Getting the best ROI on asset protection

What if the best way to protect a key asset is actually nothing directly related to it?

Suppose we have application X, which allows users to make large payments. Application X is considered a critical asset by the organization that owns it and a number of people are dedicated to ensuring its security. Perhaps they conduct a penetration test to explore the application's attack surface and possible routes to exploit that system. Perhaps they patch any issues they find and engage with the application's developers to implement a secure development process to reduce the likelihood of issues appearing in the future. However, when the organization performs (or is subjected to) a red-team-type engagement, the red team are still able to access the application with ease. Why? The red team did not exploit anything.

This isn't a new concept to most people in security. As application and platform security improves and applications become less appealing targets for attackers, it is often much easier for them to attack the application's users, who already have the necessary access, and use their accounts instead. As a consequence, if we look at an attack end to end, the majority of attacks follow very similar steps:

Step 1: Phishing email

Step 2: Host compromise & persistence

Step 3: Attack positioning/Lateral Movement, typically via Active Directory

Step 4: Objective reached

In practice, rather than just application X, an organization will have applications A-Z, all considered important. From MWR's experience of performing Attack Path Mapping exercises (white-box exercises to enumerate the most likely end-to-end paths an attacker will take to achieve an objective), Targeted Attack Simulations (black-box exercises to simulate a real attack on an objective) and investigating real-world incidents as part of its Incident Response service, the vast majority of attacks currently follow these broad steps.

However, applications or assets are typically considered only as standalone projects (step 4) and are not kept in mind when considering the larger attack process (steps 1-4). This often means the earlier stages of an attack are far easier to carry out than they should be, because the controls in place around the asset are largely ineffective against an attacker who is not exploiting anything.

Another essential question for an organization to ask itself is how confident it is that it has a comprehensive view of the ways an attacker could achieve an objective. For example, if the attacker's objective is obtaining information, can the organization be sure its most sensitive information is only in the places it knows for certain? Controls at step 4 may be rendered useless if the same information can easily be retrieved from an employee's inbox as well.

This is not to say focusing on the end goal is not important; pen testing should still be part of the security process. However, if we are considering the bigger picture, it is unlikely to be where organizations receive the best return on investment.

When trying to protect applications A-Z, a single control focused on step 1, 2 or 3 provides security for all of those applications. A control focused on step 4 provides security for only one.
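The coverage argument above can be made concrete by modelling the four steps as a small attack-path graph and scoring each candidate control by how many objectives it cuts off. The following is an added example, not code from MWR's post; the graph, the application names and the control names are constructed assumptions, and a control is simplified to fully blocking (or reliably detecting) the step it addresses.

```python
# Added example: score candidate controls against a constructed attack-path
# graph. Steps 1-3 are shared by every objective; step 4 fans out per app.
from collections import deque

APPS = [f"app_{c}" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]   # constructed objectives
EDGES = [
    ("attacker", "phishing_email"),                # step 1
    ("phishing_email", "host_compromise"),         # step 2
    ("host_compromise", "ad_lateral_movement"),    # step 3
] + [("ad_lateral_movement", app) for app in APPS]  # step 4: objective reached


def reachable(edges, start, blocked):
    """Nodes reachable from `start` without passing through a blocked node."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def objectives_protected(edges, objectives, control):
    """Number of objectives the attacker can no longer reach once `control`
    (the set of steps it prevents or reliably detects) is in place."""
    still_reachable = reachable(edges, "attacker", blocked=set(control))
    return sum(1 for obj in objectives if obj not in still_reachable)


def rank_controls(edges, objectives, candidates):
    """Rank candidate controls by objectives protected, best first."""
    scored = {name: objectives_protected(edges, objectives, steps)
              for name, steps in candidates.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed candidate controls, one per attack step (hypothetical names).
CANDIDATES = {
    "harden_app_X": {"app_X"},                     # step 4: a single application
    "phishing_resistant_mfa": {"phishing_email"},  # step 1
    "edr_on_endpoints": {"host_compromise"},       # step 2
    "tiered_ad_admin": {"ad_lateral_movement"},    # step 3
}

if __name__ == "__main__":
    for name, count in rank_controls(EDGES, APPS, CANDIDATES):
        print(f"{name:24s} protects {count:2d}/{len(APPS)} applications")
```

Replacing the all-or-nothing block with a per-step probability of the control failing turns the count into an expected-reachability score, but even this simple version shows why a shared-step control scores 26 here and an application-specific one scores 1.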

To explore this further, the key questions for an organization to ask itself when evaluating its security profile are:

  • Does it know what it considers to be its most critical business assets?
  • Does it know the paths threats are most likely to take to compromise those assets?
  • Has it identified the controls that provide the biggest improvements to either preventing or detecting those paths?
