Comments on Learning by practicing: The importance of reconnaissance to the targeted threat actor
Blog author: Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN (http://www.blogger.com/profile/10282323977269843041)
Feed last updated: 2024-03-28T06:49:56-07:00
Comments: 2

Comment by Rajpreet, 2017-03-29T13:17:37-07:00:

Well written and researched!
Would dedicate some summer mornings to read all your blogs!
:)

Comment by Unknown (https://www.blogger.com/profile/11053716057394465817), 2017-03-29T12:58:15-07:00:

There is nothing to disagree with in what is postulated here. What can also be considered is the fact that we will always be short of resources to deal with security incidents, no matter at what stage the ongoing attack is identified. With tonnes of incidents popping up each hour, often we need to prioritize some over others. Each organization's security engineers should have their own way to prioritize.
With that said, I think with constant failures in maintaining security (obvious with incessant breaches happening every month) we are getting more towards the stage of adopting the approach of offensive defense.

I think if we are focusing on the context of the kill chain, there can be a clear measure if we want to pick what is in there for cyber security personnel. Forcing the investigative thought on that, why the recon step can be given a part skip, in my lone-wolf opinion, is perhaps the fact that we should now let the bad guys do what they can from their side, and focus on what the good guys can do from their side. There is little chance we can track reconnaissance. A good reconnaissance has often gone unnoticed. The fact that breaches are happening with increased frequency is an obvious comment that reconnaissance was successfully conducted in each case, and any attempt whatsoever (assuming there were some resources deployed to sense the initial recon activity) by the good guys failed. That may make one think that perhaps reconnaissance has taken too much of the scarce resources (time, money, human resources etc.) we normally have.

I think tasks for the good guys should begin from any step subsequent to recon. We desperately need some actionable items in our kitty to be attentive and pick something to hunt with. We need that first phishing mail (recon done by this time), first slow web response observations by the app guys (recon done and attack in a different stage now), first instance of odd flash drives reportedly seen in driveways (recon done and items weaponized), first reporting of suspicious Facebook links seen by the marketing guys (recon done, as Bob's Facebook wall now has that bad link from his own friend, who is the bait here) and so on. Tasks for the good guys more often than not begin from this point. It is in this line of thought that we can say: let recon be skipped from meetings. Let's assume it will happen. To avoid it would mean asking employees to not use Facebook, not use Word, not surf online, etc. We know we have lost this part of the battle already. Let's start with what the kill chain says after the recon is done: what CCs are active, if any; what malware signatures are floating now; what big chunks are being exfiltrated, if any. We have visibility there. We have machines on our side on this and perhaps more. We can't see recon, especially when socially engineered. And recon is also, to say it in a cheeky tongue, boring as well :) We have more visibility only after the first step in the kill chain, if the first step is recon; and we know very well that we can only secure what we can see. In the end, I can only say let the bad guys do the reconnaissance. They are very good at it. Cyber history proves that, and bad guys have miserably failed at that, also proven. So let us do best what we can!
But one thing is for sure: the bad guys would have recon as their first step, which they will always have; we, if we are the good guys, would rather be waiting on them to finish with that so that we can start what we have learnt best in our approach to defend anything defendable.