Logging Systems Spread False Identity

Dec 22, 2025

Failure Pattern

Logging systems or pipelines aggregate data from many workloads without verifying which workload actually emitted each record. Attackers exploit this to poison attribution.


What We See in the Field

Logging systems misrepresent which workload performed an action. Attackers inject false telemetry. Analysts rely on the corrupted data and reach incorrect conclusions.


Underlying Causes

Identity-blind logging agents
Log forwarding based on metadata
Shared certificates or tokens
No tamperproof identity in logs
Multi-hop pipelines where identity is lost


Trust-Native Network Resolution

DTL embeds ground-truth identity into every session. Log data includes verifiable identity anchored to a TrustKey, eliminating false attribution.
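The contrast between metadata-based attribution (the "Underlying Causes" above) and identity-anchored attribution, as an added illustration that is not DTL's code: each workload signs its records with its own key at emission, and the ingest side accepts the claimed workload only when the signature verifies. The per-workload HMAC keys stand in for an identity anchor such as a TrustKey and are an assumption of this example, as are the workload names and the sample records.

```python
import hashlib
import hmac
import json

# Constructed per-workload keys. In a real deployment these would be anchored to a
# hardware- or platform-rooted identity; here they are simple stand-ins (assumption).
WORKLOAD_KEYS = {
    "payments-api": b"constructed-key-payments",
    "batch-worker": b"constructed-key-batch",
}

def sign_record(workload, payload, key):
    """Producer side: bind the record to the emitting workload's key at emission time."""
    body = json.dumps({"workload": workload, **payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def attribute_naively(record):
    """Metadata-based attribution: trusts whatever 'workload' field the record claims."""
    return json.loads(record["body"])["workload"]

def attribute_verified(record):
    """Identity-anchored attribution: accept the claimed workload only if the signature
    verifies under that workload's own key; otherwise mark the record UNVERIFIED."""
    claimed = json.loads(record["body"])["workload"]
    key = WORKLOAD_KEYS.get(claimed)
    if key is None:
        return "UNVERIFIED"
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    return claimed if hmac.compare_digest(expected, record["sig"]) else "UNVERIFIED"

# Constructed sample: one legitimate record, and a copy whose 'workload' field was
# rewritten in transit (for example at a forwarder hop) to blame a different workload.
legit = sign_record("batch-worker", {"action": "delete_bucket"}, WORKLOAD_KEYS["batch-worker"])
spoofed = dict(legit)
spoofed["body"] = legit["body"].replace('"batch-worker"', '"payments-api"')

if __name__ == "__main__":
    for name, rec in (("legit", legit), ("spoofed", spoofed)):
        print(name, "naive:", attribute_naively(rec), "verified:", attribute_verified(rec))
```

The naive path attributes the spoofed record to payments-api, while the verified path refuses to attribute it at all, which is the difference an analyst needs during an incident.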


Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.