We have all heard the mantra:
“Attackers only have to be right once; defenders have to be right every time.”
It is, of course, complete nonsense and something only people who don’t understand how compromising computers actually works. The more accurate statement is:
“Attackers have to be right every time, and in series.”
To draw a simple analogy, imagine you are about to enter a house that is not yours. You can see the outside of the house and the door into the house, but inside the house it is pitch black. You’ve been inside the same style of house before so you have a rough idea of where the walls and doors and stairways are, but you don’t know what furniture is where and what modifications to the actual house might have been made. To get from the foyer to a bedroom with a treasure chest in the closet involves you taking tiny steps and moving your hands around in front of you in the hopes that you don’t trip on a shoe or knock over a lamp — something that would let the owner of the house know you were there.
Extending the analogy a bit, you worry that the homeowners are not dead asleep. You worry that they have motion sensors installed around the house. That there are infra-red cameras watching you stumble around. That they own night vision goggles and are handy with a shotgun. These are all things that would bring your hunt for treasure to a quick halt and all things that could be deployed against you without your knowledge.
In the never-ending debate over the relative advantages of offense over defense, or vice versa, the trend recently has been to promote defender advantages. Attackers aren’t all that because this is your house! Nobody ****s with you in your house!
The problem of course is that you might live in the metaphorical house, but you also might have no earthly idea how to use it to your advantage. If you’ve owned several houses in different parts of the country over the course of several decades, this is all old hat, but the new homeowner (so to speak) lacks a great deal of your knowledge and experience.
Take recent events in Texas as an example. People who live in the northern part of the country know exactly what to do when the temperatures drop below a certain level in order to prevent their water pipes from freezing. If you’ve only ever lived in Texas and never experienced epic cold relative to the region, you’re going to have a bad day. The temperatures may be back to normal, but the cost, suffering, and inconvenience associated with those rare days lingers.
There is a growing chorus of defenders who are piling on the suffering and woe of other defenders (sometimes “defenders”) because the latter are not taking advantage of the benefits ‘home ownership’ affords. This is a special kind of arrogance considering:
- You have no idea how complicated someone else’s network is.
- You have no idea how skilled or knowledgeable another defender is.
- You have no idea what resources that defender has (or doesn’t).
- You have no idea what competing priorities that person has to contend with.
If you’re only responsible for defending yourself, or your home lab, or a relatively simple IT enterprise, or deal in research and theory, your opinion about what someone else woulda/coulda/shoulda done isn’t particularly useful. It is, in fact, divisive and detrimental.
At some point in your career you were the person who was under the gun. Who was at a loss. Who didn’t know how they were going to get themselves out of the fix they were in. At that point in time you would have given anything for someone to extend you a hand and help shoulder the burden. There are times when the best thing one can do for cyber defense has nothing to do with technology and everything to do with empathy.
Or keep throwing drowning men bricks and see where that takes the community.