Five Lies and a Truth: Attacking the Defender's Dilemma

There’s an old saying in security: “Attackers only have to be right once; defenders have to be right every time”. We call this “the Defender’s Dilemma”, and many organizations have built their entire security programs around it. But the Defender’s Dilemma is based on a very narrow slice of the attack lifecycle: the initial point of entry. When you look at the full scope of both the attacker’s and the defender’s activity, you see that the assumptions underlying the Defender’s Dilemma are misleading at best, and often entirely wrong. In this presentation, we’ll examine each of those assumptions and demonstrate that they are untrue. In fact, defenders have many advantages that they often fail to realize, and by exploiting them we can create a beneficial situation known as “the Attacker’s Dilemma”.

By the end of this session, attendees will not only realize the fundamental untruths of the Defender’s Dilemma and their negative impacts on security, but also understand how the Attacker’s Dilemma can increase morale, raise attackers’ costs, and improve the security posture of their organizations.

David J. Bianco

December 09, 2021

Transcript

  1. © 2021, David J. Bianco
    Five Lies and a Truth
    Attacking the Defender’s Dilemma
    David J. Bianco
    [email protected]
    @DavidJBianco

  2. About Me
    SANS Instructor
    Principal Engineer, Cybersecurity, Target Corporation
    Incident Detection & Response Researcher
    • The Pyramid of Pain
    • Threat Intelligence
    • Threat Hunting

  3. “Defenders have to get it right every time. Attackers only need to be right once.”
    (Diagram: Defenders vs. Attackers)

  5. The Defender’s Dilemma is Actively Harmful
    Wrong Premise → Bad Decisions → Wasted Resources → Tired, Demoralized Defenders → Bad Security Outcomes

  6. Lie #1: Defense & Offense are Separate
    When you detect an adversary’s use of a particular indicator and respond to it quickly, you force them to expend effort to replace it.
    By imposing cost, you turn a defensive program into an offensive one!
    https://bit.ly/PyramidOfPain

  7. Lie #2: Defenders Must be On Duty 24/7
    Kind of true… BUT!
    Automation and SOAR can mitigate the worst of this asymmetry.
    What is each side doing between attacks?
    • Attackers plan their next attacks
    • Defenders learn skills and improve defenses

  8. Lie #3: Defenders Have to Play Fair
    There’s no such thing as cheating for the Blue Team!
    Attackers have needs, goals and habits. Take advantage of them.
    Deception technology makes it quite easy to lie and cheat at scale.
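As an added illustration of lying and cheating at scale (example code written for this page, not the speaker’s), the following Python plants a decoy service-account name that is unique to each host and alerts on any authentication attempt that uses one. Everything in it is assumed: the per-deployment secret, the `svc-backup-<tag>` naming scheme and the one-line auth log format are constructed for the example. Because no legitimate process ever knows a decoy name, any hit is high-confidence with nothing to tune, and the per-host derivation tells you which machine the attacker harvested it from.

```python
"""Honeytoken credentials: plant per-host decoys, alert on any use.

Added example for this page (not the speaker's code). The deployment secret,
the decoy naming scheme and the auth log format are all constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Assumed: one secret per deployment. Decoy names are derived from it, so the
# SOC can regenerate the decoy-to-host mapping without storing a table.
DEPLOYMENT_SECRET = b"constructed-example-secret-do-not-reuse"


def decoy_username(hostname: str) -> str:
    """Derive a service-account name that exists nowhere except in this host's decoy."""
    tag = hmac.new(DEPLOYMENT_SECRET, hostname.encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc-backup-{tag}"


def plant_decoys(hostnames: List[str]) -> Dict[str, str]:
    """Return {decoy_username: hostname}. In practice each name would be written
    into a plausible but unused place on its host (an old backup script, a
    stale .rdp file, a commented-out connection string)."""
    return {decoy_username(h): h for h in hostnames}


# Constructed log format: "<ts> auth user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def detect_honeytoken_use(log_lines: List[str], decoys: Dict[str, str]) -> List[dict]:
    """Every attempt with a decoy name is an alert, successful or not: no
    legitimate process knows these names, so there is nothing to tune."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than drop the batch
        user = m.group("user")
        if user in decoys:
            alerts.append({
                "ts": m.group("ts"),
                "decoy": user,
                "harvested_from": decoys[user],   # the host the attacker read it on
                "attempt_src": m.group("src"),    # where they tried to use it
                "result": m.group("result"),
            })
    return alerts


HOSTS = ["web01", "web02", "db01"]
DECOYS = plant_decoys(HOSTS)

# Constructed sample log: normal logins plus one attempt with the decoy that
# was planted on web02, coming from a different machine.
SAMPLE_LOG = [
    "2021-12-09T10:00:01Z auth user=alice src=10.0.0.5 result=ok",
    f"2021-12-09T10:02:13Z auth user={decoy_username('web02')} src=10.0.0.77 result=fail",
    "2021-12-09T10:03:40Z auth user=bob src=10.0.0.6 result=ok",
    "this line does not parse and is skipped",
]

if __name__ == "__main__":
    for alert in detect_honeytoken_use(SAMPLE_LOG, DECOYS):
        print(alert)
```

Run it directly to see the single alert from the constructed log. The names are derived with an HMAC rather than stored in a table so the mapping can be regenerated from the secret alone; if the secret is ever exposed, rotate it and re-plant.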

  9. Lie #4: You Can’t Defend Against 0-Days
    An exploit is only a foothold. What comes after is the important bit.
    Look for exploits but concentrate on behaviors!
    MITRE ATT&CK is a great start for cataloging behaviors.
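The following Python is an added example, not code from the talk, and covers both Lie #1 (an indicator is cheap for the attacker to replace) and Lie #4 (key on behaviors, not exploits). It replays two waves of constructed process-creation events through a hash-denylist rule and a behavior rule; in the second wave the attacker has rebuilt and renamed the dropped binary, so the hash rule goes quiet while the behavior rule still fires. The event schema, hashes, paths and command lines are all constructed, and the ATT&CK technique named in the comments is this example’s own mapping rather than anything on the slides.

```python
"""Indicator-based vs. behavior-based detection over process-creation events.

Added example for this page (not the speaker's code). All event data, hashes,
paths and command lines are constructed; nothing here is a real sample.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # file name of the parent process, e.g. "WINWORD.EXE"
    image_path: str     # full path of the new process
    cmdline: str
    sha256: str         # hash of image_path (constructed placeholder values)


# --- Indicator rule ---------------------------------------------------------
# A hash denylist sits at the bottom of the Pyramid of Pain: one rebuild of the
# attacker's tool produces a new hash and the rule is blind again.
KNOWN_BAD_HASH = "d41d8cd9" * 8            # constructed, not a real sample hash
KNOWN_BAD_HASHES: Set[str] = {KNOWN_BAD_HASH}


def indicator_rule(ev: ProcessEvent) -> bool:
    return ev.sha256 in KNOWN_BAD_HASHES


# --- Behavior rule -----------------------------------------------------------
# An Office application should not be launching executables out of user-writable
# directories, nor script hosts with encoded/download-style command lines.
# That is the post-exploit behavior (roughly ATT&CK T1059 reached from a
# malicious document, our own mapping) and it survives any change of hash or name.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-webrequest|frombase64string)",
    re.IGNORECASE,
)


def behavior_rule(ev: ProcessEvent) -> bool:
    if ev.parent_image.lower() not in OFFICE_APPS:
        return False
    image_name = ev.image_path.rsplit("\\", 1)[-1].lower()
    if image_name in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(ev.cmdline):
        return True
    return USER_WRITABLE.search(ev.image_path) is not None


def run_detections(events: List[ProcessEvent]) -> Tuple[List[str], List[str]]:
    """Return (hosts flagged by the indicator rule, hosts flagged by the behavior rule)."""
    ind = [e.host for e in events if indicator_rule(e)]
    beh = [e.host for e in events if behavior_rule(e)]
    return ind, beh


# Constructed wave 1: a macro document drops and runs a loader from %TEMP%.
WAVE_1 = [
    ProcessEvent("ws-17", "explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" invoice.docm', "1111" * 16),
    ProcessEvent("ws-17", "WINWORD.EXE",
                 r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                 "update.exe /silent", KNOWN_BAD_HASH),
    ProcessEvent("ws-17", "WINWORD.EXE",           # benign: print spooler helper
                 r"C:\Windows\System32\spool\drivers\x64\3\splwow64.exe",
                 "splwow64.exe", "2222" * 16),
]

# Constructed wave 2: the same actor after we blocked the hash. The loader is
# rebuilt (new hash) and renamed, and a second document uses an encoded
# PowerShell one-liner instead. The base64 blob is filler, not a real payload.
WAVE_2 = [
    ProcessEvent("ws-23", "WINWORD.EXE",
                 r"C:\Users\asmith\AppData\Roaming\Microsoft\helper.exe",
                 "helper.exe /silent", "abcd" * 16),
    ProcessEvent("ws-23", "EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
                 "3333" * 16),
]

if __name__ == "__main__":
    for name, wave in (("wave 1", WAVE_1), ("wave 2", WAVE_2)):
        ind, beh = run_detections(wave)
        print(f"{name}: indicator hits={ind} behavior hits={beh}")
```

Wave 1 is caught by both rules; wave 2 is caught only by the behavior rule, because the attacker paid a trivial cost (a rebuild and a rename) to invalidate the hash but would have to change how their foothold actually operates to evade the behavior check.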

  10. Lie #5: Defenders Have to Get it Right Every Time
    Attacks are not single events. Attack lifecycle models imply structure and time.
    You have a lot of chances to detect the attacker over the attack’s entire lifetime!

  11. The Truth: The Attacker’s Dilemma!
    (Diagram: Defenders vs. Attackers)
    “Attackers have to get it right through the entire attack. Defenders only need to detect once.”

  12. The Attacker’s Dilemma is Beneficial
    Correct Premise → Good Decisions → Efficient Use of Resources → Energized, Empowered Defenders → Better Security Outcomes

  13. A Throne of Lies
    • Defense & Offense are Separate
    • Defenders Must be On Duty 24/7
    • Defenders Have to Play Fair
    • You Can’t Defend Against 0-Days
    • Defenders Have to be Right Every Time. Attackers Only Have to be Right Once.

  14. Attacking the Defender’s Dilemma
    Questions?
    David J. Bianco
    [email protected]
    @DavidJBianco
