In 1994, I was dealing with a polymorphic virus.
Today, we deal with polymorphic attacks.
The difference?
Technology.
The similarity?
The principle.
Back then, the virus:
- changed its code,
- changed its form,
- tried to avoid detection.
Today, the attacker:
- changes techniques,
- changes entry points,
- changes behavior.
But the goal is the same:
Get inside.
Stay invisible.
The form changes, the mechanism remains
Companies still make the same mistake.
They try to catch a specific form of the attack.
A specific file.
A specific indicator.
A specific signature.
A specific technique that was seen yesterday.
But the real problem is not only the visible form of one attack.
The real problem is the mechanism behind it.
If you only search for the latest shape, you will always be late. The next version will look different. The next path will be adjusted. The next behavior will be slightly changed.
That is exactly the point.
Polymorphism is not only a technical trick. It is a strategy: change enough to avoid being recognized, while keeping the purpose intact.
What OneHalf taught me
When I was dealing with OneHalf, I was not only looking for one piece of code.
I was trying to understand how it worked.
How it changed.
How it hid.
How it affected the system.
How it avoided easy detection.
That mindset still matters today.
Modern incidents are different in scale, tooling and environment, but the analytical discipline is familiar.
If you only respond to the visible symptom, you are reacting.
If you understand the mechanism, you begin to control the situation.
Incidents are not only events
A security incident is not just an event that happened.
It is the result of a mechanism:
- how the attacker entered,
- how they moved,
- how they avoided detection,
- how they maintained access,
- how they selected targets,
- how they tried to achieve impact.
If you understand that chain, you can improve controls.
If you only remove the one visible artifact, the same mechanism may return in another form.
That is why threat analysis cannot be only a collection of indicators. Indicators are useful, but they expire quickly.
Understanding lasts longer.
The simple truth
Security is not only about catching the attacker.
It is about understanding how the attacker thinks.
That does not mean guessing motives or building dramatic stories. It means understanding the operating logic:
- what the attacker needs,
- what they are trying to avoid,
- where they are likely to move,
- what evidence they leave behind,
- what control would force them to change behavior.
This is where defense becomes stronger.
Not because it knows every possible form of every possible attack.
But because it understands the patterns behind change.
The question for companies
So the question is not only:
Which threats are we tracking?
The better question is:
Do we understand the mechanisms that create those threats?
Are you dealing with specific threats in your company?
Or do you understand how those threats are created, adapted and repeated?
That difference decides whether security is only chasing yesterday’s attack — or learning how tomorrow’s attack may work.