This blog post stems from a recent conversation with a former colleague, David Bianco, on the “Defender’s Dilemma.” The Defender’s Dilemma is often cited by those without firsthand experience in investigating cybersecurity incidents. The premise is that hackers only need to succeed once, while defenders must be successful every time. This notion is flawed and reveals a fundamental misunderstanding of a typical cybersecurity attack.

Much of my current work centers on developing detection logic for various organizations. This involves detecting threat actors as early as possible, informed by my own research as well as by analysis of publicly known cybersecurity attacks. My focus is on identifying threats early in the kill chain, such as during payload delivery, detecting actions as they occur, and monitoring for activity post-exploitation. The goal is to identify threat actors at every possible stage of their attack. You can probably already start to see why this thinking is flawed…

Detection Can Occur in All But One Phase of the Cyber Kill Chain

When considering a cyber attack, it’s essential to view it comprehensively, from start to finish, through the lens of the Cyber Kill Chain. An attacker must succeed at each stage of the kill chain to evade detection by defenders.

For instance, if an organization monitors domain registrations and TLS Certificate Transparency logs, it might proactively identify an attacker’s infrastructure and take preventive action to block or dismantle it before the attacker even attempts to deliver their payload.
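The Certificate Transparency check described above, as an added example that is not code from the original post: it scans a constructed list of DNS names from hypothetical CT log entries and flags names that impersonate the organisation's own domain (assumed here to be example.com) by homoglyph substitution, small edit distance, or embedding the brand in another label. The confusable-character map and the two-label registrable-domain rule are simplifying assumptions.

```python
# Constructed sample names from hypothetical CT log entries; only example.com is the org's.
SAMPLE_CT_NAMES = [
    "example.com", "www.example.com",   # the organisation's own certificates
    "examp1e.com",                      # digit 1 standing in for l
    "exarnple.com",                     # "rn" standing in for "m"
    "login-example.com",                # brand embedded in a new label
    "exmaple.com",                      # transposed letters
    "example.com.cdn-static.net",       # brand as a leading label
]
ORG_DOMAINS = {"example.com"}
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # assumed map

def normalize(label):
    # Fold common substitutions so visual lookalikes collapse to the brand string.
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def registrable(name):
    # Assumption: registrable domain = last two labels (no public-suffix lookup).
    return ".".join(name.lower().strip(".").split(".")[-2:])

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, org_domains=ORG_DOMAINS, max_distance=2):
    # Return why `name` looks like it impersonates an org domain, or None.
    reg = registrable(name)
    if reg in org_domains:
        return None                                    # the org's own domain
    sld = reg.split(".")[0]
    for org in org_domains:
        brand = org.split(".")[0]
        if normalize(sld) == brand:
            return "homoglyph of " + org
        if levenshtein(sld, brand) <= max_distance:    # typo-style lookalikes
            return "edit-distance lookalike of " + org
        # Brand appearing in any label except the TLD (e.g. as a leading label).
        if any(brand in normalize(lab) for lab in name.lower().strip(".").split(".")[:-1]):
            return "brand embedded in " + name
    return None

def scan_ct_names(names, org_domains=ORG_DOMAINS):
    # (name, reason) pairs for every name that classify() flags.
    flagged = ((n, classify(n, org_domains)) for n in names)
    return [(n, r) for n, r in flagged if r]
```

With a short brand name the edit-distance rule will flag many benign domains, so tune `max_distance` per brand or require a minimum brand length before applying it.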

During the delivery phase of an attack chain, the attacker’s payload could be detected by an email security gateway, a Web Application Firewall (WAF), or a Network Intrusion Detection System. Once the payload reaches its intended destination, the act of execution can be detected, attempts to obfuscate or hide can be detected, persistence techniques can be detected, lateral movement techniques can be detected, and even actions on objectives—such as preparing to exfiltrate data and the actual act of exfiltration—can all be detected, meaning the attacker must evade detection at every step of the way. As a defender, if my organization doesn’t detect a specific phase of the kill chain, we still have the opportunity to detect the adversary in each of the other phases.

An Attacker Doesn’t “Win” Just Because They Achieve Code Execution or System Access

When an attacker gains access to a system and achieves code execution, they still need to do something to achieve their objectives. While there are edge cases where data, such as passwords, is immediately stolen upon execution, these are typically just the early stages of a full attack chain. For instance, the stolen credentials might be used for further exploitation. It’s incredibly rare for adversaries to use multiple zero-days in an attack; even the most advanced malware, like Stuxnet, only utilized four distinct zero-day exploits. The idea that a threat actor would deploy a zero-day at every step to avoid detection is not only unrealistic, it also isn’t foolproof against organizations that detect on behaviors and maintain strong baselines across their networks.

Closing

Organizations should focus on mastering the basics before worrying about being targeted by attackers willing to use multiple zero-days. You’re more likely to be affected by simpler, more common threats like SQL Injection or malware executed on a system without EDR. Still unconvinced? Pull up any report from TheDFIRReport and look at any of the attack chains: how many distinct steps occur before something such as ransomware is deployed, and the detection opportunities the reports often list that could have caught the threat actor at nearly every step of the way.