Chapter 9: Offensive Case Studies
I don't care if I pass your test, I don't care if I follow your rules. If you can cheat, so can I. I won't let you beat me unfairly—I'll beat you unfairly first.
—Andrew Wiggin, Ender's Game
The goal of an operation is usually straightforward to determine. Indeed, this is what the media focuses on: the number of stolen credit cards, the amount of cash taken from ATMs, this or that product design, and so forth.
The means of an operation can also be recovered. It is not always easy, but a team of skilled forensic analysts can ordinarily determine how an organization was compromised. This is what security companies tend to focus on: the initial vulnerability exploited, the signatures of the programs used, the communication protocols employed, the addresses of the command and control servers, and if possible, who the Attackers are.
What's historically been missing from these analyses is an understanding of how Attackers systematically create and leverage the means to achieve their goals. The strategy is absent.
This is for good reason. Attackers actively obscure their strategy, not to mention their budgets and staffing levels. You can find and analyze the proverbial “pointy end of the spear” sticking into the gut of your organization, but that sheds little light on the location of the iron ore mine, the steel forging process, and the soldier training regimen that allows Attackers to fashion and wield that spear so effectively.
Unless, of course, you ...