
“Many tabletop exercises focus exclusively on bottom-up technical elements [and] over-index on dramatic breaches rather than realistic adversarial tactics,” Stauffer says, adding that regardless of the size of the attack, most cybercriminals prefer subtle tactics that are often not expected.
“Attackers often succeed through subtle behaviors such as lateral movement or silent data infiltration that are not adequately simulated,” Stauffer says. Attackers are going to use “all the methods that will give them access to the objective, usually the crown jewels, an entire compromise of an Active Directory, identity servers, PII, etc. They can start very slowly and methodically to avoid detection, or they can use well-meaning but generally less alarm-raising techniques for initial access, like phishing or credential harvesting.” Once they gain a foothold in the environment, they can move quickly and silently, using the knowledge they have gained about the environment, observed tools, etc., to avoid causing alarm.
However, the testing he sees most enterprise cybersecurity teams doing is quite different.

