In detection engineering (DE), distinguishing between true and false positives is a critical challenge. Much like how American criminal law relies on the concepts of mens rea (intent) and actus reus (action) to determine criminal liability, detection engineers must not only identify suspicious actions but also assess the intent behind those actions. It's not enough to detect unusual behavior; we must understand why it's happening to classify and respond to potential threats accurately. By drawing on principles from criminal law, detection engineers can refine their strategies, prioritize risks, and improve the overall effectiveness of their detection alerts.
This blog delves into how legal concepts can inspire new approaches to the DE process, ultimately improving the accuracy and precision of cybersecurity defense strategies.
In criminal justice, the concept of "burden of proof" is fundamental: it sets the level of evidence needed to establish guilt. Similarly, in DE, the burden of proof refers to the level of confidence we have in the detection outcomes, specifically whether we can confidently classify an alert as malicious based on the observed action and the inferred intent.
Just as mens rea (the guilty mind or intent) and actus reus (the physical action or conduct) must be proven in a criminal case, DE must evaluate both the action and the intent behind that action to determine if it’s a legitimate threat.
In DE, different levels of proof can be applied to evaluate the risk of an alert, guiding the decision-making process:
Preponderance of the evidence: This standard is often used in civil cases and means that something is more likely than not. In DE, this level of proof might be applied when an alert meets a threshold of risk based on multiple data points, such as correlation across various logs.
Example: A login from an unusual location combined with a failed attempt to access restricted files might meet the preponderance of evidence threshold, suggesting a higher likelihood of malicious intent.
Clear and convincing evidence: This is a higher standard that requires a high degree of certainty. For DE, an alert may meet this level of proof when there’s strong evidence of malicious behavior, such as successful lateral movement or privilege escalation.
Example: If an attacker gains administrative access and uses that access to disable security controls, this behavior represents clear and convincing evidence of malicious activity.
Beyond a reasonable doubt: This is the highest standard of proof used in criminal cases. In DE, this level of confidence might be required before taking drastic actions like disabling an account or blocking network traffic. It requires near certainty that the activity is malicious, supported by extensive evidence and contextual analysis.
Example: A combination of compromised credentials, data exfiltration, and communication with a known malicious IP address can constitute proof beyond a reasonable doubt, justifying a strong defensive response.
The detection engineer’s responsibility is to evaluate alerts through these varying levels of proof, using correlation, cardinality, and other risk-based alerting techniques to establish confidence in the detection's outcome.
Correlation: By linking related events across multiple data sources, detection engineers can strengthen the burden of proof. For example, a login from a suspicious IP combined with unusual file access patterns provides stronger evidence of malicious activity.
Cardinality: Understanding how often a specific behavior occurs across different contexts helps establish whether an action is abnormal. Rare or highly unusual actions may warrant higher levels of scrutiny.
Risk-based alerting: By prioritizing alerts based on the potential impact and likelihood of malicious intent, detection engineers can apply the appropriate burden of proof before taking action. Higher-risk alerts require stronger evidence to justify a response.
This triad of evaluation mirrors investigative processes in criminal justice, helping detection engineers enhance their strategies and improve both detection accuracy and response effectiveness.
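The scoring logic below is an added example (not code from the post or from Huntress) of how correlation, cardinality, and risk-based alerting can be combined to decide which standard of proof an alert has met before a response is justified. The detection names, base risk values, thresholds, and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample detections (not from the post): timestamp|user|detection
SAMPLE_EVENTS = """\
2024-05-01T02:10:00|alice|login_unusual_geo
2024-05-01T02:12:30|alice|restricted_file_access_denied
2024-05-01T02:20:00|alice|privilege_escalation
2024-05-01T02:25:00|alice|security_tool_disabled
2024-05-01T09:00:00|bob|login_unusual_geo
"""
# Assumed base risk per detection; tune to the environment.
BASE_RISK = {"login_unusual_geo": 20, "restricted_file_access_denied": 30,
             "privilege_escalation": 50, "security_tool_disabled": 60}
# Assumed cumulative-risk thresholds for the three standards of proof, each with the response it justifies (checked highest first).
STANDARDS = [(200, "beyond_reasonable_doubt", "disable account"),
             (100, "clear_and_convincing", "open incident, isolate host"),
             (50, "preponderance", "ticket for analyst review")]

def parse_events(text):
    """Parse 'timestamp|user|detection' lines into time-sorted (ts, user, det) tuples."""
    rows = [line.split("|") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), u, d) for ts, u, d in rows)

def cardinality_weight(detection, events):
    """Rarity multiplier in [1.0, 2.0): a behaviour few users exhibit scores higher."""
    seen = {u for _, u, d in events if d == detection}
    population = {u for _, u, _ in events}
    return 2.0 - len(seen) / len(population)

def correlated_risk(user_events, events, window=timedelta(hours=1)):
    """Correlation: highest summed risk of one user's detections inside any single window."""
    best = 0.0
    for i, (start, _, _) in enumerate(user_events):
        total = sum(BASE_RISK[d] * cardinality_weight(d, events)
                    for ts, _, d in user_events[i:] if ts - start <= window)
        best = max(best, total)
    return round(best, 1)

def classify_users(events):
    """Risk-based alerting: {user: (risk, standard_met, justified_response)}."""
    result = {}
    for user in {u for _, u, _ in events}:
        risk = correlated_risk([e for e in events if e[1] == user], events)
        verdict = ("none", "no action")
        for threshold, name, action in STANDARDS:
            if risk >= threshold:
                verdict = (name, action)
                break
        result[user] = (risk, *verdict)
    return result
```

With the sample data, the unusual login plus the denied restricted-file access alone reaches the preponderance threshold, while the full chain ending in a disabled security tool is the only case that clears the bar for disabling the account.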
Now that we understand how the burden of proof helps establish confidence in detecting potential threats, it’s essential to explore the core legal principles—mens rea and actus reus—that form the foundation for evaluating and classifying these threats in DE.
In criminal law, prosecutors need to prove both mens rea (the mental state) and actus reus (the physical act) to secure a conviction for most crimes. Similarly, in DE, we need to prove both the action (e.g., privilege escalation, data exfiltration) and intent (e.g., malicious insider, attacker) in order to classify an alert accurately. The burden of proof concept in DE helps determine how strong the evidence is for the action and intent to confirm that the alert represents a true security threat.
In American criminal law, a case is typically constructed by demonstrating that both mens rea and actus reus were present during the commission of a crime. Mens rea refers to the intention behind committing a crime, while actus reus involves the physical act that constitutes the offense. To secure a conviction, prosecutors must prove both elements beyond a reasonable doubt, showing that the defendant intended to commit the crime and carried out the unlawful act.
Similarly, in DE, determining whether an alert signifies a real threat involves more than just identifying a suspicious action—it requires evaluating the intent behind that action.
For example, consider two users executing the same command on a system. One may be a legitimate administrator performing a routine task, while the other may be an attacker attempting lateral movement. The difference lies in the intent. By analyzing patterns of behavior and contextualizing the actions within a broader framework, we can better determine malicious intent and refine our detection processes.
Building on this foundational understanding, let’s explore how mens rea and actus reus principles apply specifically within DE. Applying them involves evaluating both the action taken and the underlying intent to determine whether the activity is malicious:
Mens rea focus: Understanding the motivation behind an action helps to classify alerts more accurately. For example, if an employee downloads large volumes of data before leaving the company, their intent may indicate potential insider-threat behavior.
Actus reus focus: Identifying concrete actions, such as unauthorized access attempts or privilege escalation, helps detect potential security breaches based on observable evidence.
When both mens rea and actus reus are present, there's a stronger case for classifying an alert as malicious. This dual evaluation mirrors how criminal investigations build cases based on both action and intent to determine guilt.
Now that we understand the role of mens rea and actus reus, let’s focus on how intent plays a critical role in alert classification. While an action such as a mass file transfer or privilege escalation can be easily identified, determining intent is far more challenging. A single action may not be enough to distinguish between legitimate and malicious behavior. This often requires correlating multiple actions over time and making a judgment call based on context.
Accurate categorization of alerts is essential for an effective threat response, as misclassification can lead to wasted resources or, worse, missed threats. In DE, intent plays a central role in classifying alerts into categories like benign true positive, false positive, true positive, and false negative. However, because intent is harder to determine than action, security teams often rely on behavioral patterns, historical data, and contextual signals to make informed decisions.
Benign true positive: When an alert indicates an action that matches detection logic but is ultimately harmless, understanding the actor’s intent is key. Since intent is difficult to assess from a single action, corroborating signals—such as prior behavior, user role, and business context—help differentiate legitimate from malicious activity. For example, if a user performs a mass file transfer, cross-referencing their typical behavior or checking for business justification can clarify intent.
False positive: An alert that indicates suspicious activity but is ultimately benign often arises from misunderstood intent. Multiple suspicious actions might be necessary before intent can be determined. If an alert is triggered due to unusual login activity, but subsequent behavior aligns with legitimate use, the initial suspicion may be unwarranted.
True positive: An alert that correctly identifies malicious activity. Here, intent must be inferred from a combination of actions. For example, a user encrypting files may not immediately indicate ransomware, but if combined with attempts to disable security tools, this confirms malicious intent.
False negative: When a true threat goes undetected, analyzing intent retrospectively can reveal gaps in detection logic. Intent is often hidden in subtle behaviors, requiring security teams to look for patterns over time rather than single events. A user escalating privileges once may not be inherently malicious, but if they then access sensitive systems and create persistence mechanisms, the intent becomes more apparent.
Since intent is difficult to quantify directly, DE relies on aggregating multiple signals, behavioral analysis, and threat intelligence. By prioritizing intent as a critical factor in detection classification, SOC teams improve the accuracy of identifying true positives while reducing benign true positives and false positives, and minimizing false negatives. This layered approach helps ensure that true threats are detected while avoiding unnecessary noise.
In criminal justice, a crime is established by proving several key elements:
Action (actus reus): The physical act of committing the crime.
Intent (mens rea): The mental intent to commit the crime.
Concurrence: The requirement that both the intent and the action occur together.
Causation: Demonstrating that the act directly caused the harm.
Harm: Showing that the act resulted in damage or injury.
These elements mirror how threats are identified, classified, and addressed in DE.
Action (actus reus): Observing a concrete suspicious action is the first step in detection, such as unauthorized access or privilege escalation. If this action is unauthorized, it signals potential malicious behavior.
Example: A user executing a script that encrypts files on a corporate network represents a concrete suspicious action.
Intent (mens rea): Next, we determine whether the action was performed with malicious intent. Without intent, even a suspicious action might be interpreted as an error or legitimate access.
Example: The same user attempting to disable endpoint security tools before running the encryption script suggests a clear intent to bypass defenses and cause harm.
Concurrence: Both the action and intent must be present to classify an alert as malicious.
Example: The execution of an encryption script, combined with the deliberate disabling of security tools, signals concurrent malicious behavior.
Causation and harm: If the detected action directly results in harm or impact, such as a data breach or service disruption, the alert is treated as critical.
Example: Encrypting critical business files and then posting a ransom note demanding payment for decryption demonstrates clear causation and harm.
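The function below is an added example (not code from the post or from Huntress) that turns the elements walked through above into a per-host check: it requires the action, looks for intent within a concurrence window around it, and treats harm observed after the action as causation. The event names, the 30-minute window, the severity labels, and the sample log are constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed endpoint telemetry (not from the post): timestamp|host|event
SAMPLE_LOG = """\
2024-05-02T13:00:00|ws-17|security_tool_disabled
2024-05-02T13:04:00|ws-17|encryption_script_executed
2024-05-02T13:09:00|ws-17|ransom_note_written
2024-05-02T08:00:00|ws-22|encryption_script_executed
2024-05-01T09:00:00|ws-31|security_tool_disabled
2024-05-02T15:00:00|ws-31|encryption_script_executed
"""
# Assumed mapping of telemetry events onto the elements of the analogy.
ACTION = {"encryption_script_executed"}                 # actus reus
INTENT = {"security_tool_disabled"}                     # mens rea
HARM = {"ransom_note_written", "files_unrecoverable"}   # causation and harm

def parse_log(text):
    """Parse 'timestamp|host|event' lines into time-sorted (ts, host, event) tuples."""
    rows = [line.split("|") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), h, ev) for ts, h, ev in rows)

def evaluate_host(events, concurrence=timedelta(minutes=30)):
    """Return (elements_present, severity) for one host's time-ordered events."""
    action = next((e for e in events if e[2] in ACTION), None)
    if action is None:
        return (set(), "none")          # nothing to build a case on
    present = {"action"}
    # Concurrence: intent only counts if it is shown close in time to the action.
    for ts, _, ev in events:
        if ev in INTENT and abs(ts - action[0]) <= concurrence:
            present |= {"intent", "concurrence"}
    # Causation and harm: impact recorded at or after the action is attributed to it.
    if any(ev in HARM and ts >= action[0] for ts, _, ev in events):
        present.add("harm")
    if {"concurrence", "harm"} <= present:
        return (present, "critical")    # action, intent and harm all established
    if "concurrence" in present:
        return (present, "malicious")   # action and intent, no harm observed yet
    return (present, "needs_context")   # action alone may be an error or legitimate use

def evaluate_all(events):
    """Evaluate every host seen in the telemetry."""
    return {h: evaluate_host([e for e in events if e[1] == h])
            for h in {h for _, h, _ in events}}
```

Note that ws-31 disabled its security tool a day before the encryption ran, so the concurrence check deliberately does not credit that as intent; widening the window is a tuning decision for the engineer, not something the check infers.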
By taking these various legal elements into account, DE can more effectively prioritize alerts, enhance classification accuracy, and implement appropriate responses tailored to the potential threat and its impact.
While intent focuses on understanding the motive behind actions, attribution is about identifying who performed those actions. Although they’re different, intent and attribution are often interconnected:
Motivation and identity: Understanding the intent behind an action can help narrow down potential actors. For instance, a pattern of financial gain could indicate the involvement of criminal groups, while espionage-related intent might point to nation-state actors.
Contextual clues: The context in which an action occurs (such as timing, target, or method) can provide clues about the actor’s identity. If the intent aligns with known tactics, techniques, and procedures (TTPs) of specific threat groups, it aids in attribution.
Purpose and response: While attribution answers who performed an action, intent answers why. Both are important in determining the appropriate response, whether it's legal action, further investigation, or security mitigation.
By combining intent analysis with attribution efforts, DE teams can develop a more complete understanding of threats, which helps SOC teams take proportionate, targeted actions.
A crucial aspect of DE is to design systems that classify alerts based on their likelihood of malicious intent. Just as a prosecutor categorizes crimes based on severity and intent, a tiered system can be applied to alert classification:
Negligence-based alerts: Low-risk anomalies that may indicate misconfigurations or user errors. These alerts can typically be resolved with minimal intervention.
Reckless behavior alerts: Indicators of potential security risks, such as repeated failed login attempts that could suggest brute force activity. While these alerts may not immediately indicate an active attack, they warrant closer scrutiny.
Intentional malicious activity: High-confidence alerts where multiple signals (e.g., privilege escalation, data exfiltration) confirm an active attack. These should be prioritized for immediate response.
By structuring alert classification through a legal lens, DE helps SOC teams reduce noise and prioritize threats that exhibit clear intent and harmful potential.
One of the most challenging aspects of DE is having to rely on others (i.e., SOC) to distinguish true positives from false positives. Many detection systems err on the side of caution, resulting in alert fatigue and inefficient security operations. By leveraging the principles of criminal justice—examining means, motive, and opportunity—we can refine detection models to improve true positive rates.
For example, in assessing whether a suspicious login attempt is genuinely malicious, let’s consider:
Means: Does the user have the capability to execute an attack? (e.g., are they using compromised credentials from the dark web?)
Motive: Is there a reason for this action? (e.g., is there an insider threat scenario?)
Opportunity: Are conditions favorable for an attack? (e.g., is this occurring outside normal business hours?)
This triad of evaluation mirrors investigative processes in criminal justice, leading to more accurate detection and response strategies.
Viewing DE through a legal investigative lens opens up new avenues that could significantly enhance our ability to detect, classify, and mitigate threats with greater precision and effectiveness. The concept of burden of proof provides a structured way to analyze confidence in detection outcomes, while legal classification frameworks help prioritize alerts with greater accuracy.
In DE, accurately assessing both the action and intent behind security events is key to improving the effectiveness of our response. Just as criminal law requires the analysis of both mens rea and actus reus to determine the seriousness of a crime, detection engineers must evaluate not just suspicious activity but also the underlying motivations. By integrating these legal principles into our alert classification process, we can better prioritize high-risk threats, reduce false positives, and respond more efficiently to real incidents.
As DE continues to evolve, applying frameworks that help us better understand the why behind actions will be crucial to building more accurate, reliable, and actionable detection models.
Thanks to Jonathan Johnson (@jsecurity101) and Chris Hecker for their help in reviewing this blog post.