David J. Bianco
Practically every security professional has run across “the defender’s dilemma” sometime in their career. It goes like this: “Defenders have to be right every time. Attackers only need to be right once.”
The idea that attackers have all the advantages and that defenders must be passive and wait for something to respond to is practically an axiom of cybersecurity.
It is also a lie.
Basing a security strategy around the defender’s dilemma harms your security program. Starting with an incorrect premise leads to bad decisions. You may waste money on products, services or capabilities you don’t truly need or underinvest in the ones you do. Your security staff becomes overwhelmed, demoralized and has trouble delivering good outcomes.
If you believe the lie of the defender’s dilemma, there are other lies you have to believe as well because the defender’s dilemma relies upon them. Let’s look at each of these lies in detail and discuss strategies you can use to negate their harmful effects and turn them into advantages for your team.
Lie No. 1: Defense and offense are separate
The defender’s dilemma implies that your security team is purely passive, sitting around waiting for attacks to happen. But thinking in terms of “defense” and “offense” is a false dichotomy.
The Pyramid of Pain shows that by consistently detecting and responding to threat actor activity quickly enough to stop attacks in their tracks, you can impose cost on that actor, turning defense into offense. By concentrating your detection development efforts on the top half of the pyramid, you may not be able to prevent attacks entirely, but you will make actors work harder to be successful. That changes the economics of their attacks and also buys you valuable time to respond.
Lie No. 2: Defenders must be on duty 24/7
Your defenses must operate around the clock, while attackers can carefully choose the timing of their attacks to occur on evenings, weekends or holidays. That doesn’t mean humans always have to be engaged for everything, though.
Automation and SOAR technology can turn IR playbooks into an automated response. Driving an incident to containment within seconds or minutes of detection and collecting basic IR data along the way improves time-to-containment and significantly decreases reliance on off-hours staffing.
Consider also what each side is doing in between attacks. While threat actors plan their next attacks, your team should not be sitting idle. Use the time between incidents to level up group capabilities and individual skills. Learn from past incidents to improve detection and playbooks. Take classes or learn new skills. Use threat hunting to identify new detection or IR techniques. What you might have fallen prey to yesterday could be something you detect and interdict tomorrow.
Lie No. 3: Defenders have to play fair
Defenders rightly expect attackers to lie and cheat to achieve their goals, but sometimes we forget that lying and cheating can work both ways. Security leaders should connect with their own inner liars and cheaters. Deception technology does this well.
Deception technology has existed for decades in one form or another. “The Cuckoo’s Egg” documents Clifford Stoll’s defensive deception efforts as early as 1986. He did it all manually, but today you can simply buy an appliance that will automate or semi-automate a range of different cheats and tricks. There are also numerous free, open source deception packages if that’s more to your taste.
Honeypots, honey tokens, honeynets, dark nets: You have a range of options, including tricking adversaries into attacking heavily monitored systems, tar-pitting scans instead of outright blocking them and seeding legitimate document caches with a few carefully placed fakes that your DLP systems know about.
All of these techniques force attackers to waste time, shifting it to you to use to your advantage. They also provide additional alerting opportunities you might not have had before. There are solutions for nearly every budget, time commitment and skill level.
Lie No. 4: You can’t defend against zero-day attacks
It’s easy to understand why some believe this. Creating detection for as-yet-undisclosed exploits is a tricky business at best. However, most defenses aren’t exploit specific. For example, firewalls and network ACLs are quite effective against many different attack techniques. The very concept of defense in depth shows that you needn’t know the exact entry vector in advance but can still mount effective defenses to prevent or slow down an attacker.
Similarly, try some non-exploit-specific detection strategies, such as looking for anomalies in authentication, network or other logs. Establishing baselines and then looking for significant deviations is a type of threat-hunting explicitly designed to be attack agnostic and uncover a wide range of threat actor activity.
In reality, many detective, protective and corrective security controls are not tied to specific exploits, techniques or vulnerabilities. Over-focusing on detecting specific exploits risks exposure to the latest zero-days. You’ll be better off with a more balanced, defense-in-depth approach to detection and prevention when the next inevitable mass exploitation event hits.
Lie No. 5: Defenders have to get it right every time
The final lie is the defender’s dilemma itself. It fundamentally mischaracterizes the idea of what an “attack” is. “Attackers only have to be right once” strongly implies that the attack encompasses a single event — the “one time” they have to be right. In reality, an attack is a sequence of events, from conception through initial access and continuing until the threat actor achieves their goal or you manage to stop them. The very fact that the idea of an attack lifecycle (such as the Lockheed-Martin Cyber Kill Chain) exists implies that attacks happen over time.
You have many chances to detect attacks over their lifetimes, not just during the initial beachhead. By ensuring that you have a robust set of detections that cover all (or most) phases of the Kill Chain, you’ll maximize the probability that you’ll notice at least part of the attack and be able to respond more quickly.
The truth: The attacker’s dilemma
By now, it should be clear that the defender’s dilemma is wrong. In fact, the exact opposite is true: Attackers have to get everything right throughout the entire attack lifecycle. They have to evade all the controls and avoid tripping any alarms. You only need to detect them once in order to engage your security team and wake the dragon.
This concept is known as the attacker’s dilemma (or sometimes the intruder’s dilemma). It’s a very powerful idea. A threat actor typically has many steps to carry out during an attack. Human nature being what it is, they will almost certainly make mistakes. Also, attackers usually operate with imperfect knowledge of their environment, figuring things out as they go, and this fumbling around is likely to set off alarms. From a single alert, you can investigate, interdict and uncover the details of an attack’s entire kill chain.
The attacker’s dilemma is beneficial
Structuring your security program around the attacker’s dilemma has many benefits. Instead of wasted resources, low morale and “inevitable” data breaches, you begin to identify and prioritize opportunities, perhaps based partly on how much cost they impose on your adversaries. These priorities typically lead to smarter, more effective resource allocation.
The positive energy that comes with flipping the tables on the attackers also greatly impacts morale. People want to feel like their work is making a difference. Motivated employees are more engaged and tend to stay longer, reducing turnover and allowing for more opportunities to improve. This magic combination of better resource allocation and more motivated employees makes it much easier to achieve good security outcomes on a regular basis. As your team sees security wins, their morale improves even further, feeding into a virtuous upward spiral.
No one should be paying attention to the defender’s dilemma anymore. Perhaps it was closer to the truth a couple of decades ago, in cybersecurity’s ancient times, but today it’s not only wrong but actively harmful. By adjusting your mindset and implementing some of the above strategies, you can begin building the attacker’s dilemma in your own organization, bringing real improvement to both security outcomes and the quality of life of your security team.
Comment