You're doing it wrong

Microsoft

There's a good article in Dark Reading today by Michael A. Davis:

"We've all seen them — you might even have one open right now: an Excel spreadsheet with red, greens, and yellows that tell you where your risk is. You probably follow the simple convention of focusing on low-hanging fruit first and then drill down as hard and as fast as you can on the critical and high items.

Sorry to say this, but you've been doing it wrong. You see, attackers are opportunistic and scrappy, yet we don't seem to work in those variables onto our sea of reds and yellows. I refer to this as the "single versus multivariable risk assessment problem." We have single rows with risk assigned and work them as if they are singular risks. Attackers, on the other hand, chain risks together. They leverage a low risk on a Web server and a low risk on a database server to get access to high-risk data. Two lows can equal a high? Yes, but your prioritization process doesn't think that way."

It has similar themes to blog posts we published previously on disrupting the attacker's kill chain and how defenders think in lists, but attackers think in graphs.
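
The chaining argument in the quoted article, worked through as an added example (not code from the post, the article or any Microsoft tool): three constructed findings are ranked first as independent spreadsheet rows, then again after following the paths they open toward a high-value asset. The asset names, the `src`/`dst` fields and the escalation rule (a finding inherits the value of the most valuable asset it helps reach) are assumptions made for illustration.

```python
from collections import defaultdict

RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample data (hypothetical names). Each finding is one spreadsheet
# row plus the step it gives an attacker: from foothold `src` to foothold `dst`.
FINDINGS = [
    {"id": "F1", "rating": "low",    "src": "internet",   "dst": "web-server"},
    {"id": "F2", "rating": "low",    "src": "web-server", "dst": "db-server"},
    {"id": "F3", "rating": "medium", "src": "office-lan", "dst": "print-server"},
]
ASSET_VALUE = {"db-server": "high"}  # assumption: the high-risk data lives here

def attack_paths(findings, start, target):
    """Return every loop-free chain of findings leading from start to target."""
    steps = defaultdict(list)
    for f in findings:
        steps[f["src"]].append(f)
    paths = []
    def walk(node, seen, chain):
        if node == target:
            paths.append(chain)
            return
        for f in steps.get(node, []):
            if f["dst"] not in seen:
                walk(f["dst"], seen | {f["dst"]}, chain + [f])
    walk(start, {start}, [])
    return paths

def chained_ratings(findings, start, asset_value):
    """Assumed rule: a finding inherits the value of the best asset it helps reach."""
    rating = {f["id"]: f["rating"] for f in findings}
    for target, value in asset_value.items():
        for path in attack_paths(findings, start, target):
            for f in path:
                if RANK[value] > RANK[rating[f["id"]]]:
                    rating[f["id"]] = value
    return rating

def prioritize(findings, rating):
    """Order finding ids from highest to lowest rating (ties keep input order)."""
    return [f["id"] for f in sorted(findings, key=lambda f: -RANK[rating[f["id"]]])]

if __name__ == "__main__":
    as_rows = {f["id"]: f["rating"] for f in FINDINGS}
    print("list view :", prioritize(FINDINGS, as_rows))
    print("graph view:", prioritize(FINDINGS, chained_ratings(FINDINGS, "internet", ASSET_VALUE)))
```

In the list view the isolated medium finding is worked first; once the two lows are recognised as one path to the database server, they move ahead of it.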


1 Reply
In general, we need to understand the threat model within a domain. For example, in a company, when we assess threats for the finance department, protecting Excel and financial software is considered a higher priority, and we might set a policy in Excel for that department to block all code and extensions. In the same company, for developers, we never set such a policy; we concentrate more on protecting code and preventing malicious scripts from running.

It also depends on how employees learn about threats. In social engineering attacks, you could just do some smart data mining on social media, pretend to be the head of IT, contact the company and ask for employees' credentials directly. We need to understand the threats in each environment, create a defense model for each attack model, and keep updating it.