Owning your cyber security mid-game strategy

Tuesday 26 November, 1:35 pm - 2:15 pm

Speakers

Chris Thomas

Senior Security Advisor
ExtraHop

Synopsis

Prevention is an uphill battle for defenders: attackers only need to succeed once. And restoring data doesn’t negate downtime or the consequences of a data breach.

Defenders need a much broader window to catch and stop ransomware before the damage is done. That window comes from the activity that precedes the payload and can alert your team to the intrusion: command and control communications, lateral movement, and data staging & exfiltration.

This presentation introduces the concept of the cybersecurity "midgame" using Chess as an analogy and proposes methods to detect and prevent attackers further to the left of the Killchain.

So much focus is placed (and budget spent) on trying to stop attackers getting in (the opening) or detecting the executable to stop a ransomware attack (the endgame) - but the central part of an attack, where the threat actor moves through the different stages of the Cyber Killchain (the midgame), is largely missed - despite this being a very rich hunting ground with bountiful fruits for a defender with the right visibility. The presentation shows how complementing the existing security visibility provided by EDR and SIEM (or XDR) with network visibility can give defenders the complete picture. With the right visibility and knowledge we can turn the "Defender's Dilemma" ("defenders have to be right 100% of the time, but attackers only have to be right once") into the "Intruder's Dilemma" ("once inside, the intruder does not know the network as well as the defender should, so any misstep can be detected and the attack stopped").
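As an added illustration of what "midgame" network visibility can surface, the following Python example (written for this page, not code from the speaker or from ExtraHop) runs three simple detections over constructed flow records: regular check-ins to an external host (command and control beaconing), one internal host reaching many internal hosts on administrative ports in a short window (lateral movement), and a large outbound volume to a single external host (exfiltration). The flow format, the thresholds, and the sample records are all assumptions chosen for the example; real telemetry would need tuning against the environment's baseline.

```python
"""Toy midgame detections over constructed network flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass
class Flow:
    ts: float        # seconds since epoch (assumed flow format)
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


# Ports commonly used for remote administration (SMB, RDP, WinRM, RPC endpoint mapper).
ADMIN_PORTS = {445, 3389, 5985, 5986, 135}

# RFC 1918 space stands in for "internal"; documentation ranges in the samples count as external.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_beaconing(flows, min_count=6, max_cv=0.15):
    """Flag (src, dst) pairs to external hosts whose inter-flow intervals are nearly
    constant (low coefficient of variation): the heartbeat of a C2 check-in."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append((pair, round(m, 1)))
    return hits


def detect_lateral_fanout(flows, window=600, min_targets=5):
    """Flag an internal source that reaches many distinct internal hosts on admin
    ports within a sliding time window."""
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    hits = []
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.append((src, len(targets)))
                break
    return hits


def detect_exfil(flows, threshold_bytes=500_000_000):
    """Flag internal sources whose total outbound volume to one external host
    exceeds the threshold (assumed 500 MB)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return [(pair, b) for pair, b in totals.items() if b >= threshold_bytes]


def build_sample_flows():
    """Constructed sample telemetry: one beacon, one fan-out, one bulk upload, some noise."""
    flows = []
    for i in range(10):   # check-in every 60 s to an external host
        flows.append(Flow(1000 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 512))
    for i in range(6):    # same host touches six internal SMB endpoints in under 3 min
        flows.append(Flow(2000 + 30 * i, "10.0.0.5", f"10.0.1.{i + 10}", 445, 4096))
    for i in range(3):    # 600 MB pushed to one external host
        flows.append(Flow(3000 + i, "10.0.1.12", "198.51.100.7", 443, 200_000_000))
    for t in (4000, 4007, 4100, 4150, 4600, 4601, 4900):   # irregular, low-volume browsing
        flows.append(Flow(t, "10.0.0.8", "192.0.2.44", 443, 1500))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("beaconing:", detect_beaconing(sample))
    print("lateral fan-out:", detect_lateral_fanout(sample))
    print("exfil:", detect_exfil(sample))
```

Each detector looks at a different stage of the midgame described above, and none of them depends on seeing the ransomware binary; the benign browsing host in the sample trips none of the three because its timing is irregular and its volume is small.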

To do this, the session breaks down an example investigation from the DFIR report to show the various actions taken by the threat actor before they reach their "Actions on Objective" to complete their attack. As a final call to action, we urge the audience to become more familiar with the tactics and techniques used by attackers in the midgame by reviewing investigation case studies, so collectively we can make the Intruder's Dilemma a reality.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.
