The attacker only has to get it right once. The defender, on the other hand, must be right 100% of the time.
This adage and its different variations may be one of the most persistent misconceptions thrown around in the security world.
It’s commonly brought up following breaches and security incidents to justify their success in a bleak and twisted way. As if to imply that the attacker would have ultimately found a way to break into the company anyway. They always have the advantage. It was inevitable.
Never mind the nihilism such a line of thought implicitly accepts (who wouldn’t be depressed to be in a line of work where their massive efforts amount to zero); there is something deeply misleading about it. It omits an important assumption. The attacker only has to get it right once if you’re one vulnerability away from being completely destroyed.
If one flaw in your system can bring down your whole company, if your whole security posture rests on VPN isolation, a Web Application Firewall, or any other single defense hypothesis, then yes, the attacker only has to poke a hole in that single layer to sink your business. But it does not have to be this way. The attacker only has the advantage because the company willingly surrendered it in the first place!
Let’s say the attacker finds a 0-day vulnerability in your VPN appliance. There is nothing you can do about that. It happens. Point 1 for the attacker.
In a well-structured defense strategy, though, that should not be the end of it. In fact, the game has just started.
The attacker creates an account on the VPN with full access to all networks. That should be picked up by your monitoring system as an unusual event. Maybe they connect from a previously unseen country. Another red flag. They start scanning the network looking for vulnerable apps. They go through your shared drives for passwords. That much unusual activity from a single IP address should make your security dashboard blow up like a volcano. Strong authentication forms protecting all your Web apps force the attacker to brute-force credentials on machines and Web apps. The number of failed authentication events should scream in your monitoring system. They inadvertently scan a Canary machine or honeypot. If that’s not enough to rouse even the most complacent teams, nothing will.
Let’s say the attacker somehow evades these landmines and finds AWS/GCP/Azure credentials on a forgotten network drive that escaped your attention. Point 2 for the attacker. Those credentials carry very restrictive rights because of the decent hardening you did. They start doing some reconnaissance to figure out which permissions they have. Another precious detection pattern that should beep in your detection system: one user attempting access to dozens of services in a limited time window. That’s odd. They find their way to an S3 bucket holding data. They start downloading what they can. Of course you know that no single user should download more than 1000 documents an hour, so they trigger yet another silent alarm… and the story goes on.
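The three detection patterns from the last two paragraphs, a burst of failed authentications from one address, one identity probing dozens of services in a short window, and a user pulling more than 1000 documents in an hour, written as small sliding-window rules run over constructed log records. This is an added example and not code from the original essay; the Event fields, the action vocabulary, the user names and IP addresses, and every threshold except the 1000-documents-an-hour figure from the text are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One normalised log record. Field names are an assumption for this example."""
    ts: datetime
    user: str
    src_ip: str
    action: str   # assumed vocabulary: "auth", "api_call", "get_object"
    target: str   # host, cloud service, or bucket the action touched
    outcome: str  # "success" or "failure"


T0 = datetime(2024, 1, 1, 9, 0, 0)


def constructed_events() -> List[Event]:
    """Constructed sample log: one benign employee plus the intruder from the essay."""
    ev: List[Event] = []
    # Benign background: alice mistypes her password a few times, then pulls 50 reports.
    for i in range(3):
        ev.append(Event(T0 + timedelta(minutes=i), "alice", "198.51.100.20", "auth", "intranet", "failure"))
    ev.append(Event(T0 + timedelta(minutes=4), "alice", "198.51.100.20", "auth", "intranet", "success"))
    for i in range(50):
        ev.append(Event(T0 + timedelta(minutes=10, seconds=i), "alice", "198.51.100.20", "get_object", "s3://reports", "success"))
    # Intruder: 30 failed logins against one host from a single address in two minutes.
    for i in range(30):
        ev.append(Event(T0 + timedelta(seconds=4 * i), "admin", "203.0.113.7", "auth", "jenkins", "failure"))
    # Intruder with the found cloud key: touches 15 distinct services in three minutes ...
    for i in range(15):
        ev.append(Event(T0 + timedelta(minutes=30, seconds=12 * i), "svc-backup", "203.0.113.7", "api_call", f"service-{i}", "failure"))
    # ... then pulls 1200 objects from one bucket in about 40 minutes.
    for i in range(1200):
        ev.append(Event(T0 + timedelta(minutes=40, seconds=2 * i), "svc-backup", "203.0.113.7", "get_object", "s3://customer-data", "success"))
    return ev


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def _max_distinct_in_window(pairs: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct targets touched inside any interval of length `window`."""
    pairs = sorted(pairs)
    best = 0
    for i, (start, _) in enumerate(pairs):
        seen = {tgt for ts, tgt in pairs[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best


def failed_auth_storms(events: List[Event], threshold: int = 20, window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed authentications in one window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action == "auth" and e.outcome == "failure":
            by_ip[e.src_ip].append(e.ts)
    return {ip: n for ip, ts in by_ip.items() if (n := _max_in_window(ts, window)) >= threshold}


def service_recon(events: List[Event], threshold: int = 10, window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Identities that touched at least `threshold` distinct services in one window."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.action == "api_call":
            by_user[e.user].append((e.ts, e.target))
    return {u: n for u, p in by_user.items() if (n := _max_distinct_in_window(p, window)) >= threshold}


def bulk_download(events: List[Event], threshold: int = 1000, window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Users that fetched more than `threshold` objects within one window (1000/hour is the essay's figure)."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action == "get_object" and e.outcome == "success":
            by_user[e.user].append(e.ts)
    return {u: n for u, ts in by_user.items() if (n := _max_in_window(ts, window)) > threshold}


def run_all(events: List[Event] = None) -> Dict[str, Dict[str, int]]:
    """Run every rule and return the hits, keyed by rule name."""
    events = constructed_events() if events is None else events
    return {
        "failed_auth_storm": failed_auth_storms(events),
        "service_recon": service_recon(events),
        "bulk_download": bulk_download(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits or 'no hits'}")
```

Each rule keys on something the intruder cannot easily change from inside the network (the source address or the identity they stole) and uses a sliding window rather than a fixed per-hour bucket, so an attacker pacing their downloads across a clock boundary still trips the 1000-object rule. The thresholds are deliberately loose; in practice they come from the normal-behaviour baseline the essay says a company must know.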
Every time they take a step in a given direction they either face a polished ice wall, or silently trip over a digital wire likely to expose them. The goal of a security team is to create as many hoops as possible for the attacker to jump through. Each hoop more difficult than the last. More treacherous. More devious. That’s defense in depth. Not stacking different Firewall vendors.
In such a scenario, it’s the attacker that has to get it right every damn time, otherwise they will burn their access. True, the attacker has the upper hand when it comes to that first vulnerability, but once they are inside the network, it’s a completely different story. They don’t know the architecture, the apps, the data, or the nominal behavior of users, so they will necessarily stick out like a sore thumb, at least for a while. That’s your opportunity to flag them. Every protection and detection measure you put in place should force them toward a path that exposes them to your monitoring system. After all, it is your home. Your rules prevail.
A company that does not fully understand its system architecture or what normal traffic looks like, and that lacks the ability to detect and protect its resources, will obviously fail in this endeavor. It suddenly finds itself one vulnerability away from being fully 0wned, but it’s not the attacker that exploited some unfair advantage. It’s the company that surrendered any advantage it had.
And that… that’s a crucial difference.