Over the years, I’ve worked on investigating and cleaning up many breaches, and in nearly every single instance, the IT team that designed and managed the environment had no concept that their system could be exploited in the manner it was. Another commonality is that nearly all of those breaches resulted from a chain of weaknesses, some of which were consciously “accepted”. I argue that it is difficult to design a system resilient to attack if one does not know the tactics adversaries use, and it is equally difficult to assess risks without understanding how controls help block adversarial techniques.
For National Cyber Security Awareness Month, my hope is that people responsible for designing and assessing IT environments take time to learn about adversarial tools and techniques to design more robust environments and processes. This is, unfortunately, not a one-time event, though: techniques change over time, and we need to keep up with the latest trends.
The downside, I suppose, to this advice is that red team can be quite addictive and we’ll lose many competent IT people to the pen test puppy mill.