I was not able to find the original author for the quote “The attacker can exploit just one vulnerability to get in, while the defender needs to protect all ways in.” This line of thinking has long been used to sow depression and lower the morale of aspiring security professionals tasked with protecting the enterprise IT environments and information. Furthermore, the ever-increasing complexity of our environments (adding cloud and mobile, while keeping mainframes and Windows XP) made the list of said “ways in” so much longer and thus the depression so much deeper. “More furthermore”, as millions of new devices are connected and as organizations lose track of what is connected to what and what data moves where, the challenges with network defense look more and more daunting…
All of this hints at a hypothetical “Attacker’s Advantage” that affects security planning and architecture (defense in depth, layers, etc.), risk management, threat assessment, monoculture thinking, etc. Of course, the same line of thinking made attackers [and pentesters] rejoice and have another beer at the expense of defenders everywhere.
So, are we f*cked or what?
At this point, let’s briefly leave the cyber domain and visit the domain of warfare. Here, the long-quoted line is about the defender-to-attacker 3:1 force advantage, which means that a defending force of 100 will be able to hold a force of 300 at bay (with some assumptions in place, of course). The entire 5000+ year history of warfare teaches us about the unambiguous defender’s advantage. After all, defenders know the terrain and build the defenses on it [and thus know them even better], have a chance to prepare the plans and the armaments, train the troops in place – clearly that confers a non-trivial advantage to the defending side.
Where is the “Defender’s Advantage” in information / cyber security? I think it DOES EXIST, but many organizations choose to squander it. In theory, defenders should have the advantage because they control the terrain, but sadly, there are cases where the incoming attacker knows the locations of sensitive data better than the defenders tasked with protecting that data (“… but we were planning that DLP data discovery deployment for 2015” – “guess what? the attacker owned your domain and then scanned all your servers for sensitive data. oops!”). Defender’s advantage here also stems from knowing the terrain [=your IT environment], building defenses [=such as monitoring] as well as planning for battle [=having IR plans and procedures].
At the risk of channeling Richard Bejtlich circa 2008, why are defensible networks so rare? To a large extent, this is because many defenders are obsessed with buying boxes (akin to buying tanks and fighters and parking them in one huge garage) instead of thinking about items like this:
- How to create the environment that we control – not the attacker?
- How to architect visibility across all systems and networks, so that we will know when the adversary is here?
- What may they want and how do we focus on those assets?
- How can we stop, delay, disrupt their activities – all the while we observe and learn from them?
- How do we draw the attacker’s attention in the direction we want and away from the area we don’t want?
- Ultimately, how do we create and maintain the environment where the attacker will lose, or at least get tired before he can win?
Time to start thinking like that – and to stop repeating that line about the attacker’s advantage…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.