Virtually every security professional has encountered “the defender’s dilemma” at some point in their career. It goes like this: “Defenders must always be right. Attackers only have to be right once.”
The idea that attackers hold every advantage and that defenders should sit passively, waiting for something to respond to, is practically an axiom of cybersecurity.
It’s also a lie.
Basing a security strategy on the defender’s dilemma harms your security program. Starting from an incorrect premise leads to bad decisions. You may be wasting money on products, services, or capabilities you don’t really need, or underinvesting in the ones you do need. Your security personnel become overwhelmed and demoralized, and struggle to get good results.
Defenders rightly expect attackers to lie and cheat to achieve their goals, but sometimes we forget that lying and cheating can work both ways.
If you believe the lie of the defender’s dilemma, there are other lies you must also believe, because the defender’s dilemma rests on them. Let’s take a closer look at each of these lies and discuss strategies you can use to negate their harmful effects and turn them into benefits for your team.
Lie No. 1: Defense and offense are separate
The defender’s dilemma means that your security team is purely passive, waiting for attacks. But thinking in terms of “defense” and “attack” is a false dichotomy.
The Pyramid of Pain shows that by consistently detecting and responding to threat actor activity fast enough to stop attacks, you can impose a cost on that actor, turning defense into offense. Concentrating your detection development efforts on the top half of the pyramid may not completely prevent attacks, but it will make actors work harder to succeed. That changes the economics of their attacks and also buys you valuable time to respond.
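To make the Pyramid of Pain argument concrete, here is an added example (not from the original article) that runs the same constructed process-creation events through two detectors: one keyed on file hashes (bottom of the pyramid) and one keyed on a behavior (top of the pyramid). The event format, the hash values, the paths and the behavior rule are all assumptions made for illustration.

```python
# Added example (not from the original article): the same constructed process
# creation events run through two detectors, one built on the bottom of the
# Pyramid of Pain (file hashes) and one on the top (a behaviour / TTP).
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:
    day: int
    parent: str    # image name of the parent process
    image: str     # full path of the new process
    sha256: str    # hash of the new executable (constructed placeholder values)

# Bottom of the pyramid: hashes of tool builds seen in earlier incidents.
KNOWN_BAD_HASHES = {"c0ffee01-build1"}

# Top of the pyramid: an office application launching a command interpreter
# or a binary from a user-writable temp directory is rarely legitimate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

def hash_detector(ev: ProcEvent) -> bool:
    return ev.sha256 in KNOWN_BAD_HASHES

def ttp_detector(ev: ProcEvent) -> bool:
    path = PureWindowsPath(ev.image)
    in_temp = any(part.lower() == "temp" for part in path.parts)
    return ev.parent.lower() in OFFICE_APPS and (path.name.lower() in INTERPRETERS or in_temp)

def run(events, detector):
    """Return the indices of the events the detector flags."""
    return [i for i, ev in enumerate(events) if detector(ev)]

# Constructed events: day 1 uses a tool build whose hash is already known; on
# day 2 the actor rebuilt the tool (new hash) but kept the same delivery behaviour.
# The last two events are benign and should not be flagged by either detector.
EVENTS = [
    ProcEvent(1, "winword.exe", r"C:\Users\u\AppData\Local\Temp\invoice.exe", "c0ffee01-build1"),
    ProcEvent(2, "winword.exe", r"C:\Users\u\AppData\Local\Temp\invoice.exe", "c0ffee02-build2"),
    ProcEvent(2, "explorer.exe", r"C:\Windows\System32\cmd.exe", "unchanged-system-binary"),
    ProcEvent(2, "winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\excel.exe",
              "unchanged-system-binary"),
]

if __name__ == "__main__":
    print("hash detector flags:", run(EVENTS, hash_detector))  # [0]
    print("TTP detector flags: ", run(EVENTS, ttp_detector))   # [0, 1]
```

Rebuilding the tool was enough to slip past the hash detector on day 2; to get past the behavior detector the actor would have to change how they deliver and launch it, which is the cost the pyramid is about.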
Lie No. 2: Defenders must be on duty 24/7
Your defenses have to work around the clock, while attackers can choose the timing of their attacks carefully, striking in the evenings, on weekends or over holidays. That doesn’t mean, however, that people must be on call for everything.
Automation and SOAR technology can turn IR playbooks into automated responses. Containing an incident within seconds or minutes of detection, and collecting basic IR data along the way, shortens time to containment and significantly reduces reliance on off-hours staff.
Also consider what each side does between attacks. While threat actors plan their next move, your team can’t sit still either. Use the time between incidents to improve team and individual skills. Learn from past incidents to improve detection and response plans. Take classes or pick up new skills. Use threat hunting to identify new detection or IR techniques. What preyed on you yesterday may be something you detect and block tomorrow.