“Many tabletop exercises specifically focus on the technical elements from the bottom up [and] over-index on dramatic breaches rather than realistic adversary tactics,” Stoffer says, adding that, regardless of the size of the attack, most cybercriminals prefer subtle tactics that are often not anticipated.
“Attackers more often succeed through subtle behaviors like lateral movement or quiet data exfiltration that don’t get simulated enough,” Stoffer says. Attackers are “going to use whatever methods will get them access to the objective, usually the crown jewels, complete compromise of an Active Directory, identity server, PII, etc. They may start very slowly and methodically to avoid detection, or they may use well-worn but generally less alarm-raising techniques for initial access like phishing or credential harvesting. Once they have established a foothold in the organization, they can move quickly and quietly using the knowledge they’ve gained in the environment, the observed tools, etc., to avoid triggering alarms.”
What he sees most enterprise cybersecurity teams testing, however, is quite different.