Philosophies & Perspectives
Conventional Wisdom in Defense
| Traditional Defenders | Modern Defenders |
|---|---|
| Defend a list of assets | Defend a graph of assets |
| Manage incidents | Manage adversaries |
| Minimize risks by keeping incidents secret | Maximize learning by sharing with trusted outside peers |
| View pentest results as a report card | View pentest results as an input |
| Think about stopping attacks | Think about increasing attacker requirements |
Security Vocabulary for Non-Security Executives
| ATT&CK Tactic | Explain it to a non-security person | Objective | ATT&CK Layer |
|---|---|---|---|
| Initial Access | Get into your environment | Gain access | Layer 1 |
| Execution | Run malicious code | Follow through (steal/break) | Layer 1 |
| Persistence | Maintain foothold | Keep access | Layer 1 |
| Privilege Escalation | Gain higher level permissions | Gain (more) access | Layer 2 |
| Defense Evasion | Avoid detection | Keep access | Layer 2 |
| Credential Access | Steal logins and passwords | Gain access | Layer 3 |
| Discovery | Figure out your environment | Explore | Layer 3 |
| Lateral Movement | Move through your environment | Explore | Layer 4 |
| Collection | Gather data | Follow through | Layer 4 |
| Exfiltration | Steal data | Follow through | Layer 4 |
| Command and Control | Contact controlled system | Contact controlled systems | Layer 5 |
Vocabulary Use: The adversary is trying to [Objective] by [Tactic] using [Technique].

Example: The adversary is trying to gain access by stealing logins and passwords using credential dumping.

Example: The adversary is trying to keep access by avoiding detection using process hollowing.