top of page
Search

What Happens If an Attacker Never Makes a Mistake?

  • Mar 27
  • 3 min read

The most dangerous attacks do not look like attacks

We like to believe attacks are loud. Failed logins, SIEM alerts, and malware detections are what most analysts are trained to look for. But the most dangerous attackers generate none of that. There are no failed logins, no alerts, and no obvious anomalies. From the system’s perspective, everything is working exactly as expected.


The broken assumption

Most detection strategies rely on one core idea: malicious activity will look different. This works against noisy attackers, but it fails against disciplined ones. A skilled attacker does not try to look malicious. They focus on blending into normal behavior.


Silent access

The entry point can be invisible. There is no brute force or exploit. Credentials are obtained through phishing, reuse, or previous leaks, and authentication succeeds immediately. In the logs, it is just another valid login from a legitimate user.


What it looks like in practice

In the screenshots below, we can observe activity that, at first glance, appears completely normal. A user named HR_specialist successfully logs into a system. There are no failed attempts, no alerts, and no obvious anomalies. However, when we introduce context, the picture changes.




This user typically logs only into their assigned workstation (HR-Laptop). In this case, however, they accessed a Production Server, a system that is normally used exclusively by developers and technical staff.

Individually, each action remains valid. The login is successful, the credentials are correct, and no rule is violated. But it is not expected behavior.


Shortly after, another event is recorded as shown below.



The same user executes the whoami command. On its own, this is a completely legitimate and commonly used command. It does not indicate malicious activity and would not trigger traditional detection rules.

However, when we analyze historical behavior, we see that this command is typically executed by administrators, not HR users.


There are:

  • no spikes

  • no failed logins

  • no known malicious signatures

  • no rule violations

Every single action is valid in isolation.

But together, they form a pattern that does not align with the user’s normal behavior:

  • first-time access to a sensitive system

  • execution of an administrative-type command

  • deviation from established usage patterns

This is exactly where behavioral detection becomes critical.



How a typical SOC detects

A typical SOC builds detections around what is clearly wrong. This usually means rules based on failed logins, known malicious signatures, predefined thresholds, or obvious anomalies. SIEM platforms are optimized to answer questions like: “Did something break?”, “Did something match a known attack pattern?”, or “Did a threshold get exceeded?”

This approach works well when attackers are noisy or careless. But it assumes the attacker will eventually trigger something unusual. If nothing breaks, nothing gets flagged.


What CyberSift does differently

Instead of asking whether something is malicious, we ask whether it is expected. A login is normal, PowerShell is normal, and accessing internal systems is normal, but not for every user, not in every context, and not in every pattern.

To achieve this, we build dedicated behavioral rules tailored to each client environment. We continuously learn how users operate, what privileges their accounts have, how administrators typically behave, and where logins usually originate from. This allows us to understand not just activity, but intent within context.

On top of that, we generate a large number of “first-time seen” detections. First time a user accesses a system, first time a tool is used, first time a login appears from a new location, or first time a new type of action is performed and many more. Individually, these are not malicious. But they highlight changes that would otherwise go unnoticed.

Importantly, this does not replace traditional detections - it sits on top of them. We still rely on standard SIEM rules, signatures, and known attack patterns. But behavioral detection fills the gap where everything looks valid, yet something no longer fits.

Over time, this approach allows subtle deviations to become visible, even when no single event is strong enough to trigger an alert on its own.


We are not only detecting attacks. We are detecting when reality no longer matches expectation.

Where detection actually happens

Detection does not happen at the level of individual events. It happens in patterns and relationships over time. A new tool, a new system, or a new sequence of actions may seem insignificant on its own. But together, they form behavior that no longer aligns with what has historically been observed.


Final thought

The most dangerous attacker does not generate noise.

They follow the rules, produce clean logs, and blend into the environment. They look exactly like a normal user, but they operate in the wrong context. And that is the only place where you will ever find them. -Written by Andy Urlep, Security Analyst, CyberSift


Comments

bottom of page