Saturday, May 23, 2009

Defender's Dilemma vs Intruder's Dilemma

This is a follow-up to my post Response for Daily Dave. I realized I had a similar exchange three years ago, summarized in my post Response to Daily Dave Thread. Since I don't seem to be making much progress in this debate, I decided to render it in two slides.

First, I think everyone is familiar with the Defender's Dilemma.

The intruder only needs to exploit one of the victims in order to compromise the enterprise.

You might argue that this isn't true for some networks, but in most places if you gain a foothold it's quickly game over elsewhere.

What Dave and company don't seem to appreciate is that there is a similar problem for attackers. I call it the Intruder's Dilemma.

The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.

What's interesting about this reality is that it applies to a single system or to a collection of systems. Even if the intruder only compromises a single system, the variety of indicators available make it possible to detect the attacker. Knowing where and when to look, and what to look for, becomes the challenge. However, as the scope of the incident expands to other systems, the probability of discovery increases. So, perversely, the bigger the incident, the more likely someone is going to notice.

Whether or not you can actually detect the intruder's presence depends on the amount of visibility you can achieve, and that is often outside the control of the security team because the security team doesn't own computing assets. However, this point of view can help you argue why you need the visibility to detect and respond to intrusions, even though you can't prevent them.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


Rocky DeStefano said...

"intruder's Dilemma" is one of my favorite posts in a long time, not just because I agree with the Enterprise Visibility concept, but more so, because it puts a positive spin on the opportunities we face.

Finding solutions in the face of all of the obstacles we face as practitioners makes the job challenging and at times extraordinarily frustrating, but at the end of each incident it is satisfying to know you made a difference.


kurt wismer said...

of course the intruder's dilemma is similar to the defender's dilemma - it's a special case of the defender's dilemma. the intruder must defend his intrusion in order to improve the chances of success.

grecs said...

Of course we are getting attacked all the time so it may be difficult to figure out which attacks to focus on...

gamsec said...

As I like to say - for water to come out of the bucket, it only needs to find one single hole, but for us to stop the water from coming out of the bucket we need to fix ALL holes.

The same with security. We need to secure all our flaws because the hacker will only need one in order to turn us from users to victims.