Bad actors are constantly looking for new ways to attack the enterprise. There are many known patterns of execution that are still very effective such as phishing, BEC scams, vulnerability searches on exposed websites/systems, lack of hardened systems, and misconfigurations left unaddressed/unscreened before releasing to production, leaving company’s assets exposed. In the cloud-oriented world, where many new services are getting released every day, it is hard to keep up with the speed of a business who wants to use those services to gain a competitive advantage over competitors to stay viable, requiring security to move faster.
While understanding possible attack vectors is crucial, threat management starts with proper architecture and hygiene that needs to be wrapped around it with automated processes and an ability to instantly report and fix what is required. IR and forensics processes must also be well understood and embedded in everyday activities. It is also very rare to see a maturity level within the security department where threat modeling is one of key steps in designing a protection over organizational assets.
We often preach that visibility is one of the most important capabilities in the security space, but understanding your attack surface is high on that list too. Knowing what you need to protect, where it is, why, and how to protect it is usually isn’t very hard to address. Even so, it’s fascinating that security teams always seem to miss steps prior to releasing specific systems or services, which leads to exposures. Is this a process problem, a lack of quality resources, poor project/program management execution, or can it be a little bit of all of these?
As a bad actor, you look for exposed devices and identities first. This method is stil