by Veserv 827 days ago
Yes. Any org. A few million dollars guarantees you unrestricted access to any network-connected system.

The upper bound of security is unable to make attacks with a 10 M$ return unprofitable. Raising the lower bar just raises the barrier to entry for new participants; it does not stop existing ones.

Most attacks do use basic techniques since a 10 M$ payout on 10 K$ cost is still better than a 10 M$ payout on 1 M$ cost. No point wasting the good stuff when the basic and cheap stuff works just as well. But if you get rid of all the cheap ways in, they will still attack using the more expensive stuff since the payout is still wildly profitable.


I’d like to see evidence of this. Because it seems unrealistic, even a well-protected org? Ok, say the employees are the weak chain. What about those with zero trust access policies?

My knowledge derives from personal experience, but if you want digestible evidence you can go read the books: “Click Here to Kill Everybody” by well-known cryptographer Bruce Schneier or “This Is How They Tell Me The World Ends” by the lead cybersecurity reporter of the New York Times, Nicole Perlroth.

I mean, Okta was breached, Mandiant was breached; it doesn't get more protected than those.