The Detection Nightmare: Years Pass Without a Move

Jan 22, 2026

When Patience Becomes a Weapon

Imagine discovering that your server has been compromised—not yesterday, not last week, but six months ago. The attacker has been sitting there, waiting. Doing nothing except surviving every reboot, every patch, every security scan.

Welcome to the world of backdoor-as-a-service, where specialized crews break into your network, establish persistence and then sell that access on the dark web. Weeks or months later, when they find a buyer with a motive, the real attack begins.

In this episode of Threat Vector Investigates, David Szabo and Erez Levy, director of research at Palo Alto Networks, break down the most challenging domain in threat detection: finding attackers who operate on their own timeline.

Here's what makes this terrifying: most security tools are built to catch fast-moving threats like ransomware. They assume attackers have an end goal and the clock is ticking. But these adversaries? Patience is their weapon.

The Challenge Nobody Talks About

The research team at Palo Alto Networks faced a deceptively simple question: how do you find hackers who do nothing?

These aren't the smash-and-grab operators who encrypt your files and demand payment within hours. These are patient adversaries who specialize in one thing: surviving server reboots. They use creative techniques to ensure their backdoor persists through system restarts, hiding in plain sight as what looks like legitimate monitoring software or telemetry tools.

Finding them means detecting a "hay-colored needle in a haystack": malicious code that behaves almost identically to normal server processes.

When Crypto Miners Get Stealthy

While the backdoor marketplace remains relatively rare for now, the analytics team discovered something else: cryptominers using the exact same persistence techniques. These miners sometimes consume only 20% of CPU cycles so they stay completely unnoticed while quietly generating revenue for attackers.

These threats require what Levy calls "super sensitive detections" paired with "super smart analytics where that 1% accuracy up or down really matters."

The catch? High sensitivity means high alert volume, and SOC teams drowning in false positives can't do their jobs.

How Do You Build Detection This Precise?

The answer involves a combination of statistical filters and behavioral analysis that most security vendors don't have the data to build. One filter flags processes that execute suspiciously close to system boot and have never been seen before in that environment. Another looks for tell-tale signs in the executable itself: compressed code designed to evade disk-based scanners, or bloated files stuffed with junk content to prevent scanning entirely.

But here's what makes it work: customer-specific baselines.

Generic detection rules create noise because different organizations behave differently. A developer running certain tools looks suspicious in a finance department. Normal activity in one environment triggers alerts in another. Cortex XDR's analytics build baselines specific to each tenant, each user, each host, understanding what's normal before flagging what's anomalous.
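A toy version of the two filters just described (boot-proximity checked against a per-host baseline, plus packing and bloat heuristics on the executable), written here as an added example; it is not Cortex XDR code, and the event fields, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not Cortex XDR values.
BOOT_WINDOW_SEC = 120          # "suspiciously close to boot"
PACKED_ENTROPY = 7.2           # bits/byte; packed or compressed code sits near 8
BLOATED_BYTES = 500 * 2**20    # junk-padded files that scanners skip

@dataclass
class ProcEvent:
    host: str
    image: str             # path of the executable
    secs_after_boot: int
    size_bytes: int
    entropy: float         # Shannon entropy of the on-disk file, 0..8

def file_flags(ev: ProcEvent) -> list[str]:
    """Second filter: tell-tale signs in the executable itself."""
    flags = []
    if ev.entropy >= PACKED_ENTROPY:
        flags.append("packed/compressed image")
    if ev.size_bytes >= BLOATED_BYTES:
        flags.append("bloated image")
    return flags

def detect(events: list[ProcEvent], baseline: dict[str, set[str]]) -> list[tuple]:
    """First filter: a boot-time process this host has never run before.
    `baseline` maps host -> images already observed starting near boot;
    it is updated as events stream through, so a learned host stays quiet."""
    alerts = []
    for ev in events:
        known = baseline.setdefault(ev.host, set())
        if ev.secs_after_boot <= BOOT_WINDOW_SEC:
            if ev.image not in known:
                alerts.append((ev.host, ev.image, ["new boot-time process"] + file_flags(ev)))
            known.add(ev.image)
    return alerts

# Constructed sample data: a learned per-host baseline and a few process-start events.
BASELINE = {"web-01": {"/usr/bin/node_exporter"}, "dev-02": {"/usr/local/bin/dockerd"}}
EVENTS = [
    ProcEvent("web-01", "/usr/bin/node_exporter", 15, 20 * 2**20, 6.1),   # known agent
    ProcEvent("web-01", "/opt/telemetry/agentd", 22, 3 * 2**20, 7.7),     # lookalike, packed
    ProcEvent("dev-02", "/usr/local/bin/dockerd", 30, 90 * 2**20, 6.4),   # normal on dev host
    ProcEvent("web-01", "/usr/sbin/cron", 5400, 1 * 2**20, 5.9),          # long after boot
]

if __name__ == "__main__":
    for host, image, why in detect(EVENTS, BASELINE):
        print(f"{host}: {image} -> {', '.join(why)}")
```

Only the unfamiliar boot-time binary on web-01 is raised; the same dockerd start that would look odd on a finance host is silent on dev-02 because that host's baseline already contains it.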

What You'll See in the Video

The analysis from David Szabo and Erez Levy reveals the technical architecture behind generic persistence analytics:

  • How specialized dark web crews are monetizing initial access
  • The creative techniques attackers use to survive server reboots
  • Why traditional threat detection misses patient adversaries
  • The dual-filter approach combining statistical analysis and behavioral detection
  • How customer-specific baselines eliminate false positives at scale
  • The role of global analytics in detecting novel attack patterns
  • Why this shifts security teams from detection engineering to automation engineering

Watch the complete video breakdown

See how Cortex XDR detects threats that hide for months, without generating the alert fatigue that makes most behavioral analytics unusable in production.

Because the most dangerous attackers aren't the ones who move fast. They're the ones who know how to wait.
