Attack playbooks is the thing to look for
Oct 19th, 2018 by Jesper Kråkhede
How do you evaluate your security functions, and how do you decide what security to invest in? Is an IDS the way to move forward, or is it implementing the recommendations from NIST Digital Identity? Better stick with the IDS, because it's a thing you can implement, so it is easier to measure progress by the number of IDS flows you could integrate into the SOC. They might be encrypted and useless, but at least they cost a lot of money and it is measurable. Who would care about better credential hygiene? How do you measure the effectiveness of a password of 16 characters instead of 8?
This is where attack playbooks come into play. An attack playbook is a description of how an attack works. There are a number of those that can be used to measure whether a security mechanism actually does its work.
The simple theorem is this:
Break all known attack playbooks and add monitoring and response functions. After that you can invest in whatever security you want, but don't spend a single penny before you have managed all attack playbooks. Do reach out to your resident security architect for tips on how to do this.
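To make the "break every playbook, then monitor" rule measurable, here is an added example (my own illustration, not code from the original post) that models each playbook as a chain of attacker steps and each control as the steps it prevents or detects. A playbook counts as broken when at least one step is prevented and as monitored when at least one step is detected; the marginal-value function then shows how a proposed investment scores against the playbooks rather than against what is easiest to count. All playbook, step and control names are constructed placeholders.

```python
"""Playbook-coverage check (added example, not from the original post).

A playbook is an ordered list of attacker steps.  A control either prevents
some steps or detects some steps.  Evaluation answers two questions per
playbook: is it broken (some step prevented) and is it monitored (some step
detected)?  All names below are constructed illustrations.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Playbook:
    name: str
    steps: list[str]


@dataclass
class Control:
    name: str
    prevents: set[str] = field(default_factory=set)
    detects: set[str] = field(default_factory=set)


# Constructed sample playbooks (hypothetical step names).
PLAYBOOKS = [
    Playbook("phishing-to-domain-admin",
             ["phishing-email", "credential-theft", "lateral-movement", "domain-admin"]),
    Playbook("exposed-service-to-data-theft",
             ["exposed-rdp", "password-spray", "lateral-movement", "data-exfil"]),
    Playbook("malicious-insider",
             ["valid-account", "data-exfil"]),
]

# Constructed sample controls already in place (hypothetical names).
CONTROLS = [
    Control("mfa-everywhere", prevents={"credential-theft", "password-spray"}),
    Control("admin-tiering", prevents={"domain-admin"}),
    Control("ids-sensors", detects={"lateral-movement"}),
    Control("dlp-egress-monitoring", detects={"data-exfil"}),
]


def evaluate(playbooks: list[Playbook], controls: list[Control]) -> dict:
    """Return {playbook name: {"broken": bool, "monitored": bool, "uncovered": [steps]}}."""
    prevented = set().union(*(c.prevents for c in controls))
    detected = set().union(*(c.detects for c in controls))
    result = {}
    for pb in playbooks:
        steps = set(pb.steps)
        result[pb.name] = {
            "broken": bool(steps & prevented),          # at least one step is stopped
            "monitored": bool(steps & detected),        # at least one step is seen
            # Steps neither stopped nor seen: where response would be blind.
            "uncovered": [s for s in pb.steps if s not in prevented | detected],
        }
    return result


def marginal_value(playbooks: list[Playbook], controls: list[Control],
                   candidate: Control) -> int:
    """Count playbooks that become newly broken or newly monitored if `candidate` is added.

    A candidate that only duplicates existing coverage scores 0, however
    measurable its deployment would be.
    """
    before = evaluate(playbooks, controls)
    after = evaluate(playbooks, controls + [candidate])
    return sum(
        int(after[n]["broken"] and not before[n]["broken"])
        + int(after[n]["monitored"] and not before[n]["monitored"])
        for n in before
    )


if __name__ == "__main__":
    for name, r in evaluate(PLAYBOOKS, CONTROLS).items():
        print(f"{name}: broken={r['broken']} monitored={r['monitored']} "
              f"uncovered={r['uncovered']}")
    # Two candidate investments: more IDS flows versus a control that stops
    # a step no existing control touches.
    for cand in (Control("more-ids-flows", detects={"lateral-movement"}),
                 Control("conditional-access", prevents={"valid-account"})):
        print(f"{cand.name}: marginal value = {marginal_value(PLAYBOOKS, CONTROLS, cand)}")
```

With the constructed data, the insider playbook is monitored but not broken, and adding more IDS flows scores zero because lateral movement is already detected, while a control that prevents the insider's first step scores one. The point of the scoring is not the numbers themselves but that the question asked of every proposed investment is "which playbook does this break or reveal?".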