Before they strike: How Silent Push detects threats

According to Ken Bagnall, CEO and Founder of cyber intelligence firm Silent Push, spotting malicious infrastructure before it’s weaponised remains one of enterprise security’s toughest challenges, with many SOC teams missing early warning signs due to a lack of context linking harmless-looking domains or networks to known attacker patterns.

In this interview with Frontier Enterprise, Bagnall discusses the blind spots, integration pitfalls, and data priorities that can help organisations shift detection further left in the kill chain.

What’s the most common blind spot that enterprise SOC teams miss in the early threat set-up phase?

The most common blind spot is lacking the context to understand what they’re seeing. Discovering a domain that was recently set up with nothing on it yet means very little to defenders taking that first look, unless they have the additional context to know that the domain is linked to Scattered Spider, for instance, and positioned for an attack that could be launched within the next 15 minutes to an hour.

In that time, the team may still be asking questions to see if what they found is legitimate, and it may already be offline by the time they finish getting answers. Context is king for a reason, which is why treating indicators as composite objects can help defenders get that context up front and match a known infrastructure pattern to something that might otherwise seem benign.

Why are threat actors’ APAC platform impersonations so effective and often undetected?

Lack of awareness is a key factor, both on the defender side and among the general public. If you don’t have any reason to suspect that a job board might be illegitimate, or that a government portal could be impersonated to steal your information, then you’re less likely to question potential red flags.

Combine that with the success threat actors have had, both in collecting valuable user data and in achieving their overall objectives, and these platforms become attractive targets.

Why do security teams miss early warning signs despite having threat intelligence?

“IOC fatigue” is a real issue. Indicators of compromise often don’t have much staying power these days, given how quickly infrastructure can be and is abandoned. This makes it harder to decide which intelligence feeds are worth integrating when defenders know that many are, by definition, descriptions of past attacks.

One way to address this is to supplement those feeds with intelligence that focuses not on what an attacker has already used, but on what they are likely to use next, including other infrastructure they may have in reserve.

What’s the biggest integration mistake security teams make, and how can it be fixed?

Misconfiguration or incompatibility can generate chains of false positives that wear down defenders’ trust in those tools, turning benign molehills into what seem like malicious mountains.

What does early threat detection actually require in practice, and where do most fall short?

You have to find the pattern. How does an attacker set up their infrastructure? What services, registrars, or ASNs (autonomous system numbers) do they use? What does their network look like, how does it communicate, and can you fingerprint it? Is there automation in play, and if so, what is it doing? What do you look for when what you’ve found is abandoned and goes dark? How do you find the next campaign, and how can you be sure your attribution is correct?

Detecting threats earlier in the kill chain, and at the scale needed to counter the global threats that organisations face today, requires a fundamental shift in approach, one built on reliable, purpose-driven data that enables defenders to detect malicious activity before weaponisation. As for why most fall short, the simple answer is that many are satisfied with “good enough,” and “good enough” doesn’t cut it. Detecting future threats is a goal that’s notoriously difficult to act on, if not outright impossible, without having that objective clearly in mind from the outset.
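The two ideas Bagnall returns to, treating an indicator as a composite object rather than a bare domain, and fingerprinting how an actor sets up infrastructure (registrar, ASN, nameservers, certificate issuer, age), can be shown concretely. The following is an added illustration written for this page, not Silent Push code or any product's scoring logic; the pattern fields, weights, registrar names, nameserver suffix, certificate issuer and AS numbers are all constructed sample values (the ASNs come from the range reserved for documentation).

```python
"""Composite-indicator matching: score what a defender can see about a
freshly observed domain against a known infrastructure pattern, so a
domain with "nothing on it yet" still gets context at first sight.

Added example, not Silent Push code. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class InfraRecord:
    """What is observable about a domain before any content is hosted."""
    domain: str
    registrar: str
    asn: int
    nameservers: Tuple[str, ...]  # lowercase hostnames
    tls_issuer: str
    age_hours: float              # time since registration


@dataclass
class Pattern:
    """A composite fingerprint of how a (constructed) actor stands up
    infrastructure. Each matched attribute contributes its weight."""
    name: str
    registrar: Optional[str] = None
    asns: FrozenSet[int] = frozenset()
    nameserver_suffix: Optional[str] = None
    tls_issuer: Optional[str] = None
    max_age_hours: Optional[float] = None
    weights: Dict[str, float] = field(default_factory=lambda: {
        "registrar": 0.2, "asn": 0.3, "nameserver": 0.3,
        "tls_issuer": 0.1, "age": 0.1,
    })


def score(record: InfraRecord, pattern: Pattern) -> Tuple[float, List[str]]:
    """Return (weighted score in [0, 1], list of matched attribute names)."""
    hits: List[str] = []
    if pattern.registrar and record.registrar == pattern.registrar:
        hits.append("registrar")
    if pattern.asns and record.asn in pattern.asns:
        hits.append("asn")
    if pattern.nameserver_suffix and any(
            ns.endswith(pattern.nameserver_suffix) for ns in record.nameservers):
        hits.append("nameserver")
    if pattern.tls_issuer and record.tls_issuer == pattern.tls_issuer:
        hits.append("tls_issuer")
    if pattern.max_age_hours is not None and record.age_hours <= pattern.max_age_hours:
        hits.append("age")
    return round(sum(pattern.weights[h] for h in hits), 2), hits


def classify(record: InfraRecord, patterns: List[Pattern],
             threshold: float = 0.6) -> Optional[Dict[str, object]]:
    """Pick the best-matching pattern; None if nothing reaches the threshold.
    The matched attributes are returned so an analyst sees *why* it fired."""
    best = None
    for p in patterns:
        s, hits = score(record, p)
        if s >= threshold and (best is None or s > best["score"]):
            best = {"domain": record.domain, "pattern": p.name,
                    "score": s, "matched": hits}
    return best


def triage(records: List[InfraRecord], patterns: List[Pattern]) -> List[Dict[str, object]]:
    """Run every new observation through every pattern; keep only alerts."""
    return [r for r in (classify(rec, patterns) for rec in records) if r]


# Constructed pattern for a hypothetical actor (ASNs 64496/64497 are
# reserved for documentation, RFC 5398).
PATTERNS = [Pattern(
    name="constructed-actor-A",
    registrar="example-registrar-1",
    asns=frozenset({64496, 64497}),
    nameserver_suffix=".ns.example.net",
    tls_issuer="Example CA",
    max_age_hours=24,
)]

# Constructed observations: a full match, an old benign site, and a
# fresh domain that matches on setup attributes alone.
SAMPLE_RECORDS = [
    InfraRecord("portal-login.example", "example-registrar-1", 64496,
                ("a.ns.example.net", "b.ns.example.net"), "Example CA", 2.0),
    InfraRecord("blog.example", "example-registrar-2", 64500,
                ("ns1.example.org",), "Example CA", 8000.0),
    InfraRecord("jobs-board.example", "example-registrar-1", 64497,
                ("dns.example.com",), "Other CA", 1.0),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS, PATTERNS):
        print(alert)
```

The point of the design is that `jobs-board.example` carries no content and no historical IOC, yet the combination of registrar, hosting ASN and age already reaches the threshold; the returned `matched` list is what lets an analyst confirm or dismiss the alert quickly instead of spending the attacker's launch window asking whether it is legitimate. Weights and threshold are constructed here and would be tuned against real false-positive rates.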
