
TIPS #36: The Threat Context Gap

Shane Shook

February 24, 2026


Issue: Detection is often designed to find common TTPs, but attackers exploit the unique operational shape of each organization.

Every enterprise is like a snowflake (no, not the data platform). Companies have a unique operational shape formed by a particular set of identity structures, admin habits, RMM usage, service creation norms, data access patterns, and trusted relationships. Two organizations that use the exact same tools and frameworks will behave very differently at runtime.

The detection gap

Yet, nearly all modern detection logic is designed to find what’s common, not what’s unique. Security practitioners collect telemetry and build detections around shared indicators, known techniques, and statistically common deviations. They ask questions like ‘Is this behavior known to be malicious?’ and ‘Is this behavior anomalous compared to recent history?’ This approach works well when attackers reuse tools and exploits at scale but fails when they blend into a company’s legitimate systems to bypass common detection logic, as is increasingly the case.

Threat activity isn’t absolute or intrinsic. It’s relational and exists between what could happen, what usually happens, and what is happening now. Threat intelligence should not only tell us what attackers do across the ecosystem; it should also tell us what they do because of who we are.

Defenders who only look for common malicious patterns will always lag attackers who specialize in institutional adaptation. A paradigm shift is required to bridge this gap.

Institutional Threat Differential Intelligence

Institutional Threat Differential Intelligence (ITDI) is the practice of defining and identifying threat activity as meaningful deviations from institutional norms that align with specific attacker objectives.

ITDI is an operating model, not a single product or platform, and it is not a replacement for existing controls. It is the intelligence layer that makes sense of everything those controls already collect.

The ITDI approach helps companies analyze security telemetry in the context of their unique systems, data, and trusted relationships. In other words, the key question becomes: ‘Why does this behavior exist in this enterprise, in this form, at this time?’

Impact: Attackers use stealth through normalcy to persist, escalate their efforts, and meet their objectives.

The following case study illustrates how attackers can bypass standard controls and escalate an attack to a breach and compromise without the ITDI framework.

The Attack and Breach: Adversary in the Middle

Adversary in the Middle (AiTM) attacks are routine entry points that leverage well-understood tactics including reverse proxies, session token theft, and MFA bypass techniques. Companies frequently treat AiTM as an authentication problem alone when in reality it often becomes the primary control plane compromise.

In this case, the attackers steal a valid session and token with AiTM techniques. They are no longer constrained by traditional credential misuse patterns and can explore the tenant as the user to observe what tools exist, what administrative surfaces are exposed, and what access paths are available.

The initial sign-in looks legitimate:

  • Browser-based access from a known geography
  • Successful MFA
  • No impossible travel
  • No risky sign-in score

However, the way the attackers behave in the organization’s systems tells a different story:

  • The session persists longer than typical for that user
  • They reuse tokens in patterns that are technically valid but historically unusual
  • The user accesses administrative portals and management endpoints they have permission to view but rarely interact with

Since none of these behaviors are clearly malicious, the anomalies are only visible through the lens of how the specific tenant normally behaves. This highlights the first principle of ITDI: threat activity is often a deviation in how a user exercises permitted capabilities, not a discrete malicious event.

Lateral Movement

Lateral movement does not require exploits when administrative pathways already exist. Legitimate administrators, service accounts, RMM platforms, device management, and automations regularly create services and enable lateral movement for business purposes.

The attackers move across systems through legitimate administrative access:

  • They use standard management utilities
  • They do not deploy malware or unusual binaries and do not demonstrate exploit telemetry
  • They create new services using native tooling and expected privilege levels

Lateral movement and service creation are not inherently suspicious in the environment, but how (and why) they occur is anomalous:

  • Services appear briefly and then disappear
  • They run under contexts that are valid but rarely used together
  • They bridge systems that historically do not have operational coupling

Traditional detections struggle here because the user’s actions are permitted, and nothing violates policy. However, they are statistically and structurally improbable for the institution. This illustrates the second principle of ITDI: focus on the improbability of permitted actions.

The Compromise: Targeted SharePoint Data Theft

Data exfiltration often takes advantage of permitted access.

The attackers leverage their access to valid tokens and tenant visibility (from the AiTM foothold) to explore the Microsoft 365 environment directly. SharePoint access does not require moving laterally across hosts; it requires understanding where valuable data lives and which identities can access it.

The data theft is subtle:

  • No mass downloads
  • No archive creation
  • No obvious exfiltration spike

Instead, data access and exfiltration focus on a narrow set of documents:

  • Financial forecast models
  • Sales pipeline workbooks
  • Documents associated with unreleased revenue projections

The users technically have access but historically almost never touch these files. Access patterns cluster around information that will be valuable for competitive intelligence or financial manipulation.

From a pure logging perspective, nothing is wrong. From an institutional perspective, the access pattern is highly abnormal. If you only look for permission misuse or unusual volume, you miss the institutional context and the attacker’s intent.

Distortion as Signal and Strategy

Across this case study, attackers distort how an enterprise normally uses its own capabilities. They have also created coincidental distortions along the way to exhaust scarce response resources, misdirect analysis, and take advantage of the pressure to triage quickly.

When authentication abuse, service creation, system exploration, and sensitive data access occur within a compressed timeframe, defenders are forced to decide which activity represents the primary threat:

  • The creation of new services may indicate preparation for persistence, future disruption, or collateral leverage for ransomware and business continuity extortion (technical risk)
  • The theft of sales forecasts and financial models may represent a far greater competitive or market impact (business risk)
  • Without institutional context, these events compete for attention rather than forming a coherent picture

This illustrates the third principle of ITDI: don’t just assess what happened, assess why it may have happened, and which outcomes align most closely with attacker objectives.

Action: Develop a flexible data foundation, a behavioral contrast framework, contextualized analysis capabilities, and actionable insights.

1) Feeding ITDI: Data Accessibility and Data Gravity

Like many areas of cyber and AI, ITDI is constrained by garbage in, garbage out. Your outcomes will only be as good as your ability to ingest, manage, and classify diverse telemetry across identity, endpoint, network, and cloud control planes without forcing data into rigid schemas or centralized bottlenecks.

Databahn enables flexible, scalable, and resilient telemetry pipelines that preserve contextual richness while supporting downstream analytics.

“Enterprises need intelligent fabrics that adapt, govern, contextualize, and optimize data at scale. In the new era of observability, data is understood, not just moved.”

Nanda Santhana, CEO and Co-founder, Databahn.ai

2) Operationalizing ITDI: Abstract Behavioral Threat Contrast

Operationalizing ITDI involves abstracting behavior, a process we refer to as Abstract Behavioral Threat Contrast (ABTC). Here’s how we recommend putting ABTC into practice.

First, model institutional shape to create a structural understanding that goes beyond traditional baselining. This includes mapping identity to resource relationships, common administrative pathways, normal service creation patterns, and data access gravity.

Second, group telemetry into behavioral trajectories. For example:

  • Authentication plus token reuse plus administrative exploration
  • Admin access plus transient service creation
  • Identity-based SharePoint access to a rare document cluster

Third, contrast behaviors against institutional history and peer or industry-specific norms. The goal is not classification, but rather to identify behaviors that may be normal somewhere but are meaningfully abnormal in your company.

Fourth, surface behavioral differentials and distortions, and explain why the deviation matters to your company in terms of probable business impact and risk. Articulate this in terms executives will understand, like competitive exposure, financial manipulation, and regulatory impact.
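The following is an added example, not code from the original post or from any vendor it names. It sketches the ABTC steps above against the case study's three trajectories: a constructed per-user access history stands in for the "institutional shape", each permitted action is scored by how rarely that user has exercised it, and rare actions that chain across distinct stages inside a time window are surfaced as a behavioral differential. All users, targets and counts are constructed.

```python
# Added example: scoring the "improbability of permitted actions" with a
# constructed institutional history. Not the post's or any vendor's code.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    action: str   # stage: "portal", "service_create", "doc_access"
    target: str   # portal name, host pair bridged by a service, document cluster
    minute: int   # constructed timestamp, minutes since start of the window


# Constructed history: how often each user has touched each target (the
# "institutional shape"). Every target here is one the user is permitted to use.
HISTORY = {
    ("alice", "portal:entra-admin"): 1,      # permitted, almost never used
    ("alice", "portal:mail"): 400,
    ("alice", "doc:team-notes"): 250,
    ("bob", "doc:finance-forecasts"): 120,   # normal for a finance user
    ("ops-svc", "svc:hostA->hostB"): 300,    # routine service creation path
}


def rarity(user, target, history=HISTORY):
    """0.0 = routine for this user, 1.0 = never exercised by this user.
    The same target can be routine for one identity and rare for another."""
    total = sum(n for (u, _), n in history.items() if u == user)
    seen = history.get((user, target), 0)
    return 1.0 - (seen / total if total else 0.0)


def rare_trajectories(events, threshold=0.9, window=120, history=HISTORY):
    """Return {user: [(action, target, rarity), ...]} for users whose rare but
    permitted actions span at least two distinct stages inside the window.
    A single rare action is not surfaced; a chain of them is."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.minute):
        if rarity(e.user, e.target, history) >= threshold:
            by_user[e.user].append(e)
    out = {}
    for user, evs in by_user.items():
        chain = [e for e in evs if e.minute - evs[0].minute <= window]
        if len({e.action for e in chain}) >= 2:
            out[user] = [(e.action, e.target,
                          round(rarity(user, e.target, history), 3)) for e in chain]
    return out


# Constructed telemetry mirroring the case study's trajectory for "alice".
EVENTS = [
    Event("alice", "portal", "portal:mail", 0),                 # routine
    Event("alice", "portal", "portal:entra-admin", 15),         # rare admin surface
    Event("alice", "service_create", "svc:hostA->hostC", 40),   # uncoupled hosts
    Event("alice", "doc_access", "doc:finance-forecasts", 70),  # rare doc cluster
    Event("ops-svc", "service_create", "svc:hostA->hostB", 20), # routine for ops
    Event("bob", "doc_access", "doc:finance-forecasts", 30),    # routine for bob
]
```

Running `rare_trajectories(EVENTS)` surfaces only alice's three-stage chain; bob touching the same forecast documents and ops-svc creating its usual service are scored as routine for those identities.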

3) Contextualizing ITDI: Interpreting and Prioritizing Behaviors

Once you abstract behavioral distortions, you still face the challenge of understanding causality, intent, and likely attacker objectives.

Qevlar AI applies AI-driven investigation and contextual correlation to accelerate triage, explain why certain distortions matter, and reduce the cognitive load on analysts. This helps you prioritize response based on institutional impact rather than alert volume.

“AI starts adding value when it can reason through ambiguity and decide on next steps. That's the real inflection point: when you move from maintaining automations to enabling autonomy.”

Ahmed Achchak, CEO and Co-founder, Qevlar AI

4) Executing ITDI at Scale

Translating insights into action requires a continuous interpretation of complex behavioral signals and alignment to business risk at scale. Otherwise, your ITDI will only be an analytical artifact.

SolCyber’s managed security capabilities integrate institutional context into detection, investigation, and response workflows. This ensures that business leaders can act decisively on insights about distortion, attacker intent, and business impact.

“The days of building walls around your network are over. Today's hackers use legitimate usernames and passwords to walk through the front door.”

Scott McCrady, CEO, SolCyber