
Sherlock in the SOC: Leveraging Security Knowledge in a Behavior-Based Approach

“There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can’t unravel the thousand and first.”

This statement was made by the legendary fictional detective Sherlock Holmes in Sir Arthur Conan Doyle’s The Sign of Four, first published in 1890. Despite predating the Internet by approximately 100 years, Holmes’ unique approach to deduction holds some valuable insights for cybersecurity operations.

My recent articles have focused on the cyber kill chain and why it’s a necessary perspective for protecting against, and responding to, complex attacks. So what does the kill chain have to do with Sherlock Holmes, and this quote in particular? Well, Holmes is essentially describing a behavior-based model of analyzing an adversary’s actions to predict their next move, just like the kill chain.

“There is a Strong Family Resemblance About Misdeeds”

Behavior-based models, as opposed to the signature-based models that are found in conventional antivirus software and many other detection and prevention tools, follow Holmes’ notion that misdeeds—in this case cyberattacks—have a lot of similarities. 

The signature-based approach is to search for known malicious files, hashes, URLs, and other signatures. The behavior-based approach, on the other hand, is to search for patterns of behavior that are highly correlated with malicious activity. This can be done via tools like user and entity behavior analytics (UEBA) or through conceptual models like the kill chain.

A kill chain framework, such as the MITRE ATT&CK matrix, which draws on a knowledge base of thousands of real cyberattacks, breaks down those similarities to predict the likely steps an adversary will take—the modern equivalent of using the details of a thousand misdeeds to anticipate the thousand-and-first.

“You See, But You Do Not Observe”

In the spirit of Sherlock Holmes, let’s use the analogy of a crime in the physical world to illustrate the value of this approach. Imagine that a detective comes across a broken window, sees someone running in the opposite direction, and upon looking in the window, hears a person inside shout that their phone and wallet are missing. It should be obvious to the detective that a robbery has taken place. 

While this is a very simplistic example, it’s only obvious that a crime has occurred because of the detective’s knowledge of the steps that a robbery is likely to follow (a real-world kill chain). If the detective saw each piece of the crime separately, and was unable to make correlations, there would be many plausible explanations for the scene that wouldn’t suggest a robbery. The window could have been broken accidentally by kids kicking a soccer ball; the person running might just be out for a jog; and people misplace their phones and wallets all the time. Nothing suspicious going on here!

As absurd as it may sound, this is where many security teams are stuck: treating every security event separately, with minimal ability to view the context of the attack or the connections between related events. To paraphrase Holmes himself, they see, but they do not observe.
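The difference between seeing and observing can be made concrete in code. The following is an added example, not from the article or any vendor: a signature check that looks only for catalogued indicators, beside a behavior-based correlator that flags a host only when a hypothetical three-stage kill chain (names, hosts, timestamps and window are all constructed for illustration) appears in order within a time window. Each sample event on its own is as innocent as the broken window or the jogger; only the correlated sequence is a robbery.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not from the article: (ISO timestamp, host, event type).
# Each event on its own has an innocent explanation, like the broken window or the jogger.
SAMPLE_EVENTS = [
    ("2024-03-01T02:03:10", "ws-17", "phishing_attachment_opened"),
    ("2024-03-01T02:03:40", "ws-17", "office_spawned_powershell"),
    ("2024-03-01T02:04:05", "ws-17", "outbound_to_new_domain"),
    ("2024-03-01T09:15:00", "ws-22", "office_spawned_powershell"),
    ("2024-03-01T14:20:00", "ws-22", "outbound_to_new_domain"),
]

# Hypothetical kill-chain stages, in the order an intrusion would produce them.
KILL_CHAIN = ["phishing_attachment_opened", "office_spawned_powershell", "outbound_to_new_domain"]
WINDOW = timedelta(minutes=10)  # all stages must land inside this window to count as one chain

# Constructed signature list: this attack uses nothing previously catalogued as bad.
KNOWN_BAD = {"known_malware_hash_seen"}

def signature_hits(events, known_bad=KNOWN_BAD):
    """Signature view: flag only events that match a catalogued indicator."""
    return [e for e in events if e[2] in known_bad]

def behavior_hits(events, chain=KILL_CHAIN, window=WINDOW):
    """Behavior view: (host, first, last) once every stage occurs in order within the window."""
    per_host = defaultdict(list)
    for ts, host, kind in events:
        per_host[host].append((datetime.fromisoformat(ts), kind))
    alerts = []
    for host, evs in per_host.items():
        evs.sort()  # correlate in time order, per host
        progress, first_seen = 0, None
        for ts, kind in evs:
            if first_seen is not None and ts - first_seen > window:
                progress, first_seen = 0, None  # chain went stale: start over
            if kind == chain[progress]:
                first_seen = first_seen or ts  # remember when this chain began
                progress += 1
                if progress == len(chain):
                    alerts.append((host, first_seen.isoformat(), ts.isoformat()))
                    progress, first_seen = 0, None
    return alerts

if __name__ == "__main__":
    print("signature:", signature_hits(SAMPLE_EVENTS))  # nothing catalogued matches
    print("behavior: ", behavior_hits(SAMPLE_EVENTS))   # ws-17 completes the chain
```

Host ws-22 shows two of the three stages, out of order and hours apart, so the correlator treats them as the red herrings they are; the window and stage order are the analyst's knowledge of how a robbery unfolds, encoded.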

“The Art of Detection”

Security analysts are the detectives of cybersecurity, each with a wealth of knowledge built up on the job. If you give them the tools they need to see the whole picture, they’ll have a much better chance of identifying suspicious activity. The behavior-based approach is all about leveraging this knowledge, instead of obstructing it. In the case of MITRE ATT&CK, it goes a step further and actually builds the collective expertise of the security industry into the framework, allowing security teams to vastly enhance their own knowledge.

Kill chains and other frameworks are just one way to take a behavior-based approach to cybersecurity. By integrating data from across your security tools, you can also add valuable information about the geographical location, time of day, user role, network activity, and other data associated with events to highlight anomalous actions.

By combining all the information that you have at your fingertips and analyzing it not just through signature-based methods, but also a behavior-based perspective, you give yourself a magnifying glass with which to focus on evidence of advanced attacks, while ignoring red herrings. Or, in the eloquent words of Sherlock Holmes: “It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital. Otherwise your energy and attention must be dissipated instead of being concentrated.”
