An attacker only has to get it right once ... and other lies we tell

“Companies have to get security right every time – an attacker only has to get it right once.”

This is probably one of the biggest lies that information security tells on a frequent basis, partially to get more money for ineffective security technologies and partially to maintain the illusion that perfect, long-term security is possible.

#### Multiple levels of defence have to fail

In truth, companies have to get it wrong at the prevention, detection, and response levels a number of times before a breach does any considerable damage. Prevention has to fail at least three consecutive levels for the attacker to “get it right once”:

  1. Initial infection (AND)
    1. Lateral movement (OR)
    2. Unauthorised system access (OR)
    3. Unauthorised data access (AND)
      1. Unauthorised data exfiltration (what are your proxies good for, if you don’t do traffic analysis?) (OR)
      2. Unauthorised changes (asset destruction)

Similarly, detection has to fail at three consecutive levels:

  1. Initial infection (AND)
    1. Lateral movement (OR)
    2. Unauthorised system access (OR)
    3. Unauthorised data access (AND)
      1. Repeat inbound or outbound C&C traffic (OR)
      2. Outbound data leakage or unauthorised changes (asset destruction)

Response will not kick in until and unless there has been an identification of suspicious or abnormal activity. That is unlikely simply because most information security practitioners still install and configure security tools for prevention and not for detection of prevention failures.
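One way to turn proxy logs into the traffic analysis the list above calls for, as an added example that is not part of the original post: it flags client/destination pairs whose connection intervals are suspiciously regular, the repeat outbound C&C pattern a prevention-only proxy deployment never surfaces. The log format, addresses and hostnames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): timestamp, client, destination.
SAMPLE_LOG = """\
2023-03-01T09:00:00 10.0.0.5 updates.example-vendor.test
2023-03-01T09:00:02 10.0.0.5 cdn.example-news.test
2023-03-01T09:10:00 10.0.0.5 updates.example-vendor.test
2023-03-01T09:20:01 10.0.0.5 updates.example-vendor.test
2023-03-01T09:30:00 10.0.0.5 updates.example-vendor.test
2023-03-01T09:40:00 10.0.0.5 updates.example-vendor.test
2023-03-01T09:03:00 10.0.0.7 cdn.example-news.test
2023-03-01T09:31:00 10.0.0.7 cdn.example-news.test
2023-03-01T09:32:00 10.0.0.7 cdn.example-news.test
2023-03-01T10:15:00 10.0.0.7 cdn.example-news.test
2023-03-01T10:16:30 10.0.0.7 cdn.example-news.test
"""


def parse_log(text):
    """Group connection timestamps by (client, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series, min_events=4, max_jitter=0.1):
    """Return {(client, dest): interval_seconds} for pairs whose gaps between
    connections are nearly constant: stdev/mean of the gaps <= max_jitter.
    Human browsing produces bursty, irregular gaps and is not flagged."""
    hits = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    for (client, dest), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: regular interval of {period}s, review for C&C")
```

On the sample data only 10.0.0.5's ten-minute cadence to updates.example-vendor.test is flagged; in production, tune `min_events` and `max_jitter` against a baseline of known-good periodic clients (update agents, monitoring) to keep the alert volume useful.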

#### Attackers: explorers in hostile environments

The attackers have to do all that without the home ground advantage, flying blind and solo over an unknown environment for a long period of time to gain insight into the target network, all the while running the risk of exposure and/or denial of future access either through fluke or conscious activity.

A simple way to find out how much effort an attacker needs to gain a foothold, let alone map a corporate IT environment: ask your friendly penetration testing company for a quote for an external black-box (i.e. no information given) test of your environment.