At the Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium last year, DISA Director LTG Alan R. Lynn described a shift in attackers’ operations. Lynn stated that it’s become “snatch and grab” rather than following traditional intelligence techniques of using good tradecraft (the set of an attacker’s operational techniques and tools) to compromise, monitor, and accomplish the mission while avoiding detection.

In essence, while an attacker might have evaded detection in the past by operating in a way that avoids triggering network security sensors, a modern attacker is more likely to throw caution to the wind and hope to accomplish their mission quickly and decisively before your IT staff has a chance to react.

While I can see the tactical benefits of each (and we make use of both sets of tactics on our penetration tests), I would hesitate to say that the game has changed. Attackers vary in sophistication, motivation, and targeting. An attacker that is targeting a large number of companies, for the purposes of direct profit, and with a common attack technique is more likely to choose the path of “smash and grab”.

The truly dangerous attackers, however, that have specifically targeted you, have the goal of stealing your data or impacting your operations. They will dedicate the resources and time needed to do so, and will not throw that mission away with quick and easily detected action. Time is on their side, and they will patiently take advantage of it.

When your organization becomes the target, the attackers are likely to realize the benefits of not showing their cards too soon. Knowing that breaches, on average, aren’t detected for months (if they are detected at all), the attacker will have time to make the most of their access and will not invite trouble by operating quickly or loudly. More likely, they will operate at the pace of your business. By watching you via your workstations, email, scanned documents, voice-over-IP phones and other communications, they could accomplish their goals without attacking your more closely-watched systems.

Another statement made by Lynn: “they’re going after senior leaders at their offices and at home”, leading up to the point “it’s a different world”. This brings the message back around to a very real and uncomfortable truth I’ve been putting in front of IT leaders for some time. Your attackers will take advantage of you or your employees in truly detestable and unfair ways.

When performing our penetration tests, our ethical standards and legal boundaries prevent us from blackmailing staff to gain access, entrapping them into a course of action we define. A malicious attacker has no such limitation and will manipulate and attack your associates and families directly, in their homes, outside the scope of your company. At this point, an otherwise trustworthy employee becomes, unwillingly but silently, the “compromised node”. Launching the rest of their attack through access gained in this way, the attacker’s mission of stealing intellectual property, disrupting operations, or publicly leaking embarrassing information becomes much easier. This is the critical conversation we have with clients when describing the significance and importance of internal penetration tests. We know that malicious attackers will gain access to your network. We must quickly identify, respond, mitigate, and remediate cybersecurity threats and incidents.

A common misconception is that a cyberattack will “light up” the sensors, alerts, and level of traffic that network security staff spends so much time observing. In reality, your most dangerous cyberattackers are likely to be operating under your radar. Does your organization have the resources, capability, and mandate to identify advanced attackers operating on their own terms and timeline?