What the tools are built to observe

The following categories are collected as a matter of routine operation. There is no minimum threshold of concern required before observation begins. Observation is the default state, which is entirely standard for security tools of this kind and completely unrelated to anything else in this report.

Network traffic patterns

Volume, timing, routing, and destination. Two organisations that do not publicly acknowledge a commercial relationship will still have network traffic between them if the relationship is real. The traffic does not share their reservations about disclosure.

Communication pathways

Not necessarily the content of communications, but who speaks to whom, how often, and by which route. The structure is frequently more informative than the content. A financial institution in frequent late-night contact with its legal advisors is communicating something the content of those messages does not need to supply.

System configuration

What is running, what versions, what has changed. This tells you what a client is doing, and it tells you where they are exposed. Those are two distinct kinds of value, and under this arrangement both flow to the same recipient, which the MCLU notes is a coincidence of unusual convenience.

File integrity

What exists on the system, what has been modified, and when. For a guild, this encompasses membership records and financial ledgers. For any organisation, it is a timeline of internal activity that no audit trail was designed to make available to external parties, and yet here we are.

Behavioural baselines

What is normal for this client. The Seamstresses’ Guild has a different normal than the Engravers’ Guild. To hold an accurate behavioural baseline is to hold a detailed and operationally intimate portrait of how an organisation actually functions, as opposed to how it presents itself as functioning. Building one takes months of continuous observation.

In aggregate and directed outward, these categories constitute something the MCLU would characterise differently from a security stack. We are working on a characterisation that is both accurate and survivable in court.