Source: The Red Canary Blog: Information Security Insights
Author: Brian Donohue
URL: https://redcanary.com/blog/testing-and-validation/pentesting/
ONE SENTENCE SUMMARY:
Effective defense disrupts multi-stage attack chains by prioritizing high-fidelity, intent-rich behaviors, not exhaustive detection of every atomic action.
MAIN POINTS:
- Breaches result from campaigns of sequential actions, not single attacker successes.
- Detecting any critical step can hinder adversaries, evict threats, and prevent incidents.
- Depth and redundancy help, but complete coverage of all behaviors isn’t required.
- Testing is often misused as an exhaustive scorecard demanding alerts for every action.
- Real threats are adaptive, persistent campaigns; emulations are usually partial and constrained.
- Defensive focus should be “detect to disrupt” by breaking the attack chain early.
- Early or mid-chain detection can outperform noisy reconnaissance detection in outcomes.
- Isolated atomic events lack context; patterns reveal malicious intent and progression.
- High-fidelity TTPs like LSASS dumping and persistence provide reliable intervention points.
- Over-alerting to catch everything increases false positives and reduces analyst effectiveness.
TAKEAWAYS:
- Measure success by stopping attacker objectives, not by maximizing alert counts.
- Prioritize chokepoints and intent-rich techniques that reliably indicate malicious progression.
- Treat pentests and red teams as validation inputs, not comprehensive real-threat replicas.
- Use contextual correlation to distinguish benign activity from adversary behavior patterns.
- Expand coverage thoughtfully to scale, avoiding alert floodgates that bury true threats.
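The "detect to disrupt" idea above (isolated atomics lack context, chains and high-fidelity TTPs are the intervention points) can be expressed as a small correlation rule. The code below is an added example, not code from the Red Canary post; the telemetry lines, technique labels and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the original post).
# One event per line: "timestamp,host,technique". Labels are illustrative,
# not a real product's schema.
SAMPLE_EVENTS = """\
1,ws01,recon_whoami
2,ws01,recon_net_group
3,ws02,recon_whoami
4,ws01,lsass_access
5,ws01,persistence_run_key
6,ws03,persistence_run_key
7,ws04,recon_whoami
8,ws04,recon_net_group
9,ws04,recon_nltest
10,ws04,recon_whoami
"""

# Intent-rich TTPs: alert on first sighting, no corroboration required.
HIGH_FIDELITY = {"lsass_access", "persistence_run_key"}
# Noisy atomics: benign alone, meaningful only as a pattern on one host.
LOW_FIDELITY_PREFIX = "recon_"
# Distinct low-fidelity techniques on one host before recon alone is a pattern.
RECON_CHAIN_THRESHOLD = 3

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, technique = line.split(",")
        events.append((int(ts), host, technique))
    return events

def correlate(events):
    """Return alerts as (host, reason, techniques seen on that host so far)."""
    seen = defaultdict(list)      # host -> techniques observed, in order
    chain_alerted = set()         # hosts already flagged for a recon chain
    alerts = []
    for _ts, host, technique in sorted(events):
        seen[host].append(technique)
        if technique in HIGH_FIDELITY:
            # Chokepoint: earlier recon becomes context, not the trigger.
            alerts.append((host, f"high_fidelity:{technique}", list(seen[host])))
        elif technique.startswith(LOW_FIDELITY_PREFIX) and host not in chain_alerted:
            recon = {t for t in seen[host] if t.startswith(LOW_FIDELITY_PREFIX)}
            if len(recon) >= RECON_CHAIN_THRESHOLD:
                chain_alerted.add(host)
                alerts.append((host, "recon_chain", sorted(recon)))
    return alerts

def quiet_hosts(events, alerts):
    """Hosts with telemetry but no alert: isolated atomics left as context only."""
    return sorted({e[1] for e in events} - {a[0] for a in alerts})
```

Running `correlate(parse_events(SAMPLE_EVENTS))` flags ws01 at the LSASS access with its prior recon attached, ws03 on persistence alone, and ws04 only once its recon forms a pattern, while ws02's single recon event stays quiet.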