My team tells the end-to-end attack story. We connect the dots between the different phases of an attacker kill chain to better understand the root causes of an attack, at a glance, while it’s happening.

We also copy attacker techniques and thinking.

Attackers approach the world in terms of objectives and sequences of activities. They chain different techniques together—it’s why we refer to these attack stories as “kill chains”—and move through pathways most beneficial to them. It’s not a linear process. We call it thinking in graphs.

As defenders, we must adopt the same mindset. We cannot condemn ourselves to think in lists, where we try to reassemble the entire jigsaw puzzle when an attack is underway. At a glance, we have to know how attackers gained access, how they’re moving laterally, what they’re working towards.

Defenders identify malicious activity more accurately when they understand the sequence of that activity together, not just individual techniques in isolation.

A great example is when we analyzed a recent series of financial fraud attacks and noticed how attackers were using a reverse proxy setup to bypass multifactor authentication (MFA). We noted the MFA bypass signals and drew communications to other instances where the emerging technique appeared. What we learned about credential harvesting from our ability to connect those dots allows us to respond earlier in the attack. It helps us be better defenders.

When asked what can be done to protect an organization better, I always say the same thing: Leveraging MFA consistently is critical. It’s one of the most important recommendations we provide. It’s one of the most essential things enterprises can do to defend themselves better, striving for that passwordless environment because that disables all the emerging attacker techniques. Using MFA properly makes attackers work harder. And if they can’t gain access to an identity and your org, launching an attack gets much more complicated.

Additional resources

To learn more about kill chains, business email compromise, and the modern attack surface, please look at the Microsoft resources below.

• The Anatomy of a modern attack surface threat brief
• The CISO Insider Issue 3: Cloud-centric security and how leading CISOs close coverage gaps report
• The Cyber Signals Issue 1: Identity is the new battleground report
• The Security is only as good as your threat intelligence threat brief featuring expert John Lambert