The majority of attacks that result in successful data breaches are simply not that complex. Many rely on well-known, tried-and-true methods. Indeed, the Verizon DBIR has for many years reported that upwards of 90% of attacks were successfully executed because of unpatched, known vulnerabilities or misconfigured systems.

If we can learn only a few lessons from the latest attacks, consider these:

  • WannaCry – ransomware attack via unpatched vulnerabilities
  • Verizon – misconfigured server
  • Equifax – unpatched vulnerability
  • Dow Jones – misconfigured server

The lack of knowledge or lack of actionable intelligence to deal with these very preventable intrusions still boggles the mind. If you are wondering where your security focus should be, let’s review the options.

Many are focused on detecting the latest malware, often deploying a number of new technologies, or what I call shiny objects. Granted, they are shiny for a reason and may be sufficient. However, if cyber-security is your focus, then the emphasis should be on technologies and processes that have stood the test of time. How do these attacks happen? Who is performing them? What are their behaviors?

Whether it’s due to a lack of knowledge or a lack of skilled practitioners, not focusing on cybercrime behavior (and instead concentrating only on checking for the latest piece of malware) constitutes a missed opportunity to shore up the enterprise security posture.

Alas, many organizations have lacked the time and expertise to develop the security content – the breach detection rules and configuration hardening policies – needed to deter attacks or identify breaches in a timely manner.

Fortunately, there are repositories of attack data available to analyze and build hardening and detection rules to preempt attacks. One such repository is the MITRE Corporation ATT&CK™ – Adversarial Tactics, Techniques & Common Knowledge community. Some refer to this data simply as tactics, techniques, and procedures (TTP). By supercharging