Legacy Logging Pipelines Cannot Prove Origin Identity

Dec 22, 2025

Failure Pattern

Legacy logging systems accept log entries without verifying the origin workload. Attackers inject logs to corrupt investigations.

What We See in the Field

Attackers add false log entries to hide malicious behavior. Logs appear authentic because identity is inferred, not verified.

Underlying Causes

Legacy logging without origin verification
Shared logging credentials
Metadata-based identity assumptions
No cryptographic signature per workload
Log ingestion pipelines trusting all sources

Trust-Native Network Resolution

DTL attaches signed workload identity to every session. Logs contain verifiable origin identity, preventing forgery.
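As an added illustration of the ingestion-side check this implies (example code, not the page's or DTL's own), the Go sketch below holds one Ed25519 public key per registered workload and refuses any entry whose claimed origin did not sign it; the LogEntry shape, the canonical byte layout and the workload name payments-api are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// LogEntry is a constructed record shape for this example: the origin is a
// signed claim the pipeline verifies, not a metadata field it takes on faith.
type LogEntry struct {
	Workload, Session, Message string
	Sig                        string // hex Ed25519 signature over the fields above
}

// canonical is the exact byte string each per-workload signature covers.
func canonical(e LogEntry) []byte { return []byte(e.Workload + "\x00" + e.Session + "\x00" + e.Message) }

// Sign is what a workload does with its own private key before emitting a line.
func Sign(priv ed25519.PrivateKey, e LogEntry) LogEntry {
	e.Sig = hex.EncodeToString(ed25519.Sign(priv, canonical(e)))
	return e
}

// Pipeline maps each registered workload to its public key; there is no shared credential.
type Pipeline struct{ keys map[string]ed25519.PublicKey }

// Accept rejects unregistered origins and any entry the claimed origin did not sign.
func (p *Pipeline) Accept(e LogEntry) error {
	pub, ok := p.keys[e.Workload]
	if !ok {
		return errors.New("unknown workload: " + e.Workload)
	}
	sig, err := hex.DecodeString(e.Sig)
	if err != nil || !ed25519.Verify(pub, canonical(e), sig) {
		return errors.New("entry not signed by claimed origin " + e.Workload)
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // registered workload key pair
	_, privX, _ := ed25519.GenerateKey(rand.Reader)    // impostor claiming the same name
	p := &Pipeline{keys: map[string]ed25519.PublicKey{"payments-api": pubA}}
	genuine := Sign(privA, LogEntry{Workload: "payments-api", Session: "s1", Message: "login ok"})
	forged := Sign(privX, LogEntry{Workload: "payments-api", Session: "s1", Message: "login ok"})
	fmt.Println("genuine:", p.Accept(genuine), "forged:", p.Accept(forged))
}
```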

Broken Trust Assumption

The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.

During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.

This is the risk of trust inferred from credentials, location, or prior authentication.