Improsec has recently expanded its #Blueteam advisory services with detections and aspires to be the preferred partner providing independent advisory in this area.
Detecting threats is paramount in today’s threat landscape. According to Mandiant’s latest 2020 M-Trend report, the initial discovery of compromise took 56 days on average. We can - and must - do better.
Preventing threats has historically been the focus for many companies. That is still the case today, and though prevention is important, detection and timely response have proven to be even more important.
Recent events have shown that even the best security companies in the world get hacked. Compromise is inevitable. Now what? By accepting that compromises will happen, you are free to re-write the rules of the game. Instead of being stuck in an old and outdated paradigm of trying to “prevent compromises” at all cost, your goal should be to “prevent adversary success” instead. Remember: The game is not over when you get compromised/breached. That is just the beginning. The real game has only just begun – stopping the adversary from getting what they want.
An often overlooked tool in the defensive toolbox is looking at threats from a kill chain perspective. Breaking things down into what happens post-exploitation using MITRE’s ATT&CK framework and mapping these to your controls, detections and processes can be an eye-opener and give you insight into your weaknesses and blind spots in stopping an adversary from reaching his objective.
There are also times when preventive controls are not possible. You might not be able to implement proper hardening due to legacy components that don’t support it, or policies that outright prevent you from doing it.
In other instances, there might be architectural dependencies making prevention difficult or even impossible. An example of this is the Windows registry, parts of which are writeable by regular users by design. This leaves you vulnerable to COM Object Hijacking, among other things.
In both cases, detection can provide valuable mitigation opportunities.
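As an added illustration of the detection angle on the COM hijacking case above (example code, not Improsec’s own), the script below lists per-user COM server registrations under HKCU that shadow a machine-wide CLSID in HKLM, which is exactly the user-writeable registry surface the text refers to. It assumes it is run in the context of the user being inspected and only considers in-process (InprocServer32) servers; the property names and output shape are the example’s own choices.

```powershell
# Added example (not Improsec's code): flag per-user COM server registrations
# in HKCU that shadow a machine-wide CLSID in HKLM. HKCU\Software\Classes is
# writeable by the user and is consulted before HKLM when a CLSID is resolved,
# which is the mechanism COM object hijacking relies on. Run as the user to inspect.
$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

function Get-ShadowedComServer {
    # Nothing registered per-user means nothing to report
    if (-not (Test-Path $userClsidRoot)) { return @() }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid      = $_.PSChildName
        $userServer = Join-Path $userClsidRoot "$clsid\InprocServer32"
        if (-not (Test-Path $userServer)) { return }   # only in-process servers are considered here

        # The default value of InprocServer32 is the DLL that will be loaded for this CLSID
        $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'

        $machineServer = Join-Path $machineClsidRoot "$clsid\InprocServer32"
        $machineDll    = $null
        if (Test-Path $machineServer) {
            $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
        }

        # Every per-user server is reported; ShadowsHKLM marks the ones overriding a machine CLSID
        [pscustomobject]@{
            CLSID       = $clsid
            UserDll     = $userDll
            MachineDll  = $machineDll
            ShadowsHKLM = [bool]$machineDll
        }
    }
}

# Entries where a user-level DLL takes precedence over the machine-wide one deserve a closer look
Get-ShadowedComServer | Where-Object ShadowsHKLM | Format-Table -AutoSize
```

A per-user override is not proof of compromise (some legitimate software registers COM servers per user), so the output is a triage list to compare against known-good installs, ideally alongside Sysmon registry events that show who wrote the key.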
Security should be viewed from a business perspective. After all, it is the business we are trying to protect. As such, when looking for the most cost-effective mitigations of threats, detections should be high on your agenda.
For further information about our service offerings, please visit: Services Overview — Improsec | improving security