Disclaimer
All the opinions and views discussed here are mine and do not necessarily represent the views of my employer. I am not an expert; I am just sharing my views on topics that interest me the most, and I’m open to other perspectives.
I was never a fan of the expression “security teams must get it right 100% of the time, attackers only have to be right once”, and I hear it a lot, primarily from vendors. These vendors purposely overhype every security issue to push their agenda. They claim that their product can defeat any threat and that it will be the only solution any organization will ever need. Such narratives become especially problematic when they are fed directly to decision-makers (CISO/CTO/Director), who then set unrealistic expectations for their security teams.
First of all, let’s get a couple of things straight: threat actors have to jump through multiple hoops to meet their objectives. On the other side, defenders do not have to get it right all the time to detect or prevent a threat when defence in depth is applied. If we look at the Tactics, Techniques, and Procedures (TTPs) that threat actors currently use most to gain a foothold inside a network, multiple steps need to be followed to achieve their goals, and each phase carries its own detection risk for the attacker. Even if attackers manage to compromise a host inside the network, defenders have plenty of opportunities to detect and kick them out.
To further my point, I will include two example attack scenarios that every security team sees daily. I will concentrate on initial access, as this is where most vendors make the absurd claim “security teams must get it right 100% of the time, attackers only have to be right once”. I will also provide detection opportunities based on these realistic scenarios. MITRE ATT&CK is a great place to learn more about known TTPs and any related resources a defender would need to detect an attack at any stage.
Attack: Phishing email
Attacker:
- Identify targets
- Generate the payload
- Send out the emails from a clean domain
- Set up the infrastructure to facilitate the multi-staged attack
Detection opportunities:
- Secure Email Gateway inspecting suspicious emails based on a range of criteria
- AV on the email server for scanning attachments
- Sandboxing technologies can help identify malicious attachments by “detonating” them and looking for malicious patterns of execution.
- IDS/IPS systems that could pick up malicious traffic
- AV/EDR on endpoints as one of the last lines of defence.
- Alerts based on event log correlation regarding this activity (example Sigma rule for detecting this activity: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_office_shell.yml)
As you can see in this first and most common example, there are not one, not two, but six different detection opportunities for defenders. Admittedly, defenders are expected to have some of these resources in place to combat this threat.
Attack: Exploit Public-Facing Application
Attacker:
- Identify vulnerable targets via reconnaissance
- Exploit the vulnerable systems
- Maintain access on the exploited host
Detection opportunities:
- IDS/IPS/WAF detecting or preventing the exploitation attempts
- AV/EDR detecting and preventing subsequent malicious payloads
- Alerts based on event log correlation regarding this activity (example Sigma rule for detecting this activity: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_webshell_spawn.yml)
- IDS/IPS to further detect scanning or lateral movement if the above detections failed.
In this example, we as defenders again have multiple opportunities to detect the malicious activity. I could include other detection methods, such as firewall-appliance detections based on a high volume of incoming traffic from a specific external IP. However, this is not very realistic due to the noise: many IPs are scanning the whole internet, some benign (e.g. Shodan, security researchers) and others malicious.
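To show what the “event log correlation” opportunity in both scenarios looks like in practice, here is a small detection routine written for this post (it is not the Sigma rules themselves or any SigmaHQ code). It approximates the parent/child logic behind the two linked rules, Office applications and web server processes spawning a shell, and runs it over constructed Sysmon-style process creation events; the process name lists are assumptions and deliberately shorter than the real rules.

```python
from typing import Iterable, List, Optional, Tuple

# Assumed, simplified process lists; the real Sigma rules cover more binaries.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
WEBSERVER_PARENTS = ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path (Sysmon logs full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a detection name when the parent/child pair matches, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if child not in SHELLS:
        return None  # an Office app or web server launching a non-shell is normal
    if parent in OFFICE_PARENTS:
        return "office_spawning_shell"  # phishing scenario: malicious document
    if parent in WEBSERVER_PARENTS:
        return "webserver_spawning_shell"  # public-facing app scenario: web shell
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run classify() over a stream of events; return (detection, command line) hits."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((name, ev.get("CommandLine", "")))
    return hits


# Constructed sample events (Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start stage2.vbs"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # a user opening a terminal: benign
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},  # printing helper: benign
]

if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"ALERT {name}: {cmd}")
```

Only the first two sample events fire; the explorer.exe and print-helper events show why the rule keys on the parent process rather than on cmd.exe alone.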
Assuming that attackers make it inside the network, similar detection opportunities would apply to detect evil. Defenders should consider applying proper network segmentation, logging, and patching at the minimum. On top of that, a proactive approach using threat intelligence, threat hunting, and continuous monitoring can provide more opportunities for defenders to detect suspicious activities on the network.
I have wanted to make this post for some time now because irrational claims like this are very common from vendors. It is imperative to proactively educate our business decision-makers before an aggressive sales/marketing team does so with false claims. Threat intelligence can also help bring down the hype and focus on what is important for the organization to reduce risk.
References:
- The Myth of Adversary Advantage - a great article from the team at Dragos that explains this problem so elegantly
- Forcing attackers to be 100% right - another great, myth-busting article
- https://attack.mitre.org
- http://thedfirreport.com - check out the steps attackers are taking in real-life intrusions and get detections that will help you defend your network
If you have any comments or questions, feel free to reach out to me directly:
Kostas (@Kostastsale) / Twitter