Cybersecurity: Do Not Be Goaded Into Tipping

Cybersecurity threat intelligence is key to surveying the landscape and determining the best path forward. This is true for both the defender and the attacker. When an attacker has questions about the defensive posture of a would-be target, the attacker uses systematic goading to determine the location, type, effectiveness, and strength of defenses. This probing can take many forms, so let’s discuss a couple of cybersecurity goads. An attacker may change a configuration (or a series of configurations that escalate in visibility) to determine configuration control maturity. An attacker may add a series of (publicly known) malware, from most obvious to most proprietary, across systems to determine the detection threshold. The final example for this post is an attacker who sends malicious traffic to (or from) a network to determine the detection threshold of flow capabilities.

Yes, finding malware and an attacker presence is key, and yes, eradication and remediation are important. But as part of the lessons learned (or even after that), someone should look for other, potentially much less obvious signs of activity, because what was caught might just have been meant to be caught. Don’t be goaded into revealing your security capabilities, solutions, and posture; make sure you find the root cause and all correlating activity that was previously overlooked or is being staged for malicious deployment. Don’t be goaded into tipping off the attacker.
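The lessons-learned review described above can start as a simple pivot from the event that was caught to everything nearby that was not. The following is an added example, not part of the original post; the event schema (`host`, `actor`, `kind`, `alerted`), the 24-hour window, and the sample rows are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
# Assumed schema: time, host, actor, kind, alerted
ROWS = [
    ("2024-03-01T09:00", "web01", "svc-deploy", "config_change", False),
    ("2024-03-01T09:20", "web02", "svc-deploy", "config_change", False),
    ("2024-03-01T10:05", "db01",  "svc-deploy", "file_drop",     False),
    ("2024-03-01T10:40", "web01", "svc-deploy", "file_drop",     True),
    ("2024-03-01T11:00", "hr07",  "jsmith",     "config_change", False),
    ("2024-03-03T08:00", "web01", "svc-backup", "file_drop",     False),
]

def load(rows):
    """Turn raw tuples into event dicts with parsed timestamps."""
    keys = ("ts", "host", "actor", "kind", "alerted")
    events = [dict(zip(keys, r)) for r in rows]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def overlooked(events, hit, window_hours=24):
    """Unalerted events near `hit` in time that share its host or actor."""
    window = timedelta(hours=window_hours)
    related = []
    for e in events:
        if e["alerted"] or abs(e["ts"] - hit["ts"]) > window:
            continue
        shared = [f for f in ("host", "actor") if e[f] == hit[f]]
        if shared:
            related.append((e, shared))
    # Events sharing both pivots come first, then oldest first.
    related.sort(key=lambda r: (-len(r[1]), r[0]["ts"]))
    return related

def review(rows, window_hours=24):
    """Map each alerted event to the quiet activity worth a second look."""
    events = load(rows)
    return {(h["host"], h["kind"]): overlooked(events, h, window_hours)
            for h in events if h["alerted"]}

if __name__ == "__main__":
    for hit, related in review(ROWS).items():
        print("alert:", hit)
        for e, shared in related:
            print("  review:", e["ts"], e["host"], e["kind"],
                  "shares", "+".join(shared))
```

In the sample data, the single alert on `web01` leads back to three earlier unalerted events by the same actor on three hosts, which is the kind of lower-visibility activity the caught event may have been layered on top of.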