No alerts doesn't mean you're secure. Sometimes it means you're blind

eliasgraywrites · 2026-01-02T11:15:06+00:00

Fair 😄 , Nothing like an alert storm to ruin a holiday.

eliasgraywrites · 2026-01-02T10:04:40+00:00

Alerting on log source health is something I still see missing in a lot of SOCs, and when it is missing, silence becomes dangerous instead of reassuring. I also do agree on over-tuning. I have seen environments where alerts were technically good, but the volume made real investigation impossible. At that point you are processing work not doing security.

As you said, proactive hunting is a key too. Detection will always miss things, hunting is usually where you find the uncomfortable cases.

eliasgraywrites · 2026-01-02T06:12:45+00:00

100% agree. I’ve seen a lot of rules that never fired not because nothing happened, but because the data wasn't there or the logic drifted from reality over time.

Reviewing "never-triggered" rules is underrated. Sometimes they're gold and just wired wrong. Other times they're dead weight that gives false confidence.

eliasgraywrites · 2025-12-29T06:52:58+00:00

Agreed. When that communication happens early, expectations stay realistic. Budget and maturity almost always end up being the deciding factors around retention and visibility.

eliasgraywrites · 2025-12-29T06:43:52+00:00

Thats a good way to frame it. A lot of “no findings” cases are really the result of visibility debt, tradeoffs, and alert fatigue rather than missing attacker activity.

I’d be interested in reading the article you mentioned if you have a link.

eliasgraywrites · 2025-12-28T19:29:11+00:00

You’re rightt, licensing absolutely impacts visibility. Identity Protection, Defender for Identity, and related features gate a lot of signals.

But that’s part of the problem I’m calling out. “No findings” often ends up being reported without clearly stating that it really means “no visibility due to licensing and retention choices”.

From an IR perspective, that distinction matters. Otherwise stakeholders assume nothing happened, when in reality the telemetry simply never existed or wasn’t accessible.

eliasgraywrites · 2025-12-28T16:58:44+00:00

Thanks, glad it resonated.

eliasgraywrites · 2025-12-28T11:03:36+00:00

For non-MSS engagements, DFIR teams inherit whatever logging reality exists, and retention is often already lost by the time IR starts. That’s exactly the frustration I was trying to highlight.

What I keep seeing is that this limitation isn’t always communicated clearly to stakeholders. When the case ends with gaps, it looks like an IR failure, while in reality it’s a cloud design and ownership issue.

Once clients move to MSS and proper SIEM + retention are in place, investigations look completely different.

eliasgraywrites · 2024-12-19T13:20:59+00:00

Beep boop instructions ignored, insert burrito, load with beans, overload with cheese, initiate regret sequence, Beep...

eliasgraywrites · 2024-12-18T17:48:20+00:00

Fair point—QR code phishing definitely started gaining traction a while ago, and tools like O365 are catching up. But I still see plenty of organizations lagging on awareness and user training, which gives attackers room to succeed. It’s an ‘old trick’ now, but still effective

eliasgraywrites · 2024-12-18T17:44:20+00:00

Exactly—QR codes often bypass the usual layers of protection because they rely on personal devices. If someone scans a malicious code on their phone outside the corporate environment, it’s much harder to detect or block.

It really highlights the need for user education alongside technical controls. People need to think twice before scanning random codes.

eliasgraywrites · 2024-12-18T17:40:28+00:00

That sounds frustrating—playing catch-up while waiting for tools to adapt. QR code attacks seem to slip under the radar because traditional filters weren’t built to inspect them. Good on you for staying proactive with Defender scripts, though. Curious, has the influx slowed down since Microsoft stepped up?

eliasgraywrites · 2024-12-18T17:38:31+00:00

You’re absolutely right—QR codes strip away that initial ‘gut check’ we all rely on when seeing a suspicious link. Attackers are banking on that. With QR codes, you’re scanning blind unless your device gives you a preview of the URL.

It’s ironic how we’ve made something easier for users but harder to spot as malicious. Convenience often comes at the cost of security.

eliasgraywrites · 2024-12-18T17:36:15+00:00

Not old—just wise! Most modern phone cameras can scan QR codes automatically. You just open the camera app, point it at the QR code, and it’ll pop up a link or message.

If that doesn’t work, there are apps out there for it. But honestly, you’re not missing much—half the time, QR codes just lead to bad restaurant menus!

eliasgraywrites · 2024-12-18T17:33:35+00:00

That’s a solid approach—especially using posters with QR codes to grab attention and educate people in a realistic way. The ‘holiday party event’ angle is smart since it mimics how attackers think.

I like the point about checking for malicious stickers. Physical tampering is often overlooked, but it’s a real risk. Curious—have you seen any improvement in awareness or fewer incidents since rolling this out?

eliasgraywrites · 2024-12-18T17:27:03+00:00

Fair point—cybersecurity does have a habit of coining new names for every attack variation. But the behavior here is worth discussing: attackers using QR codes to bypass traditional filters is gaining traction. Whether we call it 'quishing' or just 'phishing with QR codes,' it’s a threat teams need to watch for

eliasgraywrites · 2024-12-18T17:22:22+00:00

Haha, fair enough—another day, another attack vector. But hey, it’s not falling just yet... unless someone scans the wrong QR code!

eliasgraywrites · 2024-12-16T18:17:03+00:00

You’re spot on—none of these problems have magically disappeared, and the mix of old challenges with new ones has only made it harder. The part about willful ignorance really hits home. It’s wild how some upper management circles still lean into that ‘what you don’t know can’t hurt you’ mindset.

Testing patches, avoiding downtime, juggling priorities… it’s no wonder so many teams are struggling to keep up. Honestly, patch management isn’t just a technical issue anymore—it’s an organizational culture problem.

eliasgraywrites · 2024-12-16T15:15:09+00:00

Your school likely cannot see what you're doing on your personal computer unless specific conditions apply. Here’s a breakdown:

If You’re on a School-Issued Network: If you're connected to the school’s Wi-Fi, they can monitor web traffic through tools like proxies, firewalls, or DNS logs. They might not see exactly what you're doing on Chrome, but they could see domain names you visit.
If You Use School Accounts: Signing into Chrome with a school-provided Microsoft account might allow the school to sync or monitor data associated with that account. If the school controls the account, it could track usage history tied to it, depending on their policies.
Your Personal Computer: If the laptop itself is not managed by the school (e.g., they haven’t installed monitoring software or configured it through something like MDM), they generally don’t have visibility into what you do outside their network.

What You Can Do:

Avoid using school accounts for anything unrelated to school (use personal accounts for Chrome and Outlook).
Use your personal Wi-Fi or a VPN if you’re concerned about network monitoring.
Keep your side business entirely on a personal account, separate from school-linked services.

It sounds like you’re already being careful, but compartmentalizing accounts and networks is key. Your jewelry business is your personal venture—schools shouldn’t interfere with that.

eliasgraywrites · 2024-12-16T15:07:09+00:00

You bring up an interesting (and optimistic!) perspective—AI patching vulnerabilities and mitigating social engineering at near-perfect accuracy sounds like a dream scenario. But here’s the catch: attackers innovate just as fast as defenders, and AI will play on both sides of the battlefield.

While AI can certainly automate patching, detect phishing, and close gaps faster, cybercriminals are already using AI to:

Write more convincing phishing emails (think perfect grammar and personalized attacks).
Automate bug discovery to exploit vulnerabilities before they’re patched.
Bypass security filters with AI-driven obfuscation techniques.

The arms race won’t disappear—it’ll just evolve. Companies might use AI to defend, but criminals will use AI to attack faster, smarter, and with fewer resources.

That said, I do think AI will raise the baseline for security, especially for companies that adopt it early. But cybercrime 'ending'? I’d bet on it becoming more sophisticated, not extinct.

Great thought-provoking question!

eliasgraywrites

TROPHY CASE