Stopping initial compromises should be your top goal. Talk to successful penetration testers and they'll tell you that once they have initial access, the rest is gravy. Getting that first access is the most stressful part for hackers, but once it's acquired, it's usually pretty easy to move laterally and vertically, get the keys to the kingdom, and pwn the environment.
Understanding the two major types of attacks will make you a better defender. For example, right now most of the security world is very concerned about pass-the-hash (PtH) attacks, where the attacker gains access to intermediate credential representations and uses them to move throughout the environment. We can't ignore PtH attacks; every sophisticated attacker is using them.
But focusing on movement might make you lose sight of the bigger problem. In order to accomplish PtH attacks, the attacker must have already gained initial, superelevated, authenticated access. In Microsoft Windows, the attacker must already be local Administrator or Domain Administrator (on a domain controller) in order to access the password hashes or Kerberos tickets. Once they have that sort of privileged access, what can't they do?
There are now tools and techniques to substantially decrease the risk of PtH attacks, raising the possibility that in the next few years, we will defeat them. That won't stop attackers in the slightest; they already have very privileged access. If we take away PtH attacks, they'll turn to other options, such as key logging, to get the access they need.
If we're going to minimize malicious hacking over the long term, we need to focus more on stopping initial compromises, because different types of movement attacks will develop as the attackers need them. Shut down one movement attack and they will invent another. It's computer security evolution.
But initial compromises don't change all that much. Malware, social engineering, password guessing, and buffer overflows have been around for decades. Minimize initial compromises and you'll do more to lower your risk.
The best step you can take in your environment to stop initial compromises is to better patch your software and prevent social engineering. The best way to stop movement is to separate your networks (logically or physically) and minimize credential reuse between systems.
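One way to see whether credential reuse is letting accounts move between systems is to watch for a single account authenticating over the network to many distinct hosts in a short window, or being used from several source hosts at all. The script below is an added illustration written for this page, not code from the original column or from InfoWorld; the logon records, host names, account names and the thresholds (ten minutes, more than three targets, two or more source hosts) are all constructed assumptions that a defender would tune to their own environment.

```python
"""Detect fan-out logons and cross-host account reuse in constructed logon records.

Added example (not the original article's code). The records are shaped like the
fields a defender would pull from Windows network-logon events (timestamp, account,
source host, target host); they are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account hops across four hosts in a few minutes,
# while ordinary users touch one or two servers over the day.
SAMPLE_EVENTS = [
    # timestamp,             account,      source, target
    ("2024-05-01T09:00:00", "alice",      "WS01", "FS01"),
    ("2024-05-01T09:02:00", "svc-backup", "WS01", "WS02"),
    ("2024-05-01T09:03:00", "svc-backup", "WS02", "WS03"),
    ("2024-05-01T09:04:00", "svc-backup", "WS03", "FS01"),
    ("2024-05-01T09:05:30", "svc-backup", "WS03", "DC01"),
    ("2024-05-01T13:00:00", "alice",      "WS01", "PRINT01"),
    ("2024-05-01T17:00:00", "bob",        "WS07", "FS01"),
]


def parse_events(rows):
    """Turn (iso-timestamp, account, source, target) tuples into datetime-keyed records."""
    return [(datetime.fromisoformat(ts), acct, src, dst) for ts, acct, src, dst in rows]


def fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {account: sorted targets} for accounts that reach more than
    max_hosts distinct target hosts inside any sliding time window.

    Rapid fan-out from one account is the footprint of a credential being
    replayed host to host; the thresholds are assumptions, not standards.
    """
    by_account = defaultdict(list)
    for ts, acct, _src, dst in events:
        by_account[acct].append((ts, dst))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            # Distinct targets reached within `window` of this logon.
            targets = {dst for t, dst in rows[i:] if t - t0 <= window}
            if len(targets) > max_hosts:
                flagged[acct] = sorted(targets)
                break
    return flagged


def reused_across_sources(events, min_sources=2):
    """Return {account: sorted source hosts} for accounts that authenticate
    from at least min_sources different machines.

    An account that should live on one box showing up from several is the
    credential-reuse condition the text says to minimise.
    """
    sources = defaultdict(set)
    for _ts, acct, src, _dst in events:
        sources[acct].add(src)
    return {acct: sorted(s) for acct, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for acct, hosts in fan_out(parsed).items():
        print(f"fan-out: {acct} reached {hosts}")
    for acct, hosts in reused_across_sources(parsed).items():
        print(f"reuse:   {acct} used from {hosts}")
```

Both checks are deliberately simple so that the logic is auditable: the first is a sliding-window count of distinct targets per account, the second a per-account set of source hosts. In practice the interesting output is the intersection, an account that is both used from many machines and fans out quickly, which is exactly the movement pattern that separating networks and ending credential reuse are meant to deny.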
Everything else is relatively minor compared to these two defenses in each of the attack types. Focus, focus, focus.
This story, "To build the best defense, know which attack is which," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.