I wanted to post again a link to Richard’s Digital Situational Awareness Methods article. It’as n old but it is still relevant and good. He wrote about this also back in 2007: Asset-Centric vs Threat-Centric Digital Situational Awareness. Also a good read.
Here I would like to describe ways that an enterprise can achieve digital situational awareness, or a better understanding of their security posture. What is interesting about these methods is that they do not exclude each other. In fact, a mature enterprise should pursue all of them, to the extent possible allowed by technical and legal factors.
- External notification is the most primitive means of learning the state of the enterprise’s security posture. If all you do is wait until law enforcement or the military knock at your door, you’re basically neglecting your responsibilities to your organization and customers.
- Vulnerability assessment identifies vulnerabilities and exposures in assets. This is necessary but not sufficient, because VA (done by a blue team) typically cannot unearth the complicated linkages and relationships among assets and their protection mechanisms. You have to do it however, and knowing your vulnerabilities and exposures is better than waiting for a knock on the door.
- Adversary simulation or penetration testing identifies at least one way that an adversary could exploit vulnerabilities and exposures to compromise a target or satisfy a related objective. AS (done by a red team) shows what can be done, moving beyond the theoretical aspects of VA. Many times this is the only way to really understand the enterprise and prove to management that there is a problem.
- Incident detection and response shows that real intruders have compromised the enterprise. If you think it’s bad to see your red team exfiltrate data, it’s worse when a real bad guy does it. Knowing that intruders are actively exploiting you is almost the best way to achieve digital situational awareness, and it’s usually the highest form an enterprise can practice since it’s closest to the ground truth of the state of the enterprise.
- Counterintelligence operations are the ultimate way to achieve digital situational awareness. As I wrote in The Best Cyber Defense, this means finding out what the enemy knows about you. I covered this extensively in the referenced post, but now you can see where counterintelligence fits in the overall digital situational awareness hierarchy.