Philosophies & Perspectives
Last Modification
Conventional Wisdom in Defense
Source: MITRE ATT&CKcon 2018, John Lambert, Microsoft, - Keynote Presentation
| Traditional Defenders | Modern Defenders |
|---|---|
| Defend a list of assets | Defend a graph of assets |
| Manage incidents | Manage adversaries |
| Minimize risks by keeping incidents secret | Maximize learning by sharing with trusted outside peers |
| View pentest results as a report card | View pentest results as an input |
| Think about stopping attacks | They think about increasing attacker requirements |
Risk
Source: Unknown
Security Vocabulary for Non-Security Executives
Source: MITRE ATT&CKcon 2018, Elly Searle, Lead Content Strategist, CrowdStrike
| ATT&CK Tactic | Explain it to a non-security person | Objective | ATT&CK Layer |
|---|---|---|---|
| Initial Access | Get into your environment | Gain access | Layer 1 |
| Execution | Run malicious code | Follow through (steal/break) | Layer 1 |
| Persistence | Maintain foothold | Keep access | Layer 1 |
| Privilege Escalation | Gain higher level permissions | Gain (more) access | Layer 2 |
| Defense Evasion | Avoid detection | Keep access | Layer 2 |
| Credential Access | Steal logins and passwords | Gain access | Layer 3 |
| Discovery | Figure out your environment | Explore | Layer 3 |
| Lateral Movement | Move through your environment | Explore | Layer 4 |
| Collection | Gather data | Follow through | Layer 4 |
| Exfiltration | Steal data | Follow through | Layer 4 |
| Command and Control | Contact controlled system | Contact controlled systems | Layer 5 |
Vocabulary Use: The adversary is trying to Objective by Tactic using Technique.
Example: The adversary is trying to gain access by stealing logins and passwords using credential dumping.
Example: The adversary is trying to keep access by avoiding detection using process hollowing.
