Introduction
Designing, deploying, and managing a comprehensive security program is complex and challenging, and therefore not an easy task for most. Organizations are influenced and pressured from multiple, often competing, sources. This pressure can come from customers, compliance, management, peers, finance, public opinion, and publicly available news, just to name a few. Even when faced with these challenges, organizations are generally able to overcome these pressures and implement what is considered to be a robust security program. Organizations can satisfy the various parties and, at least on paper, describe a security program designed to stop malicious cyber-attacks. As a result, audit and compliance checks pass, robust patch management systems are deployed, and vulnerability assessments and penetration tests are conducted. These are significant initial steps toward providing the means to defend a network from attack. Unfortunately, this often falls short of achieving the primary goal of preventing, detecting, and responding to real threats. Why? What is missing? The real question to consider is:
Are organizations truly building security programs designed to address the threat?
A security program includes many components such as staff, policies, procedures, tools, management, oversight, incident response, etc. The program is designed and built with the assistance of members from several different divisions or job functions, all contributing their thoughts and security requirements. Security programs often use this strategy to ensure a complete and holistic security program; however, what or who is often missing? Has anyone on the security operations team ever seen a bad guy? Has anyone on the team attacked or compromised a network? To what extent? To quote Peter in the movie Office Space:
"I can't believe what a bunch of nerds we are. We're looking up money laundering in a dictionary."
Are teams designing defenses for an enemy they do not know or understand?
Is the threat included in security planning?
Good intentions by a group of intelligent people do not add up to understanding threats or how they operate. If the goal of security operations is to prevent, detect, respond to, and recover from malicious actions, it only makes sense to include the opinions of those whom you are defending against.
Unfortunately, security design often excludes the threat or threat perspective. This omission often leads to the mitigation or acceptance of risks not fully understood or revealed during traditional security testing and auditing. The result is a severe false sense of security. A real threat knows this and uses it to their advantage.
Consider This
Does a threat know a target has a robust security program?
Do threats perform actions that will trigger an alert or get them caught?
Are threats still successful?
If so, why are threats able to successfully achieve their goals and negatively impact an organization when that organization has a comprehensive security program? To understand this,