Case Study - Hidden in Plain Sight - The Gap Between Visibility and Detection
Source: NSB Cyber
The Scenario
A large professional services firm in Australia experienced a significant cyber security incident resulting in data exfiltration, operational disruption, and a notifiable data breach.
At the time of the incident, the organisation had invested in several security controls, including centralised logging across multiple systems, network and perimeter monitoring, and some endpoint monitoring on key assets.
Security events were being captured. Activity was being logged. But critically, the organisation did not have real-time alerting configured or active log monitoring in place.
What Happened
The incident originated from the exploitation of a known vulnerability that had not been patched within the organisation’s environment.
Once initial access was achieved, the threat actor began operating within the environment over a sustained period.
Early threat-actor activity included:
Internal reconnaissance and network scanning
Use of legitimate access mechanisms to move laterally
Execution of scripts to establish persistence
Deployment of tooling to extract credentials and escalate privileges
Over time, the threat actor was able to:
Gain elevated access across multiple systems
Maintain persistent access to the environment
Re-enter the environment on multiple occasions
Exfiltrate a significant volume of sensitive data
All of this activity was captured in system logs. However, no alerts were generated, because no alerting rules had been configured against those logs.
Why It Was Missed
This incident highlights a common gap we see across organisations.
Some level of system monitoring was in place. Logging was in place. But detection was not.
While the existing security tools recorded the threat actor’s activity, the absence of appropriately configured real-time alerting, effective event correlation, and active monitoring and investigation meant the activity remained invisible from an operational perspective.
In effect, the organisation had visibility without awareness.
The Outcome
The incident ultimately resulted in:
A ransom demand from the threat actor
Significant data loss and confirmed exfiltration
A notifiable data breach
Substantial response and recovery efforts
Despite having security tooling in place, the organisation did not detect or respond to the attack in time to prevent these outcomes.
How MDR Would Have Changed the Outcome
Had a Managed Detection and Response (MDR) capability been in place, the outcome of this incident would likely have been significantly different.
An effective MDR capability would have:
Monitored activity across systems in real time
Correlated events across endpoints, identities, and infrastructure
Identified patterns of attacker behaviour, rather than isolated events
Generated actionable detections early in the attack lifecycle
This would likely have enabled:
Early identification of reconnaissance and lateral movement
Detection of abnormal authentication and access patterns
Identification of privilege escalation and persistence mechanisms
Rapid investigation and containment before data exfiltration occurred
In short, the incident may have been contained before data was exfiltrated and it became a notifiable breach.
How Our MDR Goes Further
While many MDR services improve response to alerts, our approach focuses on something different: earlier detection.
NSB Cyber’s MDR is a modernised Security Operations Centre (SOC) model, focused on identifying and disrupting threats early in the attack lifecycle.
In a scenario like this, our MDR likely would have:
Analysed weak signals and behavioural indicators across the environment
Correlated seemingly low-risk activity into a single high-confidence detection
Enriched activity with real-world threat intelligence and known attacker techniques
Prioritised the activity based on risk, not alert volume
This means that activity such as network scanning, unusual RDP usage, script execution for persistence, and credential access behaviour would not sit as isolated log entries; together they would form a connected detection.
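To make the distinction concrete, the following is an added illustration (not NSB Cyber's code or tooling, and not logs from the incident) of the two models the case describes: judging each log entry on its own, as an environment with logging but no correlation effectively does, versus chaining low-risk events for the same identity within a time window and scoring the cluster on the attack stages it spans. The event records, field names, category weights and thresholds are all constructed assumptions for the example.

```python
"""Correlating low-risk log entries into one high-confidence detection.

Added illustration (not NSB Cyber's code or tooling). The event records,
field names, category weights and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Raw event kind -> (attack-stage category, per-event risk score).
# Weights are assumptions chosen so that no single event reaches ALERT_THRESHOLD,
# which is exactly the "visibility without awareness" situation in the case.
CATEGORY_OF = {
    "fw_port_scan":       ("reconnaissance",    2),
    "rdp_logon_type10":   ("lateral_movement",  2),
    "sched_task_created": ("persistence",       3),
    "lsass_handle_open":  ("credential_access", 4),
}
ALERT_THRESHOLD = 5          # score one event must reach to page an analyst
CORRELATED_THRESHOLD = 8     # score a cluster of related events must reach
MIN_CATEGORIES = 3           # distinct attack stages required in one cluster
WINDOW = timedelta(hours=6)  # max gap between events of one identity to chain them

# Constructed sample log lines: one identity chaining four stages overnight,
# and an administrator performing a single, expected RDP logon during the day.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "user": "j.smith",  "host": "WS-17",      "kind": "fw_port_scan",       "detail": "1,900 ports on 10.0.4.0/24"},
    {"ts": "2024-03-01T02:35:00", "user": "j.smith",  "host": "SRV-FILE01", "kind": "rdp_logon_type10",   "detail": "source WS-17"},
    {"ts": "2024-03-01T03:05:00", "user": "j.smith",  "host": "SRV-FILE01", "kind": "sched_task_created", "detail": "powershell.exe -EncodedCommand"},
    {"ts": "2024-03-01T03:20:00", "user": "j.smith",  "host": "SRV-FILE01", "kind": "lsass_handle_open",  "detail": "procdump64.exe"},
    {"ts": "2024-03-01T09:15:00", "user": "it.admin", "host": "SRV-APP02",  "kind": "rdp_logon_type10",   "detail": "source JUMP-01"},
    {"ts": "2024-03-01T11:40:00", "user": "it.admin", "host": "SRV-APP02",  "kind": "user_logoff",        "detail": ""},
]


def parse(events):
    """Attach a datetime, category and score to each event we know how to classify."""
    out = []
    for e in events:
        if e["kind"] not in CATEGORY_OF:
            continue  # unclassified noise stays in the log and contributes nothing
        category, score = CATEGORY_OF[e["kind"]]
        out.append({**e, "when": datetime.fromisoformat(e["ts"]),
                    "category": category, "score": score})
    return sorted(out, key=lambda e: e["when"])


def per_event_alerts(events, threshold=ALERT_THRESHOLD):
    """The 'logging without correlation' model: every event is judged in isolation."""
    return [e for e in parse(events) if e["score"] >= threshold]


def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES,
              threshold=CORRELATED_THRESHOLD):
    """Chain events per identity into clusters (consecutive gap <= window) and
    score each cluster on the distinct attack stages it spans, not on any one event."""
    by_user = defaultdict(list)
    for e in parse(events):
        by_user[e["user"]].append(e)

    detections = []
    for user, evs in by_user.items():
        cluster = [evs[0]]
        for e in evs[1:] + [None]:  # the None sentinel flushes the final cluster
            if e is not None and e["when"] - cluster[-1]["when"] <= window:
                cluster.append(e)
                continue
            stages = {c["category"]: c["score"] for c in cluster}  # dedupe repeated stages
            score = sum(stages.values())
            if len(stages) >= min_categories and score >= threshold:
                detections.append({
                    "user": user,
                    "hosts": sorted({c["host"] for c in cluster}),
                    "categories": sorted(stages),
                    "score": score,
                    "first_seen": cluster[0]["ts"],
                    "last_seen": cluster[-1]["ts"],
                })
            if e is not None:
                cluster = [e]
    return detections


if __name__ == "__main__":
    print("per-event alerts:", per_event_alerts(SAMPLE_EVENTS))   # nothing fires
    for d in correlate(SAMPLE_EVENTS):
        print("correlated detection:", d)                         # one high-confidence detection
```

Run stand-alone, the per-event model returns nothing, because every entry is individually below the alert threshold, while the correlated model returns a single detection for `j.smith` spanning reconnaissance, lateral movement, persistence and credential access across two hosts, and nothing for the administrator's lone RDP logon. The pivot here is the identity rather than the host, since the activity crosses machines; in practice the window, weights and minimum stage count are tuned to the environment, and the point a practitioner should take from the example is that the detection comes from the relationship between entries, not from any one of them.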
This is the difference between seeing activity and understanding it as an attack.
The Key Takeaway
This case highlights a simple but critical point – visibility into an environment alone is not sufficient. Without continuous monitoring, meaningful detection, and experienced analysis, important signals can be missed even when visibility exists.
Our MDR solution helps to close this gap by turning data into understanding and understanding into action. It provides the visibility, context, and active management required to identify and disrupt threats before they escalate, ensuring organisations are not just collecting data, but are actively protected.
Because the difference between a contained incident and a reportable breach is often not what you can see, but what you can recognise, and respond to, in time.