorded Future
# - IOC enrichment (domain reputation, IP history, file hashes)
# - TTP matching (MITRE ATT&CK mappings)

What mature detection looks like for specific attacks

Cobalt Strike C2 beacon

Beaconing pattern: periodic calls home. Detection signals:

JA3/JA4 TLS fingerprint matches known Cobalt Strike library
Periodic connections to a domain with regular intervals (60s ± 12s jitter)
Domain registered within last 90 days
Process: PowerShell, rundll32, or injected into signed binary
Parent process: Office document (Word → rundll32 → beacon)
EDR detection: reflective DLL injection, unbacked executable memory
SIEM rule: Sigma rule T1071.001 Cobalt Strike beacon

Any single signal = investigate. Multiple signals correlated = high confidence.

Kerberoasting

Windows Event 4769 (TGS request) for multiple different service accounts from one user in short time
Requested encryption type RC4 (attacker often prefers this for faster offline crack)
Service account for the TGS request isn’t one the requester normally interacts with
Source IP is unusual for that user (workstation not server)

Lateral movement via PsExec

Event 7045 (service installed) with unusual service name on many hosts
Event 4624 (logon type 3) from same source to multiple destinations quickly
Network connection to port 445 from a workstation to many servers
EDR sees suspicious PsExec binary invocation

Credential dump (Mimikatz)

Event 4656 access to LSASS from unexpected process
Specific API sequence (OpenProcess + MiniDumpWriteDump against lsass.exe)
EDR detects Mimikatz signatures or behavioural patterns
LSASS protected-process-light (PPL) blocks most userland attempts

The telemetry gap

Every detection above requires specific log sources. Organizations often have gaps:

No Sysmon / equivalent. Default Windows logging doesn’t capture parent-child process relationships. Without Sysmon or EDR, investigating “what spawned this?” is blind.
No DNS logging. Internal DNS resolver exists but queries not forwarded to SIEM. Entire class of attacks invisible.
No full packet capture at egress. When investigating an incident, can’t retrospectively see what an attacker’s malware communicated.
Cloud log retention 30 days. Dwell time is often longer than retention. Investigation goes cold at the data boundary.
EDR not deployed on servers. Workstations covered, servers not. Attackers move to servers immediately.
MacOS / Linux poorly covered. Heterogeneous fleets = heterogeneous coverage.

The detection-engineering discipline

Building working detections is its own specialty:

Hypothesis: “If attacker X does TTP Y, we’d see pattern P in logs Q”
Data check: Do we actually have logs Q? If not, fix first.
Write rule: Sigma rule or native SIEM query
Tune: Run in alert-only mode for 1-2 weeks. Collect TP/FP. Adjust filters until TP rate above 20%.
Promote: Move to production with runbook for analysts
Monitor: Track fire rate + TP rate monthly
Retire or refactor if zero TPs in 6 months

Detection-as-code: store rules in Git, CI tests conversion + staging data, deploy via API. Same rigor as application code.

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 29% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

7 more sections locked below

Module 10 · Why Network Detection Underperforms 🔒