On “Defender’s Advantage”

By Anton Chuvakin | May 09, 2014 | 5 Comments


I was not able to find the original author for the quote “The attacker can exploit just one vulnerability to get in, while the defender needs to protect all ways in.” This line of thinking has long been used to sow depression and lower the morale of aspiring security professionals, tasked with protecting the enterprise IT environments and information. Furthermore, the ever-increasing complexity of our environments (adding cloud and mobile, while keeping mainframes and Windows XP) made the list of said “ways in” so much longer and thus the depression so much deeper. “More furthermore”, as millions of new devices are connected and as organizations lose track of what is connected to what and what data moves where, the challenges with network defense look more and more daunting…

All of this hints at a hypothetical “Attacker’s Advantage” that affects security planning and architecture (defense in depth, layers, etc), risk management, threat assessment, monoculture thinking (example), etc. Of course, the same line of thinking made attackers [and pentesters] rejoice and have another beer at the expense of defenders everywhere 🙂

So, are we f*cked or what?

At this point, let’s briefly leave the cyber domain and visit the domain of warfare. Here, the long-quoted line is about the defender-to-attacker 3:1 force advantage, which means that a defending force of 100 will be able to hold a force of 300 at bay (with some assumptions in place, of course). The entire 5000+ year history of warfare teaches us about the unambiguous defender’s advantage. After all, defenders know the terrain and build the defenses on it [and thus know them even better], have a chance to prepare the plans and the armaments, train the troops in place – clearly that confers a non-trivial advantage to the defending side.

Where is the “Defender’s Advantage” in information / cyber security? I think it DOES EXIST, but many organizations choose to squander it. In theory, defenders should have the advantage because they control the terrain, but sadly, there are cases where the incoming attacker knows the locations of sensitive data better than the defenders tasked with protecting that data (“… but we were planning that DLP data discovery deployment for 2015” – “guess what? the attacker owned your domain and then scanned all your servers for sensitive data. oops!”). Defender’s advantage here also stems from knowing the terrain [=your IT environment], building defenses [=such as monitoring] as well as planning for battle [=having IR plans and procedures].

At the risk of channeling Richard Bejtlich circa 2008, why are defensible networks so rare? To a large extent, this is because many defenders are obsessed with buying boxes (akin to buying tanks and fighters and parking them in one huge garage) instead of thinking about items like this:

  • How to create the environment that we control – not the attacker?
  • How to architect visibility across all systems and networks, so that we will know when the adversary is here?
  • What may they want and how do we focus on those assets?
  • How can we stop, delay, disrupt their activities – all the while we observe and learn from them?
  • How do we draw the attacker’s attention in the direction we want and away from the area we don’t want?
  • Ultimately, how to create and maintain the environment where the attacker will ultimately lose or at least get tired before he can win?

Time to start thinking like that – and to stop repeating that line about the attacker’s advantage…

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Lucas says:

    Good post Anton. By applying an intelligence-driven defense model (, attackers are actually at a disadvantage. All their behaviors, hacking tools, etc are used to detect their presence and prioritize hardening priorities. An attacker would literally have to reinvent their TTPs and human habits to pull off an attack successfully.

  • Doron says:

    Usage of DECOY network systems enables the defenders to identify the progress of the attackers and to make decisions whether the attack should be mitigated immediately or it is better to collect intelligence on the attacker’s methods and goals.

  • @Lucas

    >By applying an intelligence-driven defense model
    >(, attackers are actually at a disadvantage

    Sure, of course – an excellent point indeed. The problem? Very, very, very few people actually get it operationally [I mean ‘get it beyond rattling off the words “kill chain”’ :-(], and in fact even conceptually…

    Sure, honeypots and other deception work – if you can make it work 🙂

  • Tal Be'ery says:

    Hi Anton,
    Great Entry. I really like utilizing the knowledge that mankind had gathered over centuries and millennia (such as warfare) to young domains (in that case, cyber warfare).
    I think that one of the reasons that we talk about “attacker advantage” in cyber warfare and not the “defender advantage” is because the defensive side defines the wrong goals and as a result it invests in the wrong places.
    If you define that your goal is to stop the adversary at the gate, you are very likely to lose, as the adversary has the advantage of surprise and can choose where and when to hit you. To eliminate the advantage of surprise, a smart defense strategy must use the depth element and contain the invaders until other forces arrive.
    In cyber warfare that means shifting the focus from the protection of the endpoint to the protection of the data center. Even if an endpoint is breached, it’s not the end of the world. But it’s very important to contain the intruder from moving deeper into your network and stealing your critical data from the data center.

  • Thanks for the comments.

    >one of the reasons that we talk about “attacker advantage” in cyber
    >warfare and not the “defender advantage” is because of the defensive
    >side defines the wrong goals and as a result it invests in the wrong

    This does make sense – plenty of defenders define goals as “be secure” (i.e., presumably “never hacked”); I guess the warfare copy of that would be “never be attacked”