The sentiment of, "if we fixed issue X, we'd be secure", I think is a sign of what @JohnLaTwC calls list-based thinking.
"We have a list of problems, which progressively rely on each other, so therefore if we break that chain, we're secure."
a quick thread: https://twitter.com/curi0usJack/status/1384620859302744066
Seeing an attack path as an attack "chain" can reasonably lead one to believe that breaking one link in that chain kills the entire attack path.
But what pentesters and red teamers instinctively know is that while one attack path itself may look like a chain, in reality it's one path within the context of a map.
As a defender, seeing your environment as a map of connected assets very quickly eliminates the "if we do this one particular thing we'll be safe" mode of thinking. It's not as comforting, but it'll help you make much better decisions about what to do about your security posture.
For a more eloquent take on what I'm trying to say in this thread, read this blog post by @JohnLaTwC: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md
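The chain-versus-map point above, worked through as an added example that is not part of the original thread: it takes a small constructed environment, fixes each link of one reported "chain" in turn, and checks whether the target is still reachable through the rest of the map. All asset names and edges are hypothetical.

```python
from itertools import combinations

# Constructed sample environment; every node name is hypothetical.
# An edge (a, b) means "control of a gives a way to gain control of b".
EDGES = [
    ("workstation", "helpdesk-user"),      # the first four edges are the
    ("helpdesk-user", "file-server"),      # "chain" written up in a report
    ("file-server", "server-admin"),
    ("server-admin", "domain-admin"),
    ("helpdesk-user", "jump-host"),        # edges the report did not list
    ("jump-host", "server-admin"),
    ("workstation", "build-agent"),
    ("build-agent", "deploy-account"),
    ("deploy-account", "domain-admin"),
]
REPORTED_CHAIN = EDGES[:4]
START, TARGET = "workstation", "domain-admin"

def paths(edges, start, target, seen=()):
    """Return every simple (loop-free) path from start to target."""
    if start == target:
        return [[target]]
    seen = seen + (start,)
    found = []
    for a, b in edges:
        if a == start and b not in seen:
            found += [[start] + rest for rest in paths(edges, b, target, seen)]
    return found

def survives(edges, removed, start=START, target=TARGET):
    """True if the target is still reachable once `removed` edges are fixed."""
    remaining = [e for e in edges if e not in removed]
    return bool(paths(remaining, start, target))

def smallest_cut(edges, start=START, target=TARGET):
    """Brute-force the smallest set of edges whose removal cuts every path."""
    for size in range(1, len(edges) + 1):
        for combo in combinations(edges, size):
            if not survives(edges, combo, start, target):
                return list(combo)
    return []

if __name__ == "__main__":
    print("paths to target:", len(paths(EDGES, START, TARGET)))
    for link in REPORTED_CHAIN:
        print("fix", link, "-> target still reachable:", survives(EDGES, [link]))
    print("smallest set of fixes that cuts every path:", smallest_cut(EDGES))
```

In this sample map, fixing any single link of the reported chain, or even all four of them, leaves the target reachable; only a pair of fixes chosen by looking at the whole graph cuts every path.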