Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Five Lies & a Truth: Attacking the Defender's D...

David J. Bianco
October 25, 2022
Technology
0
63

Five Lies & a Truth: Attacking the Defender's Dilemma

There’s an old saying in security: “Attackers only have to be right once; defenders have to be right every time”. We call this “the Defender’s Dilemma”, and many organizations have built their entire security programs around it. But the Defender’s Dilemma is based on a very narrow slice of the attack lifecycle: the initial point of entry. When you look at the full scope of both the attacker’s and the defender’s activity, you see that the assumptions underlying the Defender’s Dilemma are misleading at best, and often entirely wrong. In this presentation, we’ll examine each of those assumptions and demonstrate that they are untrue. In fact, defenders have many advantages that they often fail to realize, and by exploiting them we can create a beneficial situation known as “the Attacker’s Dilemma”.

By the end of this session, attendees will not only realize the fundamental untruths of the Defender’s Dilemma and their negative impacts on security, but also understand how the Attacker’s Dilemma can increase morale, raise attackers’ costs, and improve the security posture of their organizations.

David J. Bianco

October 25, 2022
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
39
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
190
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
290
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
970
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
390
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
270
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
Taming you application's environments
salaboy
0
180
[FOSS4G 2019 Niigata] AIによる効率的危険斜面抽出システムの開発について
nssv
0
310

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Designing Experiences People Love
moore
138
23k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Thoughts on Productivity
jonyablonski
67
4.3k
A better future with KSS
kneath
238
17k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
What's new in Ruby 2.0
geeforr
343
31k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
How STYLIGHT went responsive
nonsquared
95
5.2k
What's in a price? How to price your products and services
michaelherold
243
12k
BBQ
matthewcrist
85
9.3k

Transcript

  1. © 2022 SPLUNK INC. Five Lies and a Truth Attacking

    the Defender’s Dilemma David J. Bianco Staff Security Strategist SURGe by Splunk [email protected] @DavidJBianco

  2. © 2022 SPLUNK INC. About Me He/Him Staff Security Strategist,

    SURGe SANS Certified Instructor Security Researcher • The Pyramid of Pain • Threat Intelligence • Threat Hunting

  3. © 2022 SPLUNK INC.

  4. © 2022 SPLUNK INC. “Defenders have to get it right

    every time. Attackers only need to be right once.” – Literally everyone in security at one time or another The Defender’s Dilemma

  5. © 2022 SPLUNK INC. The Defender’s Dilemma: Actively Harmful Wrong

    Premise Bad Decisions Wasted Resources Bad Security Outcomes Demoralized Defenders

  6. © 2022 SPLUNK INC. Lie #1: Defense & Offense are

    Separate When you detect an adversary’s use of a particular indicator and respond to it quickly, you force them to expend effort to replace it. By imposing cost, you turn a defensive program into an offensive one! https://bit.ly/PyramidOfPain

  7. © 2022 SPLUNK INC. Lie #2: Defenders Must be on

    Duty 24/7 Kind of true… BUT! Automation and SOAR can mitigate the worst of this asymmetry. What is each side doing between attacks? • Attackers plan their next operation • Defenders learn skills and improve defenses

  8. © 2022 SPLUNK INC. Lie #3: Defenders Have to Play

    Fair There’s no such thing as cheating for the Blue Team! Attackers have needs, goals and habits. Take advantage of them. Deception technology makes it quite easy to lie and cheat at scale.

  9. © 2022 SPLUNK INC. Lie #4: You Can’t Defend Against

    0-Days An exploit is only a foothold. What comes after is the important bit. Look for exploits, but concentrate on behaviors! MITRE ATT&CK is a great start for cataloging behaviors.

  10. © 2022 SPLUNK INC. Lie #5: Defenders Have to Get

    it Right Every Time Attacks are not single events. Attack lifecycle models imply structure and time. You have a lot of chances to detect the attack over its entire lifetime. Attackers have to evade your detection at every phase! Lockheed-Martin Cyber Kill Chain

  11. © 2022 SPLUNK INC. Attackers have to get it right

    through their entire attack. Defenders only need to detect them once. The Truth: The Attacker’s Dilemma

  12. © 2022 SPLUNK INC. The Attacker’s Dilemma is Beneficial Correct

    Premise Good Decisions Efficient Use of Resources Better Security Outcomes Engergized, Empowered Defenders

  13. © 2022 SPLUNK INC. The Defender’s Dilemma Sits on a

    Throne of Lies Defense & Offense are Separate Defenders Must be on Duty 24/7 Defenders Have to Play Fair You Can’t Defend Against 0-Days Defenders Have to Get it Right Every Time

  14. © 2022 SPLUNK INC. Five Lies and a Truth Attacking

    the Defender’s Dilemma David J. Bianco Staff Security Strategist SURGe by Splunk [email protected] @DavidJBianco