Security / October 8, 2018

The Cyber “Security Dilemma”

The concept of the security dilemma, and the offense-defense theory that supports it, examines the relationship between attacker and defender and the conditions under which mutual defensive preparations escalate into an arms race and open conflict in international relations and conventional military affairs.

The offense-defense theory looks at two variables. The first is whether offense or defense holds the advantage. The second is whether offensive and defensive behavior are distinguishable, that is, whether one can tell if a nation's military expansion is for defensive purposes or for offensive ones. Combining the two, Table 1 shows when the security dilemma is less severe and when it is more severe.

Table 1. Severity of the security dilemma

  Security dilemma: less severe               Security dilemma: more severe
  ------------------------------------------  ----------------------------------------------
  Defense advantage                           Offense advantage
  Offense-defense behavior distinguishable    Offense-defense behavior not distinguishable

A situation where the security dilemma is more severe typically leads to an arms race, an escalated state of tension and possibly all-out conflict. Lately, some of these concepts have been adapted to cyber conflict and cyber warfare. Looked at from a cybersecurity perspective, offense holds the advantage in cyberspace. An attacker holds this advantage for various reasons, many of which I discuss in this video on reversing the attacker-defender asymmetry.

At the same time, a cyber intrusion that is purely defensive in intent, for example one carried out for reconnaissance, is by definition still an intrusion, and the target can reasonably construe it as an offensive act. Offensive and defensive behavior in cyberspace are therefore not distinguishable either. With both conditions of Table 1 pointing the same way, cyber conflict sits squarely in the more severe quadrant. What this translates to is that we will increasingly live in a world of heightened cyber threat and risk, and potentially of escalating risk rhetoric.

To dial back risk, there are two options to consider:

  1. See whether offense-defense behavior in the world of cybersecurity can be made distinguishable
  2. Attempt to revert the advantage back to the defender

Next, I will focus on the second option.

As long as a cyber defense strategy is weighted towards preventing an attacker from making an initial intrusion, reversing the advantage back to the defender will remain a struggle. The attack surface of most organizations is so vast that the cost of defending against every possible breach is simply too high. In other words, the cost of carrying out one incursion is far less than the cost of defending against all possible incursions. This cost asymmetry favors the attacker both because of the size of the surface to be protected and because of the democratization of malware, which puts capable attack tooling in the hands of anyone who wants it.

At its core, our cyber defense strategy needs to change fundamentally. The best approach, in my view, is to augment the prevention-weighted strategy with one that is heavily weighted towards detection.

We must start from the assumption that the attacker is already inside our infrastructure. Only this shift in thinking gives us the opportunity to reverse the advantage. Once inside, the attacker is operating on ground that the defender knows far better. To move laterally or exfiltrate data, the attacker must evade every form of detection along the way, whereas the defender needs to find only one footprint to start unravelling the intrusion.

The analogy that I believe resonates best is a large home containing cash, jewelry, art and other valuables. A thief who breaks in needs a good amount of time to find all the valuables, load the car and get away. If that takes the thief an hour, and we can detect and catch the thief within that hour, we will have done well. The same goes for cyber criminals: the defender wins when the time to detect and contain is shorter than the time the attacker needs to finish the job.

To make the transition to a detection-weighted mindset successfully, we need to think of our cyber security systems the way we think of the human immune system, which works from within. You still need good hygiene practices such as multi-factor authentication and network and resource segmentation. Despite those efforts, however, threats can break through, and that is where the immune system kicks in through detection and containment.

Visibility is at the core of building such a reliable detection and response system; it is the lifeblood of a cyber immune system. A network instrumented at all key points to detect anomalous behavior makes it much harder for an attacker to carry out malicious activity without being noticed, forcing them into additional, unusual steps that in turn make detection easier.
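To make the last two paragraphs concrete, here is an added example (my own illustration, not code from the original post or from Gigamon) of two behavioral detectors run over constructed flow records of the kind a network tap would yield. The first looks for the lateral-movement footprint: a host reaching several internal machines it never normally talks to, over admin protocols, in a short window. The second looks for the exfiltration footprint: outbound volume far above a host's historical baseline. The flows, the baselines, the 10.0.0.0/8 internal range, the port list and every threshold are assumptions chosen for the example.

```python
"""Two footprint detectors over constructed network flow records.

Added example, not from the original post. Assumptions: the monitored estate
is 10.0.0.0/8, lateral movement rides on SSH/SMB/RDP/WinRM, and the baselines
and thresholds below are illustrative rather than tuned.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

ADMIN_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM (assumed lateral-movement channels)
WINDOW = timedelta(minutes=5)          # sliding window for the fan-out check (assumed)
MIN_NEW_PEERS = 3                      # new admin-port peers needed to alert (assumed)
EXFIL_FACTOR = 3.0                     # outbound volume multiple of baseline to alert (assumed)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def is_internal(ip: str) -> bool:
    # Assumption for this example: everything inside the estate is 10.x.x.x.
    return ip.startswith("10.")


def detect_lateral_movement(flows: Iterable[Flow], baseline_peers: Dict[str, Set[str]],
                            window: timedelta = WINDOW, min_new_peers: int = MIN_NEW_PEERS) -> List[Alert]:
    """Flag a host that contacts >= min_new_peers internal hosts on admin ports,
    none of which appear in its baseline peer set, within any window-long interval."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):           # keep per-host lists in time order
        known = baseline_peers.get(f.src, set())
        if is_internal(f.dst) and f.dport in ADMIN_PORTS and f.dst not in known:
            by_src[f.src].append(f)
    alerts: List[Alert] = []
    for src, fs in by_src.items():
        for i, first in enumerate(fs):                      # slide the window over each start point
            peers = {g.dst for g in fs[i:] if g.ts - first.ts <= window}
            if len(peers) >= min_new_peers:
                alerts.append(Alert("lateral_movement", src,
                                    f"{len(peers)} new admin-port peers within {window}: {sorted(peers)}"))
                break                                       # one alert per host is enough
    return alerts


def detect_exfiltration(flows: Iterable[Flow], baseline_bytes_out: Dict[str, int],
                        factor: float = EXFIL_FACTOR) -> List[Alert]:
    """Flag a host whose outbound volume to external addresses exceeds factor x its baseline."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    alerts: List[Alert] = []
    for host, total in totals.items():
        base = baseline_bytes_out.get(host, 0)
        # Hosts with no baseline are skipped here; a real deployment would alert on them.
        if base and total > factor * base:
            alerts.append(Alert("exfiltration", host,
                                f"{total / 1e6:.0f} MB out vs baseline {base / 1e6:.0f} MB"))
    return alerts


def run_detections(flows: Iterable[Flow]) -> List[Alert]:
    flows = list(flows)
    return detect_lateral_movement(flows, BASELINE_PEERS) + detect_exfiltration(flows, BASELINE_BYTES_OUT)


# Constructed baselines: each workstation normally talks only to the file server and the DC.
BASELINE_PEERS = {
    "10.0.1.23": {"10.0.2.5", "10.0.2.10"},
    "10.0.1.50": {"10.0.2.5", "10.0.2.10"},
}
BASELINE_BYTES_OUT = {"10.0.1.23": 50_000_000, "10.0.1.50": 50_000_000}   # typical daily egress

# Constructed sample flows: one normal workstation, one compromised workstation.
T0 = datetime(2018, 10, 8, 9, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.0.1.50", "10.0.2.5", 445, 2_000_000),
    Flow(T0 + timedelta(minutes=1), "10.0.1.50", "10.0.2.10", 445, 300_000),
    Flow(T0 + timedelta(minutes=2), "10.0.1.50", "203.0.113.9", 443, 5_000_000),
    Flow(T0 + timedelta(minutes=3), "10.0.1.23", "10.0.2.5", 445, 1_000_000),
    # compromised workstation sweeping its neighbours over SMB/RDP ...
    Flow(T0 + timedelta(minutes=10), "10.0.1.23", "10.0.1.40", 445, 20_000),
    Flow(T0 + timedelta(minutes=11), "10.0.1.23", "10.0.1.41", 445, 20_000),
    Flow(T0 + timedelta(minutes=12), "10.0.1.23", "10.0.1.42", 445, 20_000),
    Flow(T0 + timedelta(minutes=13), "10.0.1.23", "10.0.1.43", 3389, 20_000),
    # ... then pushing data out to an external host
    Flow(T0 + timedelta(minutes=30), "10.0.1.23", "203.0.113.7", 443, 850_000_000),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_FLOWS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run as a script, the block reports 10.0.1.23 twice, once for the four-host admin-port sweep and once for the 850 MB of egress, while 10.0.1.50 stays quiet. Neither rule needs to know how the attacker got in; each keys on a single footprint that the attacker has to leave to make progress, which is exactly the asymmetry the text describes.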

Visibility is the key for rapid detection to lead to rapid containment and ultimately reversing the offense advantage. The idea of reversing the offense advantage is explored in more detail in the whitepaper, A New Model for Network Security: The Defender Lifecycle Model.

The sooner we as an industry start making this shift, the better our chances of moving the cyber security dilemma to a less severe state and avoiding escalating risk rhetoric, spiraling cybersecurity costs and a continued escalation in the nature of cyber attacks.
