
Five Lies & a Truth: Attacking the Defender's Dilemma

There’s an old saying in security: “Attackers only have to be right once; defenders have to be right every time”. We call this “the Defender’s Dilemma”, and many organizations have built their entire security programs around it. But the Defender’s Dilemma is based on a very narrow slice of the attack lifecycle: the initial point of entry. When you look at the full scope of both the attacker’s and the defender’s activity, you see that the assumptions underlying the Defender’s Dilemma are misleading at best, and often entirely wrong. In this presentation, we’ll examine each of those assumptions and demonstrate that they are untrue. In fact, defenders have many advantages that they often fail to realize, and by exploiting them we can create a beneficial situation known as “the Attacker’s Dilemma”.

By the end of this session, attendees will not only realize the fundamental untruths of the Defender’s Dilemma and their negative impacts on security, but also understand how the Attacker’s Dilemma can increase morale, raise attackers’ costs, and improve the security posture of their organizations.

David J. Bianco

October 25, 2022

Transcript

  1. © 2022 SPLUNK INC.
    Five Lies and a Truth: Attacking the Defender’s Dilemma
    David J. Bianco, Staff Security Strategist, SURGe by Splunk
    [email protected]
    @DavidJBianco

  2. About Me
    He/Him
    Staff Security Strategist, SURGe
    SANS Certified Instructor
    Security Researcher
    ● The Pyramid of Pain
    ● Threat Intelligence
    ● Threat Hunting

  3. (no transcript text for this slide)

  4. The Defender’s Dilemma
    “Defenders have to get it right every time. Attackers only need to be right once.”
    – Literally everyone in security at one time or another

  5. The Defender’s Dilemma: Actively Harmful
    Wrong Premise → Bad Decisions → Wasted Resources → Bad Security Outcomes → Demoralized Defenders

  6. Lie #1: Defense & Offense are Separate
    When you detect an adversary’s use of a particular indicator and respond to it quickly, you force them to expend effort to replace it.
    By imposing cost, you turn a defensive program into an offensive one!
    https://bit.ly/PyramidOfPain

  7. Lie #2: Defenders Must be on Duty 24/7
    Kind of true… BUT!
    Automation and SOAR can mitigate the worst of this asymmetry.
    What is each side doing between attacks?
    ● Attackers plan their next operation
    ● Defenders learn skills and improve defenses

  8. Lie #3: Defenders Have to Play Fair
    There’s no such thing as cheating for the Blue Team!
    Attackers have needs, goals and habits. Take advantage of them.
    Deception technology makes it quite easy to lie and cheat at scale.

  9. Lie #4: You Can’t Defend Against 0-Days
    An exploit is only a foothold. What comes after is the important bit.
    Look for exploits, but concentrate on behaviors!
    MITRE ATT&CK is a great start for cataloging behaviors.

  10. Lie #5: Defenders Have to Get it Right Every Time
    Attacks are not single events. Attack lifecycle models imply structure and time.
    You have a lot of chances to detect the attack over its entire lifetime.
    Attackers have to evade your detection at every phase!
    Lockheed-Martin Cyber Kill Chain

  11. The Truth: The Attacker’s Dilemma
    Attackers have to get it right through their entire attack. Defenders only need to detect them once.
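    The argument of slides 10 and 11 can be put in numbers with a simple model: if the attacker must evade detection at every Kill Chain phase, the whole-lifecycle detection probability is far higher than the single "point of entry" number the Defender's Dilemma fixates on. This is an added example, not from the talk; the per-phase detection probabilities are constructed for illustration, and the model assumes each phase's detection is independent of the others.

```python
# Lockheed-Martin Cyber Kill Chain phases in order, each paired with a
# CONSTRUCTED probability that the defender detects the attacker during that
# phase. The values are assumed for illustration, not measurements.
KILL_CHAIN = [
    ("Reconnaissance", 0.05),
    ("Weaponization", 0.00),  # off-network: the defender sees nothing here
    ("Delivery", 0.40),
    ("Exploitation", 0.30),   # the "initial point of entry"
    ("Installation", 0.50),
    ("Command and Control", 0.60),
    ("Actions on Objectives", 0.45),
]


def evasion_probability(phases):
    """Attacker's Dilemma: the attacker must evade every phase, so (assuming
    independent phases) P(evade all) is the product of the per-phase misses."""
    p = 1.0
    for _, detect in phases:
        p *= 1.0 - detect
    return p


def detection_probability(phases):
    """Defenders only need to detect them once: 1 - P(evade all)."""
    return 1.0 - evasion_probability(phases)


def entry_only_view(phases, entry_phase="Exploitation"):
    """Defender's Dilemma view: only the initial point of entry counts."""
    return dict(phases)[entry_phase]


def cumulative_detection(phases):
    """Detection probability after each successive phase: the defender's
    'many chances' accumulating over the attack lifecycle."""
    out, evade = [], 1.0
    for name, detect in phases:
        evade *= 1.0 - detect
        out.append((name, round(1.0 - evade, 4)))
    return out


if __name__ == "__main__":
    print(f"Entry-only (Defender's Dilemma) view: {entry_only_view(KILL_CHAIN):.2f}")
    print(f"Whole-lifecycle detection:            {detection_probability(KILL_CHAIN):.2f}")
    for name, p in cumulative_detection(KILL_CHAIN):
        print(f"  after {name:<22} P(detected) = {p:.2f}")
```

    With these constructed numbers, an entry-only view reports a 30% chance of catching the attacker while the whole-lifecycle view reports about 96%, even though no single phase exceeds 60%.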

  12. The Attacker’s Dilemma is Beneficial
    Correct Premise → Good Decisions → Efficient Use of Resources → Better Security Outcomes → Energized, Empowered Defenders

  13. The Defender’s Dilemma Sits on a Throne of Lies
    Defense & Offense are Separate
    Defenders Must be on Duty 24/7
    Defenders Have to Play Fair
    You Can’t Defend Against 0-Days
    Defenders Have to Get it Right Every Time

  14. Five Lies and a Truth: Attacking the Defender’s Dilemma (closing slide, same title and contact details as slide 1)