>in principle, cybersecurity is advantage defender

I disagree.

The defender must be right every single time. The attacker only has to get lucky and thanks to scale they can do that every day all day in most large organizations.

▲

janalsncm 3 days ago | parent | next [-]

My understanding of defense in depth is that it is a hedge against this. By using multiple uncorrelated layers (e.g. the security guard shouldn’t get sleepier when the bank vault is unlocked) you are transforming a problem of “the defender has to get it right every time” into “the attacker has to get through each of the layers at the same time”.

	▲	mapontosevenths 2 days ago \| parent [-]
		It is a hedge, that said it only reduces the probability of an event and does not eliminate it. To use your example, if the odds of the guard being asleep and the vault being unlocked are both 1% we have a 0.0001 chance on any given day. Phew, we're safe... Except that Google says there are 68,632 bank branch locations in the US alone. That means it will happen roughly 7 times on any given day someplace in America! Now apply that to the scale of the internet. The attackers can rattle the locks in every single bank in an afternoon for almost zero cost. The poorly defended ones have something close to 100% odds of being breached, and the well defended ones how low odds on any given day, but over a long enough timeline it becomes inevitable. To again use your bank example. if we only have one bank, but keep those odds it means that over about 191 years the event will happen 7 times. Or to restate that number, it is like to happen at least once every 27 years. You'll have about 25% odds of it happening in any 7 year span. For any individual target, it becomes unlikely, but also still inevitable. From an attackers perspective this means the game is rigged in their favor. They have many billions of potential targets, and the cost of an attack is close to zero. From a defenders perspective it means realizing that even with defense in depth the breach is still going to happen eventually and that the bigger the company is the more likely it is. Cyber is about mitigating risk, not eliminating it.

▲

NegativeK 2 days ago | parent | prev | next [-]

The defender must be right every single time, and the attacker right only once.

Until the attacker has initial access.

Then the attacker needs to be right every single time.

▲

traderj0e 3 days ago | parent | prev | next [-]

Well, the attacker has something to lose too. It's not like the defender has to be perfect or else attacks will just happen, it takes time/money to invest in attacking.

▲

mapontosevenths 2 days ago | parent [-]

The cost to your average ransomware crew can be rounded down to zero, because it's pretty darn close. They use automated tools running on other peoples computers and utilizing other peoples connectivity. The tools themselves for most RaaS (ransomware as a service) affiliates are also close to zero cost, as they pay the operator a percentage of profits.

The time is a cost, but at scale any individual target is a pretty minor investment since it's 90%+ automated. Also, these aren't folks that are otherwise highly employable. The opportunity cost to them is also usually very low.

The last attacker I got into a conversation with was interesting. Turns out, he was a 16 year old from Atlanta GA using a toolkit as an affiliate. He claimed he made ~100k/year and used the money on cars and girls. I felt like he was inflating that number to brag. His alternative probably would have been McDonalds, and as a minor if he got caught it would've been probation most likely. I told him to come to the blue team, we pay better.

▲

traderj0e 2 days ago | parent [-]

At the end of the day, that guy is spending all of his finite hacking time setting up and maintaining these exploits and stolen infra. His marginal cost of breaching you is 0 if you're already vulnerable to the exact same exploit he already set up, but that's a big if, and someone else spent their finite time making toolkits. Otherwise you'd expect everything on the Internet that has any kind of vuln to be breached already.

Anyway I'm curious about the 16yo. Is it that he has special skills, or is it just that minors will do that dirty work for cheaper, given lower consequences and fewer other opportunities?

	▲	mapontosevenths a day ago \| parent [-]
		> m curious about the 16yo. Is it that he has special skills, or is it just that minors will do that dirty work for cheaper, given lower consequences and fewer other opportunities? I was only able to keep him talking for about 20 minutes, so I can only speculate, but he was using off the shelf RaaS tools that he had modified to make more convincing. I actually got him talking by pointing out that a trick he'd done with the spoofed email headers from "coinbase" was clever, so he was definitely skilled for someone so young. He also had done his homework and knew a bit about me. It's likely he was recruited just because he was too young for prison, but that he was relatively successful because he was clever.

▲

coldtea 2 days ago | parent | prev | next [-]

Not to mention an attacker motivated by financial gain doesn't even need a particular targer defender. One/any found available will do.

▲

tptacek 3 days ago | parent | prev [-]

The attacker and defender have different constant factors, and, up until very recently, constant factors dominated the analysis.