Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Five Lies and a Truth: Attacking the Defender's Dilemma

David J. Bianco
December 09, 2021
Technology
0
230

Five Lies and a Truth: Attacking the Defender's Dilemma

There’s an old saying in security: “Attackers only have to be right once; defenders have to be right every time”. We call this “the Defender’s Dilemma”, and many organizations have built their entire security programs around it. But the Defender’s Dilemma is based on a very narrow slice of the attack lifecycle: the initial point of entry. When you look at the full scope of both the attacker’s and the defender’s activity, you see that the assumptions underlying the Defender’s Dilemma are misleading at best, and often entirely wrong. In this presentation, we’ll examine each of those assumptions and demonstrate that they are untrue. In fact, defenders have many advantages that they often fail to realize, and by exploiting them we can create a beneficial situation known as “the Attacker’s Dilemma”.

By the end of this session, attendees will not only realize the fundamental untruths of the Defender’s Dilemma and their negative impacts on security, but also understand how the Attacker’s Dilemma can increase morale, raise attackers’ costs, and improve the security posture of their organizations.

David J. Bianco

December 09, 2021
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
20
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
160
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
37
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
38
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
940
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
370
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
260
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
アクセス制御にまつわる改善 / Improving access control
itkq
0
510
MySQL の SQL クエリチューニングの要所を掴む勉強会
andpad
2
6k
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
490
ユーザーストーリーのレビューを自動化したみたの
bun913
1
410
Databricks における 『MLOps』
databricksjapan
2
170
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
100
生産性向上チームの紹介
cybozuinsideout
PRO
1
860
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
520
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
開発パフォーマンスを最大化するための開発体制
ham0215
2
180
JAWS-UG Bedrock Claude Night
yamahiro
3
540
現代CSSフレームワークの内部実装とその仕組み
poteboy
8
3.6k

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Building Applications with DynamoDB
mza
88
5.6k
How to name files
jennybc
65
93k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Practical Orchestrator
shlominoach
182
9.7k
Being A Developer After 40
akosma
57
580k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Producing Creativity
orderedlist
PRO
337
39k
Documentation Writing (for coders)
carmenintech
60
3.9k

Transcript

  1. © 2021, David J. Bianco Five Lies and a Truth

    Attacking the Defender’s Dilemma David J. Bianco [email protected] @DavidJBianco

  2. SANS Instructor Principal Engineer, Cybersecurity Target Corporation Incident Detection &

    Response Researcher • The Pyramid of Pain • Threat Intelligence • Threat Hunting About Me

  3. “Defenders have to get it right every time. Attackers only

    need to be right once.” 3 Defenders Attackers

  4. 4

  5. The Defender’s Dilemma is Actively Harmful 5 Wrong Premise Bad

    Decisions Wasted Resources Tired, Demoralized Defenders Bad Security Outcomes

  6. Lie #1: Defense & Offense are Separate 6 When you

    detect an adversary’s use of a particular indicator and respond to it quickly, you force them to expend effort to replace it. By imposing cost, you turn a defensive program into an offensive one! https://bit.ly/PyramidOfPain

  7. Lie #2: Defenders Must be On Duty 24/7 7 Kind

    of true… BUT! Automation and SOAR can mitigate the worst of this asymmetry. What is each side doing between attacks? • Attackers plan their next attacks • Defenders learn skills and improve defenses

  8. Lie #3: Defenders Have to Play Fair 8 There’s no

    such thing as cheating for the Blue Team! Attackers have needs, goals and habits. Take advantage of them. Deception technology makes it quite easy to lie and cheat at scale.

  9. Lie #4: You Can’t Defend Against 0-Days 9 An exploit

    is only a foothold. What comes after is the important bit. Look for exploits but concentrate on behaviors! MITRE ATT&CK is a great start for cataloging behaviors.

  10. Lie #5: Defenders Have to Get it Right Every Time

    10 Attacks are not single events. Attack lifecycle models imply structure and time. You have a lot of chances to detect the attacker over its entire lifetime!

  11. The Truth: The Attacker’s Dilemma! 11 Defenders Attackers “Attackers have

    to get it right through the entire attack. Defenders only need to detect once.”

  12. The Attacker’s Dilemma is Beneficial 12 Correct Premise Good Decisions

    Efficient Use of Resources Energized, Empowered Defenders Better Security Outcomes

  13. A Throne of Lies 13 Defense & Offense are Separate

    Defenders Must be On Duty 24/7 Defenders Have to Play Fair You Can’t Defend Against 0-Days Defenders Have to be Right Every Time. Attackers Only Have to be Right Once.

  14. Attacking the Defender’s Dilemma Questions? David J. Bianco [email protected] @DavidJBianco