Practically every security professional has run across “the defender’s dilemma” sometime in their career. It goes like this: “Defenders have to be right every time. Attackers only need to be right once.”
The idea that attackers have all the advantages and that defenders must be passive and wait for something to respond to is practically an axiom of cybersecurity.
It is also a lie.
Basing a security strategy around the defender’s dilemma harms your security program. Starting with an incorrect premise leads to bad decisions. You may waste money on products, services or capabilities you don’t truly need or underinvest in the ones you do. Your security staff becomes overwhelmed, demoralized and has trouble delivering good outcomes.
Defenders rightly expect attackers to lie and cheat to achieve their goals, but sometimes we forget that lying and cheating can work both ways.
If you believe the lie of the defender’s dilemma, there are other lies you have to believe as well because the defender’s dilemma relies upon them. Let’s look at each of these lies in detail and discuss strategies you can use to negate their harmful effects and turn them into advantages for your team.
Lie No. 1: Defense and offense are separate
The defender’s dilemma implies that your security team is purely passive, sitting around waiting for attacks to happen. But thinking in terms of “defense” and “offense” is a false dichotomy.
The Pyramid of Pain shows that by consistently detecting and responding to threat actor activity quickly enough to stop attacks in their tracks, you can impose cost on that actor, turning defense into offense. By concentrating your detection development efforts on the top half of the pyramid, you may not be able to prevent attacks entirely, but you will make actors work harder to be successful. That changes the economics of their attacks and also buys you valuable time to respond.
Lie No. 2: Defenders must be on duty 24/7
Your defenses must operate around the clock, while attackers can carefully choose the timing of their attacks to occur on evenings, weekends or holidays. That doesn’t mean humans always have to be engaged for everything, though.
Automation and SOAR technology can turn IR playbooks into an automated response. Driving an incident to containment within seconds or minutes of detection and collecting basic IR data along the way improves time-to-containment and significantly decreases reliance on off-hours staffing.
Consider also what each side is doing in between attacks. While threat actors plan their next attacks, your team should not be sitting idle. Use the time between incidents to level up group capabilities and individual skills. Learn from past incidents to improve detection and playbooks. Take classes or learn new skills. Use threat hunting to identify new detection or IR techniques. What you might have fallen prey to yesterday could be something you detect and interdict tomorrow.