Many organizations currently use audit and compliance, vulnerability assessments, and penetration testing to evaluate and measure their risk of cyber-attack. Why bother with a new, threat-focused approach? Isn't the identification and mitigation of vulnerabilities enough?
To answer, you must understand how a threat-actor thinks and acts. Remember, a threat is really an intelligent person determined to cause harm. It is NOT an exploit of a vulnerability, NOT a piece of malware, and NOT a phishing attack. These are merely the means a threat-actor may choose to achieve their end goal. The threat-actor assumes the target has a comprehensive security program and a suite of security tools (firewalls, intrusion detection systems, antivirus, EDR, etc.) deployed with the intent of stopping cyber-attacks. A good threat-actor will likely assume an organization has deployed patches, conducted vulnerability assessments to reduce the exploitable attack surface, and conducted penetration tests to identify attack paths. This understanding can significantly change the actions taken by a threat-actor, and those actions can be quite different from the actions taken by a traditional security tester. Does the threat-actor fire up a port scanner and enumerate an entire network? Does a threat-actor run a vulnerability scanning tool to find an exploit? Attacks by threat-actors do not always follow the models adopted by traditional security testing. An attack is not scan -> exploit -> profit. An intelligent threat-actor evaluates what a target presents and uses weaknesses not always discovered through traditional security tests. A "good" threat-actor will take several controlled steps to gain access to a target, establish command and control, establish persistence, and perform situational awareness, ultimately achieving their desired goal.

The people charged with defending an organization often ignore or misunderstand the steps taken by a threat-actor. This misunderstanding often leads to a focus on prevention, not detection. Defenders who do focus on detection may drown themselves in un-actionable default or vendor-generated logs and alerts. Have you ever heard a security operations analyst state, "We have too many logs and alerts to respond to!" or "We are just trying to keep up with ticket volume!"? Why do organizations log what they log? Compliance? In case the logs are needed? The vendor's advice? Organizations are still missing a key piece of all threats: understanding their actions and TTPs.