Having worked in with the FBI, the Department of Homeland Security and US CERT, Andre McGregor and Chris Hallenbach have been involved in the investigation of countless breaches against a wide variety of different targets.They spoke at the AISA Conference on the issue of breach fatigue. I caught up with them after their presentation.\u201cYou can get to the point where you\u2019re playing fireman, just going from fire after fire and you just get burnt out. Or, from the user side, you\u2019re inundated with security messaging,\u201d says McGregor.That level of overload results in people not really knowing what to do about their security. McGregor and Hallenbach have worked with a large number of people and developed a model for dealing with, what they call, breach fatigue.Their approach involves creating networks of people from different issues who share meaningful information and develop networks that extend beyond their own vertical sectors.Hallenbach says it\u2019s little surprise there\u2019s fatigue around this. With so many breaches reported, companies see the theft of data as being a regular occurrence. This is what drive them to leave law enforcement and government and take up their current olds at Tanium.\u201cInstead of going from fire to fire, let\u2019s build fire-resistant material,\u201d says Hallenbach.McGregor says he has presented to many companies and uses a standard presentation titled \u201cI\u2019ve seen it before\u201d. This is to highlight to the executives and boards he speaks to that, despite their perception that they attacks they\u2019ve suffered are usually categorised as sophisticated and unique, they are usually the same vulnerabilities they\u2019ve seen elsewhere using phishing attacks or breaking into unmatched servers.\u201cIt may have been a sophisticated attacker but it was not a sophisticated attack,\u201d says McGregor.\u201cIt might be new to them but it\u2019s not new to us,\u201d adds Hallenbach.Although there are some similarities in the tools and methods used by attackers, Hallenbach says the threat actors are often focussed on specific verticals. This is because they need specialised Knowledge in order to not only get into systems but to successfully and stealthily exfitrate stolen data.One other things they pointed out was the concept of the \u201cdirty pond\u201d. In many cases, when an attack is detected companies focus on responding that threat. However, they say, in many cases a single detection is just the start with many other threat actors laying low and waiting for their optimal moment to attack.\u201cThat was the number one Runkle we had as incident responders,\u201d says McGregor. \u201cWe asked for all the data from the victim. And if we didn't see signs of more than one intruder in there we knew we were missing data\u201d.That\u2019s a nuance that is often missed in security reports. In addition, McGregor says the very vast majority of incidents reported occurred when a previously reported and patched vulnerability was either ignored or misused by the victim.While some companies try to stay abreast of new vulnerabilities, no one is doing it especially well, they say.Doing the basics, such as regular and punctual patching and limiting administrative access go a long way to making the threat surface smaller. One of the issues, they say, is companies often don't know what assets they have, making it impossible to know if they\u2019ve been breached.This is why threat actors don\u2019t always need to use zero day exploits. They can simply walk in the front door.This often occurs because humans tend to drift away from approved processes designed to put controls in place. This is why automation is crucial. As environments grow in size and complexity, it becomes increasingly difficult for people to keep up. In addition, they can start to short cut processes for expedience.Similarly, there\u2019s \u201ctool fatigue\u201d says Hallenbach. Many companies invest in tools only to either under-utilise them or lose expertise in how to use them when staff members leave the organisation. Also, there\u2019s siloed data as the tools don't work together, creating blindspots.