I read through a couple of very interesting blog posts and listened to some podcasts lately around how threat actors do not only map out network topologies (the thing many security people are most afraid of), but also map out people and business processes.

One of the mentioned threat actors was a group called FIN7, also known as the Carbanak group. The thing that is remarkable about their attacks is the amount of sophistication and perseverance in the ways they did research on the targeted users, but also reconnaissance in the targeted company.

Some commenters made the point, that the attackers find out more about the business processes of a company during that phase than what the company security team knows.

As security people we should be concerned about this, because our ultimate goal is not to protect technical systems and topologies, but the thing that makes money for our business and that is often business processes, data and intellectual property.

We need to do a better job of understanding those processes, understand the data flow and assess the systems having most risk and how those systems interact with each other and depend upon each other.