Threat-informed or Threat-owned? Classic Practices Will Probably Save You!

Anton Chuvakin, published in Anton on Security, Aug 30, 2023

So, if you are too busy to read our amazing (duh!) new blog “Revisiting Traditional Security Advice for Modern Threats”, here are the key ideas from it.

  1. At some point, a “pre-owned” (compromised before you ever saw it) email security appliance, firewall, or a piece of software will show up in your environment (you no longer need to be this elite for it; it ain’t 2013).
  2. You will not detect this, in all likelihood. You really won’t, sorry, there is no shame in admitting it.
  3. This means you need to detect whatever the attacker does later on. Attackers’ second stage is really your first chance.
  4. Some good news! “Recent attacks teach us that while the initial exploits vary dramatically, attacker’s post-exploit operations are much more consistent.” (our blog has more details)
  5. So organizations should focus on secondary and post-compromise detections, such as credential abuse, internal network traffic, and data exfiltration.
  6. You can do this, using ̶p̶o̶w̶e̶r̶f̶u̶l̶ ̶A̶I̶ ̶v̶o̶o̶d̶o̶o̶ ̶m̶a̶g̶i̶c̶ many of the approaches and practices (our blog again has the details) that you should have started doing years ago, but most never did.
  7. Now, if you are threat-informed, you will start. Or, you will end up “threat-owned.”
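To make item 5 concrete, here is an added example (mine, not code from Anton's post or the linked blog) of two post-compromise detections run over constructed records: credential reuse fanning out from one source to many hosts, and outbound volume far above a host's baseline. The host names, event layout, thresholds and baselines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): one account fanning out from a
# suspect appliance to many hosts, plus a normal user's two logins.
AUTH_EVENTS = [  # (timestamp, user, source host, destination host)
    ("2023-08-30T10:00:00", "svc_backup", "appliance01", "fs01"),
    ("2023-08-30T10:00:20", "svc_backup", "appliance01", "fs02"),
    ("2023-08-30T10:00:45", "svc_backup", "appliance01", "db01"),
    ("2023-08-30T10:01:10", "svc_backup", "appliance01", "dc01"),
    ("2023-08-30T10:05:00", "alice", "wks17", "fs01"),
    ("2023-08-30T11:05:00", "alice", "wks17", "mail01"),
]
FLOW_EVENTS = [  # (source host, bytes out, destination is internal?)
    ("appliance01", 500_000_000, True),
    ("appliance01", 40_000_000, False),
    ("wks17", 20_000_000, False),
]
# Assumed per-host daily outbound baseline to external destinations, in bytes.
BASELINE_BYTES = {"appliance01": 1_000_000, "wks17": 50_000_000}


def detect_credential_abuse(events, window=timedelta(minutes=5), max_hosts=3):
    """Flag accounts that authenticate to more than max_hosts distinct hosts
    inside a sliding window: fan-out a human rarely produces, but credential
    reuse after a compromise does."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for user, items in sorted(by_user.items()):
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {d for t, d in items[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, sorted(hosts)))
                break
    return alerts


def detect_exfiltration(flows, baseline, factor=10):
    """Flag hosts whose outbound volume to external destinations exceeds
    factor times their baseline; internal-only traffic is ignored here."""
    out = defaultdict(int)
    for src, nbytes, internal in flows:
        if not internal:
            out[src] += nbytes
    return sorted(h for h, b in out.items() if b > factor * baseline.get(h, 0))
```

Neither rule needs to know how the appliance was compromised; both fire on what the attacker has to do afterwards, which is the whole point of the post.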

Finally, if you can only remember one line, remember this: “Overall, recent attacks teach us that while the initial exploits vary dramatically, attacker’s post-exploit operations are much more consistent. This means that we have a more consistent post-exploit and secondary stage detection experience.”

Go read the blog, will ya? Don’t just read this blog about the blog, just read the blog.
