Tuesday, November 18, 2014

Deconstructing the Cyber Kill Chain

From DarkReading:

Deconstructing the Cyber Kill Chain

Damn good article by Giora Engel. He's got it right: focusing too much on Steps 1 - 6 will only address a very narrow set of attacks. In addition to the examples he lists, consider these. Reconnaissance is near impossible to detect. Weaponization only addresses direct attacks, i.e. malware attacks, not the other methods an attacker can use. Neither of these is something a security professional can control. In fact, it is best that a security professional works under the presumption that these attacks are already in progress or have already succeeded.

Instead, think outside the box for Indicators of Compromise (I blogged about them earlier today) that will let you know that you've been compromised. Things like anomalous outbound traffic, SSH or RDP on port 80 or 443, or multiple failed logins for a domain admin account are much better for threat detection. Once you know you're compromised you can begin the remediation effort and address any blowback that may arise.
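As an added illustration (not code from the original post or from the DarkReading article), here is a small Python check that flags two of the indicators named above over constructed log lines: SSH or RDP observed on port 80 or 443, and repeated failed logins for a domain admin account. The log formats, the threshold and the list of privileged accounts are assumptions.

```python
from collections import Counter

# Constructed connection log: "timestamp src dst dport app", where "app" is
# the protocol identified by fingerprinting the payload, not by port number.
CONN_LOG = """\
2014-11-18T10:01:02 10.0.0.5 203.0.113.10 443 tls
2014-11-18T10:01:09 10.0.0.7 203.0.113.22 443 ssh
2014-11-18T10:02:15 10.0.0.9 198.51.100.4 80 http
2014-11-18T10:03:40 10.0.0.9 198.51.100.4 80 rdp
"""

# Constructed authentication log: "timestamp result user src".
AUTH_LOG = """\
2014-11-18T10:05:00 FAIL CORP\\da-admin 10.0.0.5
2014-11-18T10:05:03 FAIL CORP\\da-admin 10.0.0.5
2014-11-18T10:05:07 FAIL CORP\\da-admin 10.0.0.5
2014-11-18T10:05:10 FAIL CORP\\jsmith 10.0.0.6
2014-11-18T10:05:12 SUCCESS CORP\\da-admin 10.0.0.5
"""

WEB_PORTS = {80, 443}
INTERACTIVE_APPS = {"ssh", "rdp"}
DOMAIN_ADMINS = {"CORP\\da-admin"}  # assumed list of privileged accounts


def tunneled_admin_protocols(log):
    """Return (src, dst, dport, app) for SSH/RDP seen on the web ports.

    Port alone says nothing; the mismatch between the port and the
    fingerprinted protocol is the indicator."""
    hits = []
    for line in log.splitlines():
        _ts, src, dst, dport, app = line.split()
        if int(dport) in WEB_PORTS and app in INTERACTIVE_APPS:
            hits.append((src, dst, int(dport), app))
    return hits


def failed_admin_logins(log, threshold=3):
    """Return {(user, src): count} for domain admin accounts whose
    failed logins from one source reach the threshold (assumed value)."""
    fails = Counter()
    for line in log.splitlines():
        _ts, result, user, src = line.split()
        if result == "FAIL" and user in DOMAIN_ADMINS:
            fails[(user, src)] += 1
    return {key: n for key, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    print(tunneled_admin_protocols(CONN_LOG))
    print(failed_admin_logins(AUTH_LOG))
```

Both checks need context the raw port number does not give (a protocol fingerprint, a list of privileged accounts), which is the point of looking for compromise rather than for the early kill-chain steps.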
