As defenders, it is our job to make the attackers’ lot in life harder. Push them up the “pyramid of pain“. Be a hard target so they move on to a softer/easier one.
As we released the new “Attackers” dashboard feature in EventTracker 8.0, we found a lot of excitement that “threats” could be visualized on a global map, as they were detected in security data. Visualization is a key requirement for security analysts who often pore through mountains of data to uncover bad actors. As our SIEM Simplified team began to use this feature internally, one piece of feedback was immediately obvious — in very short order, the analysts lost interest in the “attackers” and started to focus on the targets instead.
Analysts said, we care much less about the identity of the attacker (attribution is interesting to management — we are being attacked by bad guys in Beijing, Moscow, etc. — but pretty useless to defenders). After all, even the mighty U.S. Government dithers on proportionate response, even with their knowledge of attackers. So what is expected at our company that has far less resources?
In other words, focus on assets, not threats. Know more about attack methods — which port, application, vulnerability is being attacked — rather than if it’s Lee from Beijing or Ivan or Moscow or whoever.
In keeping with this focus, EventTracker 8.0 offers a filter to “pair” attackers with targets and a Targets Dashboard, which is now the favorite starting point for security analysts.
This is what an effective security buyer does. After all, if attackers can simply switch attack vectors, they will. If they have to switch targets, you have disadvantaged them and pushed them up the pyramid of pain.