I’ve had it. It is time to retire some of the old, worn-out cybersecurity clichés polluting the landscape. Clichés are painful to hear. At the top of the list is the ‘defender’s dilemma’. This platitude states that breaches occur because attackers only have to be right once, whereas defenders have to get cybersecurity right every single time. I’ll admit, I’ve used this cliché myself, but no longer! This adage places organizations at a distinct disadvantage. Followed to its logical conclusion, it implies that no matter what you do, you are bound to fail. This seems to be a theme in many cybersecurity discussions, but it is a subject for another day.
The problem with the defender’s dilemma is that both parts of the statement are flawed.
Saying an attacker only needs to get it right once sounds like the idiom, “Even a blind squirrel finds a nut every so often.” The implication is that attackers do not need to work hard to breach security defenses. This is the exact opposite of reality. Attackers work at their trade. The MITRE ATT&CK knowledge base of adversary tactics and techniques explains the variety of activities required to successfully execute a cyberattack campaign.
Attackers must research their targets and conduct reconnaissance to determine the best entry point. Cybercriminals then need to compromise their target to gain a foothold. Next, they work to elevate privileges and compromise additional systems to facilitate lateral movement. Just like a physical thief, they search for valuables to steal in order to collect their payoff. To be successful, all of these activities must go undetected; otherwise the operation will be exposed. When that happens, it is back to the beginning. This is not a job for a blind squirrel.
On the defender’s side, saying you must be right all the time is tantamount to advocating for perfect security. Perfect security is a fool’s errand – it isn’t going to happen. As Franz Kafka implied in his short story, “A Hunger Artist,” the search for perfection is, ultimately, the inability to accept reality for what it is. Absolute security fails because it creates an unwillingness to…