Building a Detection Foundation: Part 1 - The Single-Source Problem
ID: 14833e92-09e4-58b7-88b2-f6ef9023d5af
STIX ID: report--14833e92-09e4-58b7-88b2-f6ef9023d5af
Feed Name: TrustedSec blog
This article argues against relying on a single telemetry source and illustrates the point with a CACTUS ransomware incident in which the attackers disabled EDR agents (using a signed anti-cheat driver), moved laterally, staged rclone for exfiltration, and deployed command-and-control (C2) tooling and encryptors. It recommends building a layered Windows logging foundation: security event auditing, PowerShell and script-block logging, and Sysmon, so that forensic visibility is preserved and detection remains possible even when endpoint agents are blinded.
