I will fully admit that I sometimes finding myself parroting standard industry tropes. For example, I can’t recall how many times I’ve said in presentations and interviews:
The defender needs to be perfect all the time. The attacker only needs to succeed once.
And yes, it’s totally true. But we spend so much time harping on it that we forget how we can turn that same dynamic to our advantage.
If all the attacker cares about is getting in once, that’s true. If we only focus on stopping that first attack, it’s still true. But what if we shift our goal to detection and containment? Then we open up some opportunities.
As defenders, the more barriers and monitors we put in place, the more we demand perfection from attackers. Look at all those great heist movies like Ocean’s 11 – the thieves have to pass all sorts of hurdles on the way in, while inside, and on the way out to get away with the loot.
We can do the same thing with compartmentalization and extensive alert-based monitoring. More monitored internal barriers are more things an attacker needs to slip past to win. Technically it’s defense in depth, but we all know that term has turned into an excuse to buy more useless crap, mostly on the perimeter, as opposed to increasing internal barriers.
I am not saying it’s easy. Especially since you need alert-based monitors so you aren’t looking at everything by hand. And let’s be honest – although a SIEM is supposed to fill this role (at least the alerting one) almost no one can get SIEM to work that way without spending more than they wasted on their 7-year ERP project. But I’m an analyst so I get to spout out general philosophical stuff from time to time in hopes of inspiring new ideas. (Or annoy you with my mendacity).
Stop wishing for new black boxes. Just drop more barriers, with more monitoring, creating more places for attackers to trip up.
Reader interactions
One Reply to “Force Attacker Perfection”
That “the defenders need to be perfect all the time” is just a convenient but largely unsubstantiated axiom from the security industry. I do not agree at all with that statement. Defenders do not need to be perfect to have effective defensive security, they just need to be disciplined and agile risk managers assigning proper investment weight and attention to the multiple fronts they cover at the right times.
It is also untrue that “the attacker only needs to succeed once”, that is just an over simplification of the attacker’s posture and goals. Even untargeted attacks combine multiple steps and stages these days.
Rather than “defense in depth” I’d use the concept of “security mesh” that Nate Lawson proposed years ago. The former is usually thoughts of a series of security barriers places in sequentially along a radial axis with the protected goods in the center, the later hints at a set of parallel and redundant mechanism that must all fail simultaneously to facilitate compromise. Also, talking about “barriers” in the context of infosec is an anachronism and perpetuates the medieval paradigm (moats, castles, bastion hosts, etc) that have been shaping the community’s practices and technologies for decades.
Here is Nate’s “security mesh” posts from 2007:
http://rdist.root.org/2007/03/26/building-a-mesh-versus-a-chain/
http://rdist.root.org/2007/03/29/chain-defense-in-depth-and-mesh-models-again/