I’ve had it. It is time to retire some of the old, worn-out cybersecurity clichés polluting the landscape. Clichés are painful to hear. At the top of the list is the ‘defender’s dilemma’. This platitude states that breaches occur because attackers only have to be right once, whereas defenders have to get cybersecurity right every single time. I’ll admit, I’ve used this cliché myself, but no longer! This adage places organizations at a distinct disadvantage. Followed to its logical conclusion, it implies that no matter what you do, you are bound to fail. Defeatism seems to be a theme in many cybersecurity discussions, but that is a subject for another day.
The problem with the defender’s dilemma is that both parts of the statement are flawed.
Saying an attacker only needs to get it right once sounds like the idiom, “Even a blind squirrel finds a nut every so often.” The implication is that attackers do not need to work hard to breach security defenses. This is the exact opposite of reality. Attackers work at their trade. The MITRE ATT&CK knowledge base of adversary tactics and techniques catalogs the variety of activities required to successfully execute a cyberattack campaign, and the sheer size of that catalog is itself evidence of how much has to go right for the attacker.
Attackers must research their targets and conduct reconnaissance to determine the best entry point. Cybercriminals then need to compromise their target to gain a foothold. Next, they work to elevate privileges and compromise additional systems to facilitate lateral movement. Just like a physical thief, they search for valuables to steal in order to collect their payoff. Each of these steps corresponds to a tactic in ATT&CK, and each one leaves traces on hosts and networks. To be successful, all of these activities must go undetected; otherwise the operation will be exposed. When that happens, it is back to the beginning. This is not a job for a blind squirrel.
On the defender’s side, saying you must be right all the time is tantamount to advocating for perfect security. Perfect security is a fool’s errand: it isn’t going to happen. As Franz Kafka implied in his short story, “A Hunger Artist,” the search for perfection is, ultimately, the inability to accept reality for what it is. Absolute security fails because it creates an unwillingness to compromise as well as a crippling fear of failure. Defenders must realize that they can execute everything flawlessly and still succumb to attacks or breaches, for example when a zero-day vulnerability is exploited before any patch exists. The realistic goal is not to prevent every initial compromise but to catch and contain the intrusion before the attacker reaches the payoff.
Thwarting attackers takes skill, determination and flexibility. You need to be meticulous and use the capabilities available to you. You also must not be satisfied with some level of success; you must remain constantly vigilant.
Frameworks, Risk Management and Defenses
Security professionals should not fall into the defender’s dilemma trap. It is a false narrative. Attackers work hard to make breaches happen. They scrutinize the attack surface for vulnerabilities. They have their share of failures, but they persevere. Cybercriminals do not act as though their success is preordained. Defenders, however, take as gospel that they will lose, even though many tools are available that can discover and ward off adversarial intrusions.
The first step in burying the cliché is establishing a risk management program that aligns with an established framework, such as the NIST Cybersecurity Framework (CSF). The CSF is valuable because it provides guidelines, standards and best practices that allow organizations to build a security program that can identify and mitigate cybersecurity risks. It also pays to integrate threat modeling into that program: quantify the severity of the threats and vulnerabilities you face, then prioritize mitigation resources accordingly. The MITRE ATT&CK matrix is very useful when creating risk scenarios, because it lets you walk an attack stage by stage and ask, at each stage, which control would detect or block it.
In addition to creating a strong risk management program using frameworks and threat modeling, organizations can deploy many technologies that reduce the attack surface (e.g. security hygiene and patching), create barriers (e.g. anti-malware and firewalls), enforce identity controls (e.g. privileged identity management), provide visibility (e.g. IDS/IPS and endpoint telemetry), enforce segmentation (e.g. network segmentation and zero-trust access), deceive attackers (e.g. honeypots) and deliver analytics (e.g. SIEM). No single layer needs to be perfect; each one is another stage at which the attacker can be caught. Finally, the defender’s dilemma bromide is ultimately defeated by security awareness and practice. Run tabletop exercises, conduct penetration testing and red-team and blue-team operations, and stay current on existing threats and attacker operations.
The bottom line is that the defender’s dilemma cliché should be retired. Successful breaches are not the result of the attacker being right just once; the attacker has to be right at every stage of the attack chain, and undetected at every stage. Anything that disrupts that chain leads to their failure, so the defender has many opportunities to thwart a penetration attempt. Operating a comprehensive risk management program, supported by people, policy and technology, works without the unattainable burden of perfect security.
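The following is an added worked model of the argument made in the attack-chain description above and in the closing paragraph; it is not code from the original article. It treats an intrusion as a sequence of ATT&CK tactics that must all go undetected, computes how the attacker’s overall odds shrink as detection is added at each stage, and runs toy detection rules over a constructed log excerpt to show that the first hit at any stage breaks the chain. The per-stage detection probabilities, the detection rules, the exfiltration threshold and the log lines are all assumptions constructed for illustration; only the ATT&CK tactic identifiers are real.

```python
"""
Added worked model of the attack-chain argument (not from the original article).
An intrusion is a chain of stages, each of which must go undetected, so the
defender needs only one hit while the attacker needs a clean run of every stage.

Everything below is constructed for illustration: the per-stage detection
probabilities are assumed values, the detection rules are toy patterns, and
the log lines are made up. The ATT&CK tactic IDs are real identifiers.
"""
from dataclasses import dataclass
import math
import re


@dataclass(frozen=True)
class Stage:
    name: str
    tactic: str      # MITRE ATT&CK tactic ID
    p_detect: float  # assumed probability that defenders catch this stage


# Stages in the order the article describes them (recon -> foothold ->
# privilege escalation -> lateral movement -> collection/exfiltration).
CHAIN = [
    Stage("reconnaissance", "TA0043", 0.10),
    Stage("initial access", "TA0001", 0.50),
    Stage("privilege escalation", "TA0004", 0.40),
    Stage("lateral movement", "TA0008", 0.60),
    Stage("exfiltration", "TA0010", 0.30),
]


def p_attack_succeeds(chain):
    """Attacker wins only if every stage evades detection (stages assumed independent)."""
    return math.prod(1.0 - s.p_detect for s in chain)


def p_chain_broken(chain):
    """Probability that at least one stage is caught, i.e. the attack fails."""
    return 1.0 - p_attack_succeeds(chain)


def success_if_control_lost(chain, tactic):
    """Attacker success if detection for one tactic drops to zero: where defenders depend most."""
    return math.prod(1.0 - s.p_detect for s in chain if s.tactic != tactic)


# Toy detection rules keyed by tactic. Real rules would live in SIEM/EDR logic;
# these regexes exist only to run against the constructed sample log below.
RULES = {
    "TA0001": re.compile(r"parent=WINWORD\.EXE child=powershell\.exe"),
    "TA0004": re.compile(r"event=new local admin"),
    "TA0008": re.compile(r"event=remote service created"),
    "TA0010": re.compile(r"event=outbound transfer bytes=(\d+)"),
}
EXFIL_BYTES = 1_000_000_000  # assumed threshold: a single transfer of 1 GB or more


def matches(tactic, line):
    """True when the toy rule for `tactic` fires on one log line."""
    m = RULES[tactic].search(line)
    if not m:
        return False
    if tactic == "TA0010":  # only large transfers count as suspected exfiltration
        return int(m.group(1)) >= EXFIL_BYTES
    return True


def first_detection(chain, log_lines):
    """Return (stage name, log line) for the earliest detected stage, or None if the attacker ran clean."""
    by_tactic = {s.tactic: s for s in chain}
    for line in log_lines:
        for tactic in RULES:
            if matches(tactic, line):
                return by_tactic[tactic].name, line
    return None


def uncovered_stages(chain):
    """Stages with no detection rule at all: the attacker's free moves."""
    return [s.name for s in chain if s.tactic not in RULES]


# Constructed log excerpt of one intrusion, in stage order (not real data).
SAMPLE_LOG = [
    "2024-03-01T09:01 host=ws17 event=attachment opened user=jdoe file=invoice.docm",
    "2024-03-01T09:02 host=ws17 event=process start parent=WINWORD.EXE child=powershell.exe",
    "2024-03-01T09:30 host=ws17 event=new local admin account=svc_backup",
    "2024-03-01T10:05 host=ws17 event=remote service created target=fs01 via=psexec",
    "2024-03-01T11:40 host=fs01 event=outbound transfer bytes=4200000000 dst=203.0.113.9",
]


if __name__ == "__main__":
    print(f"attacker needs a clean run of {len(CHAIN)} stages")
    print(f"P(attack succeeds) = {p_attack_succeeds(CHAIN):.4f}")
    print(f"P(chain broken)    = {p_chain_broken(CHAIN):.4f}")
    for s in CHAIN:
        lost = success_if_control_lost(CHAIN, s.tactic)
        print(f"  lose {s.name:<21} detection -> P(attack succeeds) {lost:.4f}")
    print("uncovered stages:", uncovered_stages(CHAIN))
    print("first detection:", first_detection(CHAIN, SAMPLE_LOG))
```

Two things to note about the design. The probability model assumes the stages are detected independently, which is optimistic; a real program should treat correlated blind spots (the same missing telemetry hiding several stages) as one stage. And `uncovered_stages` is the practical output of the threat-modeling step described above: reconnaissance has no rule here, which is exactly the gap a risk scenario walk-through of the ATT&CK matrix would surface.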