Key Shifts in the Defender's Perspective
Introduction: The Illusion of 100% Prevention and the Need for a Mindset Shift
For a long time, the core objective of cybersecurity has been to keep every single threat out. Building high walls—by implementing strict firewall policies, deploying multiple security solutions, and continuously patching known vulnerabilities—has cemented this "prevention-centric" strategy as the defender's primary mission.
However, handling and analyzing countless incident response (IR) cases in the field makes it painfully clear that the goal of "100% prevention" is rapidly becoming an unattainable illusion.
Today's IT environments are no longer confined to closed internal networks. Cloud migrations, the normalization of remote work, and a complex web of third-party solutions have expanded the attack surface far beyond what defenders traditionally had to monitor and protect. We are now fighting an extremely asymmetric war: defenders must secure tens of thousands of defense lines without a single flaw, while attackers only need to find one vulnerability to breach the perimeter.
We must now accept the uncomfortable truth that it is impossible to perfectly block every external attack. The modern security paradigm has already shifted from "how do we completely prevent intrusions?" to the "Assume Breach" mentality—a realistic premise acknowledging that defenses will inevitably be compromised.
The new perspective required of defenders means we can no longer afford to fixate solely on keeping adversaries outside our infrastructure. We must acknowledge that threats will cross the walls and shift our focus to controlling the situation after they do. True defensive success is no longer defined as "allowing zero intrusions," but rather as "disrupting attackers before they can achieve their ultimate objective (Impact)—such as data exfiltration or system destruction—even if they manage to set foot inside the network."
So, why are we experiencing such profound limitations in blocking the very first step—Initial Access? And why is it becoming increasingly difficult to fully reconstruct an incident based solely on residual artifacts? In the following sections, we will examine the realities of modern, evolving threats and explore the new critical areas where defenders must truly focus their efforts.
Part 1: Initial Access Beyond Our Control
The most painfully clear reality in cybersecurity practice today is that completely preventing Initial Access from the outside is now beyond human control. The layered defense lines surrounding our systems have been rendered ineffective by several critical shifts that have vastly outpaced the defender's speed and control.
AI Weaponization: Shattering the Defender's Response Window
The most significant threat is that the full-scale adoption of AI in cyberattacks has pushed the speed and sophistication of these attacks beyond imagination. In the past, even when a new vulnerability (CVE) was discovered, it took time for attackers to analyze and weaponize it, granting defenders at least a minimal window of time to apply patches.
However, the emergence of hacking-specialized AI models—such as Anthropic's recently unveiled 'Mythos'—has completely shattered this defensive timeline. These AIs not only scan a target's Attack Surface to autonomously discover vulnerabilities, but they also automatically generate and execute exploits to take over systems within mere hours, entirely without human intervention. In a reality where vulnerabilities are weaponized the very moment they are discovered, the traditional pace of a security team identifying a flaw and scheduling a regular patch simply cannot keep up with automated AI attacks.
The Limits of Defending Against Social Engineering
Furthermore, consider the AI-generated phishing and social engineering attacks. Gone are the days of awkward translations and clumsy attachments. Attackers now perfectly learn the target company's actual business context, internal jargon, and even the social media activity of specific employees to churn out emails that look "more real than reality."
No matter how excellent your security appliances are, there is no technical way to completely block an authorized insider, fully deceived, from clicking a malicious link or executing a file disguised as a legitimate document. Against attacks targeting human psychology and inevitable mistakes, every security solution has clear and distinct limitations.
Supply Chain Attacks: Weaponizing Trust
Finally, the most devastating blow comes from Supply Chain Attacks, which infiltrate networks via the "trust-based links" we rely on daily. Attackers no longer bother struggling to knock down the heavily firewalled front doors of their target organizations.
Recent incidents, such as the Axios package contamination and the LiteLLM dependency hijacking (a critical component in AI development), perfectly illustrate this tactic. Attackers subtly inject malicious code into open-source repositories or third-party libraries that developers use routinely. The moment a developer enters a standard module update command as usual, the malicious code establishes a foothold deep within the internal network, bypassing security appliances without triggering a single alert.
Ultimately, no matter how solidly you fortify your internal systems, it is impossible to simultaneously control external third-party contamination, unavoidable human error, and the overwhelming speed of AI attacks. This is precisely why we must abandon a defense strategy fixated solely on "not being breached" and begin embracing a new perspective.
Part 2: Erased Footprints and the Dilemma of Reconstructing the Full Scope of Activity
Attackers who somehow manage to set foot inside an internal network no longer operate as loudly as they did in the past. When deployed to an incident response (IR) engagement and sifting through mountains of data, the single most frustrating pain point for defenders is this absolute "absence of traces."
Fileless Attacks Bypassing the Disk and the Practical Limits of Memory Acquisition
Recent advanced threats treat fileless techniques—which operate by injecting payloads directly into memory rather than dropping traditional malicious files (e.g., .exe, .dll) onto the disk—as a default option. Without physical files, conventional disk-based security solutions and traditional post-incident forensics are rendered useless.
Ultimately, the only remaining option is to directly analyze volatile data, namely the system's memory. However, in the field, this presents another massive hurdle. Taking a full memory dump can cause fatal system freezes or severe service degradation, particularly in high-capacity database environments where uninterrupted service is critical, or on core Linux operational servers. From a business continuity standpoint, merely securing management approval for this operation is exceedingly difficult. While critical time slips away during these lengthy coordination processes, the invaluable clues residing in memory simply evaporate into thin air.
The Perfect Camouflage of Legitimate Tools: Exploiting LOTL (Living off the Land) Techniques
The LOTL (Living off the Land) strategy, where attackers use legitimate, pre-installed system utilities as weapons instead of importing separate hacking tools, is another major factor blinding defenders. Attackers hijack tools routinely used by actual IT administrators and the OS itself, such as PowerShell, WMI, or basic shell commands.
In these scenarios, superficial execution logs look exactly like "normal process behavior." To determine whether a tool was executed for routine maintenance or for malicious Lateral Movement—in other words, to figure out what it actually did—defenders are forced to dig deep into secondary system artifacts.
Anti-Forensics by State-Sponsored Threat Actors
Attackers, however, are already well aware that defenders will come looking for these artifacts. State-sponsored threat groups, particularly those linked to North Korea, frequently deploy dedicated anti-forensic tools or scripts to sever the defender's trail once their objective is achieved or if they detect defensive monitoring. They deliberately target and corrupt the core system logs and artifacts that defenders rely on, making investigation incredibly arduous.
Self-Deletion: Malware That Vanishes Upon Achieving Its Goal
In a slightly different vein from anti-forensic utilities, the behavioral mechanism of modern malware itself is often what leaves defenders in the dark. Today's malware doesn't even need external scripts or tools; it comes equipped with built-in self-deletion capabilities. Once it achieves its ultimate objective—whether that's seizing control of the internal network or exfiltrating data—it completely wipes itself from the system. Because the malicious file vanishes after its job is done, responders arriving at the scene lose any opportunity to analyze the original payload.
The Need for Real-Time Visibility
Consequently, when incident responders arrive late to the scene, all that remains are empty PCs and servers devoid of both the malware payload and the system artifacts needed to track its activity. Reconstructing the attacker's full scope of activity based solely on post-incident data has become virtually impossible.
To overcome this seemingly hopeless situation, the industry often advocates for the adoption of EDR (Endpoint Detection and Response) solutions. It is undeniably true that EDR is an excellent, highly effective tool for tracking process and memory behaviors at the endpoint level. However, this does not mean that organizations must unconditionally rush to purchase expensive commercial EDR tools for defense.
Whether you utilize a commercial EDR platform or build an in-house log pipeline sending data to a corporate SIEM using free tools like Sysmon, the specific form of the tool is secondary.
The true core of modern defense is not the shell of a commercial solution, but rather establishing a comprehensive architecture of "Real-time Visibility." Organizations must have a system capable of monitoring the traces of process executions, memory manipulations, and anomalous communications occurring on endpoints and servers before those footprints evaporate.
Part 3: The Post-Intrusion Kill Chain and the Dilemma of Behavior Identification
As discussed earlier, the reality in the field is that perfectly blocking initial access and conducting post-incident analysis with compromised artifacts are becoming increasingly difficult. This naturally leads defenders to a single, overarching question: "Once an attacker breaches the network, how do we disrupt the intermediate stages before they achieve their final objective?"
Behavior-Based Detection and the Dilemma of Legitimate Activity
Since simply blocking malicious IPs or hash values (Indicators of Compromise, IoCs) has clear limitations, defenders must now monitor the attacker's "dynamic behavior" itself and use it as the criterion for prevention. However, establishing these criteria in practice is much easier said than done.
This dilemma arises not only because of the attackers' clever camouflage tactics, such as the previously mentioned LOTL techniques. The more fundamental cause is that today's corporate IT environments are incredibly complex, and the spectrum of "normal operations" performed by internal employees and system administrators is virtually infinite.
Looking at real-world operations, developers frequently download and execute external scripts of unclear origin for testing purposes. IT administrators might use PowerShell to simultaneously connect to multiple servers and modify deep system configurations for emergency troubleshooting. Alternatively, a routine solution update process might autonomously make massive modifications to the registry. When viewing these single events or behavioral trajectories in isolation, such legitimate business logic looks alarmingly similar to an attacker's malicious Privilege Escalation or Lateral Movement.
Consequently, what happens if we indiscriminately enforce strict, behavior-based blocking policies? It leads to massive outages that halt actual IT maintenance work and core business processes. We cannot afford to choke the life out of our own business merely to chase out an attacker.
Breaking Free from the "Solution Illusion" and Establishing Custom Baselines
To grasp the context amidst this noise, the security industry has recently been actively adopting Machine Learning (ML)-based detection capabilities and AI-driven automated analysis. These algorithms learn from massive amounts of endpoint behavioral data to score subtle anomalous activities.
However, the real task for practitioners is to break free from the illusion that "deploying an advanced EDR or AI solution will automatically block everything." Simply spending money on expensive EDR does not magically resolve the complex dilemma of behavior identification in the field. Even the brilliant algorithms provided by vendors cannot perfectly understand your company's unique IT environment and business specificities; if left untuned, they will only unleash a flood of false positive alerts.
Ultimately, what matters most is not which solution you use, but rather the defender-driven effort to determine: "How will we carve out the baselines and custom policies that distinguish legitimate from malicious activity for our specific organization?"
Tools are merely a means to broaden our visibility. Whether using a commercial solution or building a pipeline by integrating open-source tools with an in-house SIEM, the true core is accurately understanding the context of your own environment. This requires a rigorous process of setting your own unique detection thresholds—by identifying normal operational patterns within the corporate management network and leveraging reliable threat intelligence indicators.
In an era where initial access must be assumed and traces are easily erased, the most realistic and heavy burden defenders must bear is precisely this: achieving "a perfect understanding and control over our own environment."
Conclusion: Reflections on the Defender’s Path Amidst the Winds of Change
To summarize the discussions so far, the time has truly come to let go of the outdated paradigm of "perfect prevention." In the face of advanced AI weaponization and normalized supply chain attacks, preventing 100% of initial access is nearly impossible. Furthermore, the difficulty of post-incident analysis—which now relies on compromised artifacts left behind by self-erasing threats—has skyrocketed.
As a result, we as defenders naturally face two weighty questions.
First, "How do we identify and disrupt the actions of an attacker who has already breached the network?" We need to maintain an open mind as we consider how to understand our organization's unique business context amidst a sea of noise, and how to establish our own customized criteria for distinguishing between normal and malicious behavior.
Second, "What must we prepare in advance for post-incident analysis, which is becoming increasingly difficult?" No matter how thoroughly traces are erased or how difficult the analysis becomes, we cannot simply give up on identifying the cause of an incident. If we fail to accurately pinpoint and mitigate the Root Cause, we will inevitably, and helplessly, suffer the exact same second and third breaches. Determining what systems and infrastructure must be established in advance to ensure proper root cause analysis—such as forwarding and preserving core artifacts and logs to a secure central server in real-time before attackers can wipe them using anti-forensics—is another core assignment we must deeply ponder.
I have simply outlined the thoughts and struggles that have recently come to mind while working in the field. I am not sure if this will be of any help, but I hope it provides some value to those wrestling with similar dilemmas.
Fierce winds of change are currently blowing through the security ecosystem. As the technological paradigm rapidly shifts, it feels like a time when entirely new, unprecedented challenges are endlessly emerging for both attackers and defenders. To all the security practitioners out there fighting every day in this turbulent current, carving out a path where there are no clear-cut answers: let's all stay strong together.