Red team assessments, penetration tests, and even purple team assessments are all designed to answer these questions.
As attacks get more complex, these assessments struggle to provide comprehensive answers.
These assessment services typically test defenses against ten to twenty attack techniques, and use only one variation of each technique.
Each technique can have thousands or millions of variants.
It's hard to know whether an organization is truly protected or was merely prepared for the specific variant the red team happened to use.
As a result, many organizations have begun to embrace purple teaming, where red and blue teams work together to take a more comprehensive and collaborative approach to security assessments.
In my mind, a more comprehensive way to evaluate defenses is to test them against a representative sample of attack technique variants.
Obviously, testing every variant of an attack technique - like the one where I found 2.4 million variants - is not practical.
First, teams should decide which techniques they want to test for, then catalog the variants of those attacks to the best of their ability, and finally pick a representative sample of those variants.
The narrower the sample, the more variants it leaves untested, and the less it reveals about how defenses will fare against the range of techniques an adversary might actually use.
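The catalog-then-sample procedure above, as an added worked example that is not from the article: the dimension names and option values below are hypothetical stand-ins for what a team might record when it catalogs one technique's variants, and the selection step uses greedy pairwise (all-pairs) covering, a standard combinatorial-testing heuristic, so that every combination of two options appears in at least one chosen variant. It goes slightly beyond the text by showing both how quickly the variant count multiplies and how few variants a structured sample needs in order to exercise every pair of options.

```python
"""Catalog the variant space of one attack technique and draw a representative sample.

Added example. The axes and options are constructed for illustration and do not
come from any published catalog; replace them with what your team actually records.
"""
from itertools import combinations, product

# Hypothetical axes along which real-world procedures for one technique differ.
CREDENTIAL_DUMPING_DIMENSIONS = {
    "target": ["lsass_memory", "sam_hive", "ntds_dit", "lsa_secrets"],
    "access_method": ["documented_api", "direct_syscall", "minidump_callback", "handle_duplication"],
    "tooling": ["public_tool", "custom_tool", "built_in_binary"],
    "execution_context": ["interactive_shell", "scheduled_task", "service", "wmi"],
    "output_handling": ["write_to_disk", "stay_in_memory", "send_over_network"],
}


def variant_count(dimensions):
    """Size of the full variant space: the product of the option counts per axis."""
    total = 1
    for options in dimensions.values():
        total *= len(options)
    return total


def enumerate_variants(dimensions):
    """Yield every variant as a dict mapping each dimension to one chosen option."""
    names = list(dimensions)
    for combo in product(*(dimensions[n] for n in names)):
        yield dict(zip(names, combo))


def _pairs(variant):
    """The (dimension, option) pairs a single variant exercises, two axes at a time."""
    items = sorted(variant.items())
    return {frozenset(pair) for pair in combinations(items, 2)}


def all_pairs(dimensions):
    """Every (dimension, option) pair that some variant could exercise."""
    result = set()
    for a, b in combinations(list(dimensions), 2):
        for va in dimensions[a]:
            for vb in dimensions[b]:
                result.add(frozenset({(a, va), (b, vb)}))
    return result


def representative_sample(dimensions, max_size=None):
    """Greedy pairwise-covering sample.

    Repeatedly picks the variant that exercises the most not-yet-covered pairs,
    stopping when every pair is covered or max_size variants have been chosen.
    Ties are broken by enumeration order, so the result is deterministic.
    Returns (chosen_variants, pairs_still_uncovered).
    """
    variants = list(enumerate_variants(dimensions))
    uncovered = all_pairs(dimensions)
    chosen = []
    while uncovered and (max_size is None or len(chosen) < max_size):
        best = max(variants, key=lambda v: len(_pairs(v) & uncovered))
        gained = _pairs(best) & uncovered
        if not gained:
            break
        chosen.append(best)
        uncovered -= gained
    return chosen, uncovered


def pairwise_coverage(sample, dimensions):
    """Fraction of all option pairs exercised by at least one sampled variant."""
    universe = all_pairs(dimensions)
    covered = set().union(*(_pairs(v) for v in sample)) if sample else set()
    return len(covered & universe) / len(universe)


if __name__ == "__main__":
    dims = CREDENTIAL_DUMPING_DIMENSIONS
    print(f"full variant space: {variant_count(dims)} variants")
    sample, left = representative_sample(dims)
    print(f"pairwise-covering sample: {len(sample)} variants, "
          f"coverage {pairwise_coverage(sample, dims):.0%}, uncovered pairs {len(left)}")
    narrow, left = representative_sample(dims, max_size=5)
    print(f"narrow sample of 5: coverage {pairwise_coverage(narrow, dims):.0%}, "
          f"uncovered pairs {len(left)}")
```

Five small axes already yield 576 technically distinct variants, yet a pairwise-covering sample of a few dozen exercises every combination of two options; a narrow sample of five leaves most pairs untested, which is the information loss the paragraph above warns about. Higher-order coverage (three options at a time) is a direct extension of the same loop.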
Picking a representative sample of attack techniques is difficult because there's no good system in cybersecurity for cataloguing the variants of an attack.
Traditionally in cybersecurity, attack techniques are broken down into three levels - tactics, techniques and procedures.
A technique, like Credential Dumping, can be accomplished with many different procedures, like Mimikatz or Dumpert.
The last four allow teams to account for this mass variation and expose the reality that a single technique could have tens or hundreds of thousands of variants that are all technically unique.
Tactics - Short-term, tactical adversary goals during an attack.
Techniques - The means by which adversaries achieve tactical goals.
Process Injection and Rootkit are both techniques for accomplishing the Defense Evasion tactic mentioned above.
Sub-techniques - More specific means by which adversaries achieve tactical goals at a lower level than techniques.
Either way, this five- or six-layered model captures the complexity of attack techniques better than the traditional three-level breakdown and can help defenders select more diverse test cases.
Assessment services offer a powerful way to validate security posture, but they must address the challenge of attack technique variation if we expect them to be comprehensive.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Thu, 11 Jan 2024 06:13:05 +0000