
TIPS #35: Posture Management is Opportunity Management

Shane Shook

January 20, 2026

Issue: Companies often overfocus on how cybercrime incidents happen and miss why they were targeted, leaving the door open for adversaries.

When most companies and security teams think about cybercrime, especially after experiencing a data breach or business interruption, they tend to focus on how a breach or compromise occurred. It’s natural to want to understand the sequence of techniques and procedures that allowed the incident to occur.

“How?” is the wrong first question

However, asking how rarely leads to better security posture or improved risk management. Cybercrime is, by and large, opportunistic. Cybercriminals use utilitarian TTPs to take advantage of the weaknesses around a target at a given moment. As defenders, we can’t directly control or predict how (the means of attack) because attackers opportunistically adapt their techniques and procedures: vulnerability exploitation, social engineering, phishing, SIM swapping, malware, living off the land, and so on.

Overfocusing on how is like playing a never-ending game of whack-a-mole. It overlooks why your company was targeted in the first place and weakens your security posture. Even if you stop a specific attack from progressing to a breach or compromise, the opportunity that enabled it remains unaddressed, leaving your company at risk.

Ask “Why was I targeted?”

It’s critical to remember why cybercriminals perpetrate attacks. Cybercrime groups target high-value commodities (identity and data) for financial gain. They typically try to remain undetected as long as possible to meet their objectives, often selling access to breached identities, data, and systems rather than monetizing the target’s assets directly. Nation-state groups similarly target high-value identities, data, and access to meet objectives related to geopolitical value and espionage.

For example, cybercriminals often target professional services companies to take advantage of their level of access and trust. These companies often have access to their customers’ data rooms, financial accounts, and even networks and systems. An email from a trusted service provider, accountant, lawyer, or investor, or network traffic between your company and theirs, is expected and easy to overlook.

However, defenders can’t control why (the motive) any more than how (the means): business-critical data and resources have inherent value that will attract criminal activity, even though that value varies over time with the data’s importance to the business.

Means (How) + Motive (Why) + Opportunity (When) = Why your company gets breached or compromised

The most important question to consider is why the attack, breach, or compromise against your company succeeded.

Cybercriminals take advantage of weak security like a lack of patching, poor coordination between systems, and insufficient identity security measures. In other words, attackers are only able to succeed because there are gaps in security posture. Posture management is therefore about reducing the opportunity for crime. This is the only thing defenders can directly control.

Unfortunately, most security teams implement security capabilities to address the means of attack (detecting specific techniques, behaviors, or malware signatures) rather than managing the opportunities for attacks to succeed (the security posture of the organization).

Impact: Unmanaged opportunities lead to reactive posture and greater impacts from breaches and compromises.

Focusing on how first, without the lens of why and when, creates reactive security programs that are a step behind attackers and face higher incident response and recovery costs. Many security posture gaps go unaddressed, and the window of opportunity remains wide open for attackers.

Consider how a reactive approach misses the bigger picture and can lead to cascading effects:

  • Malware alert: An antivirus alert triggers on a company device and indicates malware is present. The security team wipes the affected device following the alert, treating the malware as the problem and never asking what opportunity (an unpatched application, a user with local admin rights, an unfiltered download path) allowed it to land there in the first place.
  • Ransomware deployment: Ransomware interrupts financial closing activities. After investigating, the security team restores data from backups, fixing the problems of inaccessible data and interrupted business operations. However, they miss the opportunities that allowed lateral movement (over-privileged service accounts) and exfiltration (unmonitored data flows).
  • Fraud: The CFO discovers fraudulent wire transfers from a corporate account. They attempt to freeze the funds and IT resets the compromised user’s password. By treating this as a financial transaction and password problem, they miss the opportunities (weak IAM and a lack of multi-person integrity controls on high-value transactions) that allowed the fraud to occur.

Reacting to each of these incidents as it emerges and solving for how fails to address the bigger picture: a coordinated cybercrime operation successfully targeted and exploited your company for financial gain.

Consider the following real-world incidents in which attackers capitalized on unmanaged opportunities (identity exposure and trust), converting low-effort discovery into high-impact compromises.

Snowflake breach (2024)

In 2024, customers of cloud-based data platform provider Snowflake experienced a significant wave of account compromises (we recommend reading the CSA’s comprehensive breakdown of the incident for complete details). Attackers used exposed Snowflake credentials, previously stolen with infostealer malware, to access customer accounts that lacked enforced MFA and proper lifecycle governance. They were able to authenticate using valid credentials tied to legacy and unmanaged accounts, some stolen years earlier and never rotated, gaining direct access to sensitive data before detection. No vulnerability in the platform itself was needed; valid logins were enough.

Comprehensive identity posture management (including mandatory MFA), continuous account hygiene, and credential exposure monitoring would have removed viable access paths (the opportunities) and prevented the account compromises.
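As an added worked example (not from the original post, and not Snowflake’s, Mandiant’s or any vendor’s tooling), the three controls above can be turned into a single triage pass over a user export. The script assumes a hypothetical inventory with fields such as has_password, has_mfa, password_last_set and last_login, plus a constructed credential-exposure feed listing which logins have appeared in infostealer dumps and when; every login, date and field name is made up for the example. It flags password logins without MFA, dormant accounts, and the combination that actually opened the door in the incident above: a leaked credential that was never rotated after the leak.

```python
"""Triage a user inventory for the access paths behind credential-based tenant breaches."""
from datetime import date
from typing import Dict, List

DORMANT_DAYS = 90  # assumption: policy threshold for "nobody has used this account"
REFERENCE_DATE = date(2026, 1, 20)  # "today" for the run; fixed so results are deterministic

# Constructed user export for a hypothetical data platform. Field names are an
# assumption for this example, not any vendor's actual schema.
USERS: List[Dict[str, object]] = [
    {"login": "svc_etl", "has_password": True, "has_mfa": False,
     "password_last_set": "2021-11-02", "last_login": "2025-12-30", "disabled": False},
    {"login": "alice", "has_password": True, "has_mfa": True,
     "password_last_set": "2025-10-01", "last_login": "2026-01-18", "disabled": False},
    {"login": "contractor_bob", "has_password": True, "has_mfa": False,
     "password_last_set": "2023-05-14", "last_login": "2024-08-09", "disabled": False},
    {"login": "carol", "has_password": False, "has_mfa": False,  # federated SSO only
     "password_last_set": None, "last_login": "2026-01-19", "disabled": False},
    {"login": "old_intern", "has_password": True, "has_mfa": False,
     "password_last_set": "2022-06-01", "last_login": "2022-09-01", "disabled": True},
]

# Constructed credential-exposure feed: login -> date the credential first appeared
# in an infostealer dump, as a breach-monitoring service would report it.
EXPOSED: Dict[str, str] = {"svc_etl": "2022-04-18", "contractor_bob": "2024-11-02"}


def triage_user(user: Dict[str, object], exposed: Dict[str, str], today: date) -> List[str]:
    """Return the posture issues for one account (empty list if none)."""
    issues: List[str] = []
    if user["disabled"]:
        return issues  # a disabled account is not a live access path
    password_login = bool(user["has_password"])

    if password_login and not user["has_mfa"]:
        issues.append("password login without MFA")

    idle = (today - date.fromisoformat(str(user["last_login"]))).days
    if idle > DORMANT_DAYS:
        issues.append(f"dormant ({idle} days since last login)")

    leaked_on = exposed.get(str(user["login"]))
    if leaked_on and password_login:
        last_set = user["password_last_set"]
        # If the password was last set on or before the leak date, assume (conservatively)
        # that the leaked value is still the current one.
        if last_set is None or date.fromisoformat(str(last_set)) <= date.fromisoformat(leaked_on):
            issues.append(f"credential exposed on {leaked_on} and not rotated since")
    return issues


def severity(issues: List[str]) -> str:
    """A leaked, unrotated password with no MFA is a working login for whoever holds the dump."""
    exposed = any(i.startswith("credential exposed") for i in issues)
    no_mfa = any(i.endswith("without MFA") for i in issues)
    if exposed and no_mfa:
        return "critical"
    if exposed or no_mfa:
        return "high"
    return "medium" if issues else "none"


def triage(users: List[Dict[str, object]], exposed: Dict[str, str], today: date) -> List[Dict[str, object]]:
    """Accounts with at least one issue, most severe first, then by login."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    report: List[Dict[str, object]] = []
    for user in users:
        issues = triage_user(user, exposed, today)
        if issues:
            report.append({"login": user["login"], "severity": severity(issues), "issues": issues})
    return sorted(report, key=lambda r: (rank[str(r["severity"])], str(r["login"])))


if __name__ == "__main__":
    for row in triage(USERS, EXPOSED, REFERENCE_DATE):
        print(f"{row['severity']:8} {row['login']:15} {'; '.join(row['issues'])}")
```

On the constructed data the two critical findings are the service account and the contractor: both still accept a password that has been in a dump for months or years, and neither is protected by MFA. Note that the dormant check alone would have missed svc_etl, which logs in regularly because an ETL job uses it; that is exactly the kind of account that lifecycle governance tends to skip and that an attacker with the dump can use unnoticed.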

ConnectWise ScreenConnect vulnerability (2024)

In 2024, attackers exploited CVE-2024-1709, an authentication bypass vulnerability in internet-exposed ConnectWise ScreenConnect servers, after scanning for unpatched instances (read Huntress’ analysis for a technical breakdown). The attackers ultimately gained administrative-level access to the RMM console and, through it, to the internal systems of numerous customer organizations, with free rein to move laterally, steal data, and deploy ransomware. These intrusions were possible due to unmanaged external remote monitoring and management (RMM) exposure paired with weak privileged identity access management (the opportunities).

Proper external and internal attack surface governance and privileged identity posture, including exposure minimization and access restrictions, would have eliminated the entry point and prevented downstream compromises.

Action: Manage opportunities for exploitation with comprehensive active/passive posture and horizontal/vertical security.

Opportunity management is founded on a simple truth: cybercrimes happen and your company could be targeted because its assets are valuable to attackers.

Fortunately, you have the ability to deny opportunities for exploitation by implementing a comprehensive security posture across both active/passive and horizontal/vertical domains.

1) Map your dependencies to uncover opportunities for exploitation

You can’t manage an opportunity you can’t see. Start by identifying your company’s interconnected dependencies and trusted relationships:

  • Who manages your domain?
  • Who controls your email and messaging services?
  • Who facilitates your Internet access and network services?
  • Who administers your data processing, storage, and computing services?
  • What devices does your company and its employees use?
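As an added worked example (not from the original post, and not any of the vendors’ tooling mentioned below), several of the questions above can be answered, at least in part, from DNS alone. The script walks a constructed set of DNS records for a hypothetical domain (example-corp.test and all provider names are made up) and extracts who hosts DNS, who receives mail, which third parties are transitively authorized to send mail on the domain’s behalf via SPF includes, where DMARC reports are sent, and which SaaS vendors have left domain-verification tokens in TXT records. Each of those is a trusted relationship an attacker can target instead of you.

```python
"""Enumerate third-party trust dependencies visible in a domain's DNS records."""
from typing import Dict, List, Set

Records = Dict[str, Dict[str, List[str]]]

# Constructed sample zone data for a hypothetical domain; these are not real DNS answers.
SAMPLE_RECORDS: Records = {
    "example-corp.test": {
        "NS": ["ns1.dnsprovider.example.", "ns2.dnsprovider.example."],
        "MX": ["10 aspmx.l.mailprovider.example."],
        "TXT": [
            "v=spf1 include:_spf.mailprovider.example include:spf.crm-saas.example "
            "ip4:198.51.100.0/24 -all",
            "crm-saas-verification=abc123",  # token left by a SaaS domain-ownership check
        ],
    },
    "_spf.mailprovider.example": {"TXT": ["v=spf1 include:_netblocks.mailprovider.example ~all"]},
    "_netblocks.mailprovider.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # The CRM vendor's SPF re-includes the mail provider: a shared, transitive dependency.
    "spf.crm-saas.example": {"TXT": ["v=spf1 include:_spf.mailprovider.example ~all"]},
    "_dmarc.example-corp.test": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@reports-vendor.example"],
    },
}


def provider_of(host: str) -> str:
    """Reduce a hostname to its last two labels. Simplification: a real tool would
    consult the Public Suffix List to find the registrable domain."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def _expand_spf(name: str, records: Records, seen: Set[str]) -> None:
    """Follow include:/redirect= terms depth-first; `seen` doubles as loop protection."""
    if name in seen:
        return
    seen.add(name)
    for txt in records.get(name, {}).get("TXT", []):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mech = term.lstrip("+-~?").lower()  # drop the qualifier, if any
            if mech.startswith("include:"):
                _expand_spf(mech.split(":", 1)[1], records, seen)
            elif mech.startswith("redirect="):
                _expand_spf(mech.split("=", 1)[1], records, seen)


def spf_trusted_domains(domain: str, records: Records) -> Set[str]:
    """Every domain whose SPF policy is transitively trusted to send mail as `domain`."""
    seen: Set[str] = set()
    _expand_spf(domain, records, seen)
    seen.discard(domain)
    return seen


def dmarc_tags(domain: str, records: Records) -> Dict[str, str]:
    """Parse the _dmarc TXT record into a tag dict (e.g. {'p': 'none', 'rua': ...})."""
    tags: Dict[str, str] = {}
    for txt in records.get(f"_dmarc.{domain}", {}).get("TXT", []):
        if not txt.upper().startswith("V=DMARC1"):
            continue
        for part in txt.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
    return tags


def map_dependencies(domain: str, records: Records) -> Dict[str, object]:
    """Summarize the third parties the domain's DNS, mail and SaaS trust depend on."""
    zone = records.get(domain, {})
    dns_providers = {provider_of(h) for h in zone.get("NS", [])}
    inbound_mail = {provider_of(mx.split()[-1]) for mx in zone.get("MX", [])}
    spf_chain = spf_trusted_domains(domain, records)
    senders = {provider_of(d) for d in spf_chain}
    dmarc = dmarc_tags(domain, records)
    report_receivers = {
        provider_of(uri.split("@", 1)[1])
        for uri in dmarc.get("rua", "").split(",")
        if "@" in uri
    }
    tokens = {
        txt.split("verification=", 1)[0].rstrip("-_")
        for txt in zone.get("TXT", [])
        if "verification=" in txt
    }

    findings: List[str] = []
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC is not enforcing (p=none): mail failing SPF/DKIM is still delivered")
    if len(spf_chain) > 10:  # RFC 7208 lookup limit (only include/redirect are counted here)
        findings.append("SPF chain exceeds 10 DNS lookups; receivers may return permerror")
    for third_party in sorted(senders - inbound_mail):
        findings.append(f"{third_party} is authorized by SPF to send mail as {domain}")

    return {
        "dns_providers": dns_providers,
        "inbound_mail": inbound_mail,
        "authorized_senders": senders,
        "spf_lookups": len(spf_chain),
        "dmarc_policy": dmarc.get("p"),
        "dmarc_report_receivers": report_receivers,
        "saas_verification_tokens": tokens,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in map_dependencies("example-corp.test", SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against real zones, the same logic (with a resolver behind `records` and a proper Public Suffix List) gives a first cut of the answers to “who manages your domain?” and “who controls your email?”, and the SPF walk in particular surfaces vendors nobody remembers onboarding: in the constructed data the CRM vendor can send mail as the company and DMARC would not stop a spoofed message from an attacker who compromises that vendor.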

Uptycs provides unified visibility across cloud, endpoint, and network assets, helping you identify and close infrastructure attack opportunities before they are exploited.

Nudge Security helps you gain visibility into SaaS and AI sprawl, identifying unmanaged dependencies that create hidden opportunities.

Bishop Fox provides Continuous Attack Surface Testing to help you maintain visibility into vulnerable systems and routes of attack and compromise.

“Attackers aren’t breaking in – they’re logging in. Billions of email addresses, passwords, and active session objects are circulating in breached datasets. Identity has become the most valuable and vulnerable digital asset.”

Andres Andreu CEO, Constella Intelligence

Constella Intelligence provides visibility into identity attack surfaces to help you strengthen identity posture, fuel threat intelligence, and reduce digital identity risk.

2) Horizontal security

Close cross-organizational security gaps around devices, networks, endpoints, applications, and identities. While the full breadth of horizontal security measures exceeds the scope of this blog (for an in-depth analysis of horizontal-vertical security dynamics, read TIPS #33), start by considering two key concepts: identity and trust.

When identity is the perimeter, security posture must deny attackers opportunities to steal and abuse credentials and trusted relationships.

1Kosmos eliminates the opportunity for password abuse with advanced identity proofing and passwordless MFA.

SPHERE identifies and eliminates over-privileged access and dormant accounts to remove opportunities for lateral movement.

3) Vertical security

Deny attackers opportunities to compromise valuable business assets and vertical processes, workflows, and functions.

“Network defenses aren't impenetrable. You need continuous visibility into network traffic to confirm that your air gaps, network segmentation, jump servers, and other controls are preventing lateral movement.”

Ricardo Villadiego Founder and CEO, Lumu Technologies

Lumu Technologies’ continuous compromise assessment platform contextualizes horizontal network signals with vertical relevance, helping you reduce gaps in your network.

“Start thinking about concrete security outcomes -- ask questions like ‘Which vendors can access our customer data?’ and ‘Who has viewed our financial records in the past month?’ If you can’t quickly answer these basic questions, you have a security posture problem. Pretty dashboards filled with endpoint, cloud, networking, and product vulnerabilities are a great distraction -- you care about your data flowing to the right identities, so answer these questions directly.”

Mohit Tiwari CEO and Co-founder, Symmetry Systems

Eliminate opportunities for data theft by strengthening your data security posture. Symmetry Systems helps you to map security posture to data’s value, manage data access controls, and detect vertical workflow anomalies.

4) Manage the full spectrum of active and passive security

Opportunity management must involve both active (preventative) and passive (reactive) security measures (revisit TIPS #10 for a full discussion on active and passive posture).

SolCyber delivers a curated offering of active and passive defenses that ensure a strong security posture to minimize opportunities.