Really? Are You Sure? (Updated)
I just read a security-related blog post in which the author asserts that distinct and detectable behavior patterns almost always precede security incidents. It sounds reassuring, until you think about it.
After the fact—yes, I agree—the patterns are usually observable; before the fact, I'm not so sure. It's kind of like a tough riddle; it'll tie your brain in a knot, but the answer's usually obvious once you hear it.
Individuals working within a socio-technical environment exhibit a wide range of behaviors driven by a wide range of motivations, some of which might not be obvious even to themselves. What's more, threat actors embedded within a larger group will often (almost always?) do their very best to mask their suspicious patterns of behavior.
I'd love to see a model of obvious patterns of behavior that security professionals can use to detect a threat actor before the bomb goes off or the data walks out the door. Pointing to allegedly vulnerable points in a linear "kill chain" isn't sufficient, at least in my opinion.
Interestingly enough, the author also asserts that safety events are predictable. Once again, I disagree; this is simply too broad an assertion—some are, and some aren't. The really worrisome safety risks (usually?) appear predictable only after the accident or event, when we can trace the complex interactions and concurrences backwards. Thinking strictly in terms of stable and predictable safety risks aligns with the traditional, linear cause-and-effect thinking that more and more safety experts are moving beyond.
In the end, it comes down to show and tell. Show (don't tell) me that security incidents are predictable before the fact. Show (don't tell) me that safety risks are stable and predictable over time—again, before the fact. If you can do that, I'll listen.
Update: After a conversation with another red teamer, it makes sense to append another thought to this post. When historical data exists, use it. Just don’t let a forecasting model based on the data foreclose the possibility of new attack modes.