Framing an Assessment

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
2 hours 51 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
welcome to Lesson three, module one within the Attack based Stock assessments training course. In this lesson, we're going to talk about how you should frame an assessment before actually running one. And if you look at our methodology, this is really the first step to kicking off an attack based stock assessment here. You want to make sure that
00:18
when you're running the assessment before running the assessment, you're on the same page as the sock that you're running it for
00:25
our objectives. For this lesson, our number one. After walking through this lesson, you should be able to identify when you should and should not run an attack based stock assessment
00:35
and to you should know how to ensure that the socks understand and want an assessment before running. One.
00:44
So the first part of framing an attack based stock assessment is really to just make sure your level setting expectations. The attack framework has seen a ton of popularity lately, and this has resulted in some folks treating it as kind of a silver bullet where sometimes folks have skewed expectations where they think that Hey, if I perform an attack based stock assessment,
01:06
I'm just going to totally revamp my security posture,
01:10
and and this is a great thought, right? Using attack is great, but it's not necessarily the case. And so this has led to a few myths. You know, that aren't necessarily
01:19
the right way to look at Attack based stock assessment.
01:23
The first one is that sometimes folks might think, Hey, it's enough for me to just run an assessment for me to be using the attack framework,
01:32
and it's great to run an assessment, but really, they only provide a glimpse into your current attack coverage. One assessment isn't a long term plan and isn't the best way to say that you're really using it on a day to day basis.
01:46
Another myth is that the results from an assessment are perfectly accurate and exist in perpetuity, and and this is a great thought. But really most assessment methodologies, even those that are hands on their rapid where, and they only provide you with an estimated snapshot in time.
02:04
You know they're useful for the next
02:06
month or even a few months from now, but they're subject to change, and they're likely, you know,
02:12
estimates they're not. They don't have pinpoint accuracy
02:16
Another myth is that running an attack based stock assessment will improve your security posture. And I'm a big fan of of running attack based stock assessments. I think they're great and a great way to help you improve your security posture. But just running them isn't enough to do so. Instead, the reality is that you need to follow up after an assessment
02:36
to improve your security posture.
02:39
And lastly, the assessment will tell me very specific gaps about very specific components I have in my network. This is something like saying, Hey, I've got these five network devices and these 30 workstations. I want a heat map for each and every one of them showing exactly how an attacker can jump from device to device,
02:59
constructing, saying attack graphs throughout my network
03:01
and this is a super great thing to have you know it. It would be very useful to see that kind of information. But attack based stock assessments don't always provide you with that much granularity, really a hands off assessment. In particular, it's really designed to only paint broad strokes of what your security posture looks like and give you an indication of where
03:22
generally your gaps lie.
03:24
The bottom line here is that if you're bringing attack into into your sock, it's very important that you set the right expectations with all stakeholders, particularly if you're running an attack based stock assessment.
03:37
Another important aspect of framing an assessment is messaging
03:43
Running something like an assessment can often come across as antagonistic folks might hear. Oh, hey, this is an attack based stock assessment. Someone's going to come in here and actually evaluate me and, you know, assessment, you know, kind of like a performance evaluation, and this can be troublesome for a variety of reasons.
04:00
First, you might just get staff not complying much with the process.
04:03
You know, they might think, Oh, this could negatively impact me. So I'm gonna not necessarily produce the right documentation or be particularly forthcoming during the interviews. Now, if this happens, your assessment is going to require more effort and more when more time to run.
04:19
Another potential downside is that staff might worry about how the results will be used here if they think they're being evaluated and that evaluation might be of themselves personally, they might start nitpicking, small details wordsmithing the report Really doing these minor things to to kind of derail the assessment a little bit
04:38
and don't get me wrong. It's great to get feedback throughout the process,
04:42
but you want to kind of toe the line between feedback and just say wordsmithing
04:47
personnel might also misrepresent or exaggerate their current capabilities here. The concern is that if folks think they're personally being evaluated, then they might want to say, Hey, I'm doing wonderfully
05:00
This is, of course,
05:02
a good thing if they are doing wonderfully. But if they aren't and they're being encouraged to exaggerate their capabilities, then your assessment is going to produce
05:11
fairly inaccurate results. And your ultimate recommendations are not going to be the right things for the stock to do.
05:18
And lastly, your leadership receiving the assessment, they might end up overreacting to the results. You don't want to turn over an assessment, say, here are all these problems. Everything is bad, you know. Then you're gonna end up likely just causing damage and not necessarily good. It's important that when you're running an assessment, you don't say, Hey,
05:38
I'm coming in here to evaluate you and you're doing poorly.
05:42
You come in there saying, Hey, I'm doing an assessment, but my goal is to help you,
05:46
and that leads to kind of the bottom line here, which is that when you're running an assessment, it's important to make sure you position yourself as an ally to the sock, not as someone who is a critical evaluator or an assessor or someone who is running like a performance evaluation.
06:01
And then the third key part of framing an assessment is knowing when an assessment is the right thing to do. A lot of organizations
06:11
want to run an assessment, but they're not always well suited for one. Some examples are organizations that are interested or committed to a follow up plan. Here you're just going to run an assessment, and then you might not necessarily get that improvement afterwards.
06:27
Organizations that don't have socked
06:30
a sock proper or personnel who perform sock like functionality. Those can also be kind of a bad fit for an assessment where when you're running the assessment, you may not be able to run through all the stages or might not have a lot of stuff to analyze.
06:45
Another potential issue is is socks that want an assessment but don't have visibility into key data sources necessary to detect techniques.
06:54
A good example here is a sock that say,
06:57
or rather, a defensive organization that only can monitor email.
07:00
That's great. It's super important as part of a broad security posture to monitor email. But an assessment might not be the right thing, since the majority of the attack framework would be out of scope.
07:13
Another potential potential bad fit for assessments would be an organization that really want a turnkey or no maintenance attack solution. Here, an assessment is just wrong.
07:24
They're only going to provide you with the heat map of your current coverage. It's not going to be a proper attack solution.
07:29
And, lastly, organizations that already have a good understanding of attack in their environment those might not be the right fit for an attack based stock assessment. The reason here is that if they already understand how attack applies to their environment, the broad strokes that are offered by an assessment might not be all that helpful.
07:47
The bottom line here is that really assessments are best for organizations that are looking to improve, but also those that are looking to start branching into threatened form defense. As long as you meet those two boxes, you're going to have a good assessment.
08:03
So a couple of tips to help frame and stage attacks based stock assessments
08:09
number one
08:09
Somewhat simple. But consider using a phrase other than assessment.
08:13
You can kind of gauge the response of the sock when you're using the word and maybe start revisiting how you refer to the activity 11 that I like to recommend is using, say, an attack based socks study where you're not necessarily assessing. But you're just doing this collaborative effort to study the sock
08:31
to understand what their coverages
08:35
number two make sure leadership understands the point of the assessment and, more importantly, that the assessment aligns with their goals. This is just part of getting everybody on the same page and making sure that the assessment is right for the organization.
08:48
Another tip is to position the assessment as a stepping stone to improvement, not as a as a way to gauge performance. This is really critical for attack based stock assessments, where you want to make sure that the ASAC understands that the follow up is one of the key parts of running the assessment
09:07
Number four ensure that the socks staff know that they personally are not being evaluated, but rather the socks policies, their procedures. They're tooling and really just the sock as a whole. That's the thing that is being assessed as long as you communicate that you're going to get a lot more people on board with running the assessment.
09:28
And, lastly, always prepared to follow up after running an assessment. This isn't just, say, making sure the sock is ready to follow up. But be prepared to offer those recommendations in ways that the sock can improve and always keep an eye out for it when you're talking to the sock about the assessment.
09:46
So to wrap up this lesson, a few summary notes and a couple of takeaways first always set expectations with the sock. When you're framing an assessment, both the technical staff and the leadership staff should know what the assessment entails and be on board with running it.
10:01
The second recommendation and take away here is to position yourself as an ally to the sock, not never as an enemy, and never is someone who is antagonistic.
10:11
Sometimes you might want to consider a phrase other than assessment and always let the sock know that the assessment is a stepping stone to future improvement.
10:18
And lastly, attack based stock assessments are not always the right solution. It is critically important that when running an assessment and framing an assessment, you make sure that the sock is on board to run an assessment that they're ready to use and adopt the attack framework
10:35
running an assessment by itself. It's not always the right solution, but it can often help when it is.
Up Next
MITRE ATT&CK Defender™ (MAD) ATT&CK® SOC Assessments Certification Training

This course prepares you for the ATT&CK® Security Operations Center Certification. In this course, students should will gain a better understanding of how modern security operations can align with ATT&CK® and how to better their operations to leverage a threat-informed defense.

Instructed By