RC RANDOM CHAOS

Count Binface breaks your correlation rule

Count Binface names a detection-pipeline attack: targeted noise injection exploits data-aggregation bias to bury true positives and poison UEBA baselines.

· 7 min read
Count Binface breaks your correlation rule

Count Binface is a novelty candidate who stands in UK parliamentary elections. Registered on the ballot, counted by the returning officer, tallied in the same column as candidates running funded national campaigns. The count does not weight for intent. It aggregates. A protest ballot and a considered ballot are one unit each, because the aggregation step holds no field for seriousness. That property - identical handling of signal and noise inside a reduction - is the subject here. Detection pipelines share it. Attackers already build against it.

Correlation is aggregation. A SIEM correlation rule reduces many discrete events to one verdict. Five Windows Security 4625 failures followed by one 4624 success collapses into a single credential-access notable. A chain of Sysmon Event ID 1 process creations with an anomalous parent becomes one behavioral detection. UEBA compresses a week of activity into a risk score between 0 and 100. Each is a reduction of high-dimensional telemetry to a low-dimensional decision. The reduction is the product. It is also the defect, because reduction discards the fidelity that separated the malicious event from the benign one.

The bug class is not memory corruption. It is statistical. Detection at scale runs into the base-rate fallacy. The true malicious rate on a large fleet is minuscule against benign volume. A detection that fires on a rare true positive across millions of benign events produces an alert queue dominated by false positives, no matter how clean it looked in a lab. The math is unforgiving. High recall against a rare event guarantees a queue the SOC cannot fully clear. The analyst adapts. The working prior becomes: this rule is noisy, close and move on. That prior is a control surface. Whoever can move it moves detection.

Precision is the number that governs analyst trust, and it is fragile against volume. A rule at 99.9 percent precision sounds strong. Against ten million daily events with two hundred true malicious among them, a false-positive rate of one in ten thousand still yields a thousand false alerts for two hundred real ones. The analyst sees a five-to-one noise ratio on a good day. Push the benign volume up with injected events and the ratio moves further. There is a point at which the queue is functionally unread. Cloudflare and Meta run detection at a scale where these ratios are daily operational reality, and the tuning pressure they create is not optional. It is the only way to keep the queue finite.

Stateful correlation makes it worse. Sequence rules - Elastic EQL sequences, Sentinel scheduled analytics, Splunk ES correlation searches - hold state across a time window and fire when an ordered pattern completes. The window is bounded, usually minutes to hours, for cost reasons. State is evicted when the window closes. An operator who paces actions to straddle window boundaries breaks the sequence without hiding a single event. Each event is logged. The pattern that made them a detection never assembles. The aggregation had a memory limit, and the activity was written past it.

The first weaponised mechanism is burial. Correlation engines deduplicate and suppress. Events that share a key - same process name, same rule ID, same host class - collapse into one cluster so the analyst sees a count, not a thousand rows. Activity that produces telemetry inside an already-noisy cluster inherits that cluster’s triage verdict. A malicious rundll32 execution lands in the same bin as the ten thousand benign rundll32 executions the fleet emits daily. The aggregation counted it. It counted it as noise.

The second mechanism is baseline poisoning. UEBA and anomaly models learn a normal band over a rolling window, often 7 to 30 days. Behavior introduced slowly across that window is not flagged as anomalous. It is absorbed into normal. Sanctioned-looking activity, drip-fed under valid credentials, shifts the learned baseline until the eventual malicious action sits inside the accepted band. This is data poisoning of the detection model. Not evasion of a static signature. Corruption of the statistic the signature depends on.

The poisoning target is the feature vector. UEBA scores deviation across features: logon hours, data volume moved, hosts touched, process lineage, geo. Each feature has a learned distribution. Move one feature slowly and the model widens the accepted variance for that feature. A user who begins touching three new hosts a week, under valid credentials, inside business hours, trains the model to accept lateral reach. By the time the reach is malicious, the deviation score is inside tolerance. No single day’s behavior was anomalous. The anomaly was distributed across the training window, below the model’s per-sample sensitivity.

Both mechanisms map to MITRE T1562, Impair Defenses. The family is usually read as disabling - killing the agent, clearing the channel, stopping the service. Noise injection degrades without disabling. Nothing is turned off. The pipeline ingests, correlates, ranks, and reports. It reports the wrong ranking. Add T1036, Masquerading, for shaping an event to resemble the benign cluster, and T1070, Indicator Removal, for the residue. T1078, Valid Accounts, supplies the identity that makes injected noise look sanctioned in the first place.

The enabling condition is already in production. Living-off-the-land binaries - regsvr32, mshta, rundll32, PsExec under T1569.002 - generate telemetry indistinguishable at the aggregation layer from legitimate administration. Detection teams tune these rules down because they fire constantly on real admin work. The rule is not defeated. The tool the rule was forced to forgive is used instead.

The same shape appears at the human decision layer. MFA request generation, T1621, is noise injection against a person. An operator holding valid credentials floods push prompts until the user approves one to stop the noise. Okta and other identity providers saw this pattern drive real intrusions through 2022. The aggregation there is a human deciding that the tenth prompt is the same as the first. It is not. One of them was the operator.

In telemetry the failure is invisible by design. Every injected event fires. Ingestion stays nominal. The SIEM dashboard is green because volume is healthy and rules are matching. Sysmon 1, 3, 10, and 11 all populate. 4688 process-creation logging is intact. Nothing is missing. The blind spot is not absence. It is rank. The true positive exists in the index, correctly parsed, correctly tagged, sitting at position four thousand in a queue the analyst clears to position two hundred. Detection succeeded. Triage never reached it. The gap lives between the event being recorded and a human acting on it, and no standard pipeline-health metric measures that gap.

EDR platforms bucket detections into categories - credential access, defense evasion, execution, lateral movement - and surface them by severity. Severity is computed, not observed. It is a function of the same aggregation. An event shaped to land in a low-severity category inherits low-severity handling regardless of intent. The console shows the detection. It shows it at informational. Nothing escalated because the scoring function, fed a benign-looking feature set, returned a benign score. The detection fired and self-suppressed.

One further blind spot compounds it. Suppression-rule and tuning changes are rarely privileged telemetry. A rule quietly moved from alert to log, or a threshold raised during a noise wave, often generates no notable of its own. The change that blinds the sensor is itself unmonitored.

There is no patch boundary. This is not a version range. It is an architectural consequence of reducing telemetry to verdicts under a hostile base rate. Post-tuning exposure equals pre-tuning exposure, because tuning is the objective, not the obstacle. The residual risk sits in three places: per-event enrichment discarded before aggregation, suppression logic that trusts an event identity the attacker controls, and baseline models with learning windows longer than an attacker’s patience.

For operators under SOCI obligations, detection integrity is not only an efficiency problem. Log and monitoring integrity for critical infrastructure is a regulated expectation under Australian law, and a pipeline that records but never surfaces a compromise fails that expectation quietly.

The control is not more alerts. It is provenance preserved through aggregation, suppression changes treated as privileged actions, and baselines that assume the training window is contested. A team watching a correlated false-positive flood hit one specific rule should treat the flood as the signal and escalate it to detection engineering, not tune it away. The tuning is the attack completing.

Count Binface won no seats. He was never trying to. He demonstrated that a system which counts everything equally can be fed anything. Detection pipelines count everything equally. That is the vulnerability, and it does not have a CVE.

Share

Keep Reading

Stay in the loop

New writing delivered when it's ready. No schedule, no spam.