Why should we care about understanding what an adversary does and how it does it?
First of all, the simplest answer is because exploring the attacker’s perspective helps to identify and qualify the nature of risk to the organization, be it digital, physical or human. It is a simple thing (in theory) that has been around for a long time:
“One who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious. Sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement.” — Sun Tzu
So, essentially, if you rely only on a good defense you might be somewhat protected against certain attacks but some others will be able to get you. However, if you have a good defense and proactively try to understand and simulate your adversaries, you will be able to build a stronger and more resilient defense (resilient being the key, more on that soon).
The first thing that becomes clear once you begin adding Red Teaming to your security planning, is that a good and capable defense can only be established once you know how it will be attacked. In other words, rely only on the standards or on the checklists of certifications and you’ll be able to cover some basics. Actively test those standards and checklists and you’ll be able to identify what actually works and what needs to be strengthened. Again, look at Sun Tzu’s quote.
Remember a simple fact: the attacker ALWAYS has the advantage, he needs to succeed only once. The defender? Well, he needs to succeed ALL the time.
Add to this the fact that attackers don’t play by any rules (or company policies), generally are free to experiment with attack techniques that the defenders aren’t even aware of… You get the picture.
In 2016, factor in Red Teaming. Bring a good team of attackers to test your security. Let them become your worse adversary. Let them show you how to be more secure.