The strategic importance of layered defense


"We only have to be lucky once, you will have to be lucky always"

This phrase comes from the IRA after a failed attempt on Margaret Thatcher’s life. I know, not a classy citation, but it delivers.

The meaning is simple: when stakes are high, repeatable attempts compound risk. This is the attacker’s advantage.

The attacker’s advantage

You received an email, and you correctly identified it as spear phishing.
Someone is targeting your organization, but you saved the day by recognizing the threat. Well done!
Now, ask yourself:

  • Will you identify all future attempts from the same source?
  • Will all the personnel of the company do the same, every time?

This is the attacker’s advantage: he only has to succeed once, and he is limited only by determination and will.
Yes, at some point he will give up and move on to another prey, but someone else will take his place.

The odds are clearly stacked against you. ONE mistake can spell disaster, and humans make mistakes.

And this is just phishing. There are many techniques an attacker can employ to breach your perimeter, techniques that you or your peers might not even be aware of and have no tools to defend against.

The key point here is that, no matter how good the defenses are, you can only roll the dice so many times before luck runs out. And you're playing Russian roulette!

The defender’s advantage

While an attacker has potentially unlimited attempts at breaching the perimeter, once inside, the situation is reversed: now it’s the defenders who have the advantage.

Breaching the perimeter is just one step of the kill chain. Now the attacker has to move laterally and escalate privileges, and do so unseen. If the intruder is detected, he will be cut off before reaching the objective.

This is the dwell time, and it’s of the utmost importance. It can span from hours to months, lasting on average 10 days, days in which the roles are reversed.
Failing to capitalize on this is a massive blind spot - and it’s unforgivable.

Yet the capability to detect an intruder is uncommon in the SMB sector, to say the least.
When you hear that company XYZ was hit by ransomware, it doesn’t just mean that the antivirus failed (and they do, a lot!), it means the whole security strategy was flawed or nonexistent. It means they let an intruder lurk in their network for days without a clue of what was already happening - not about to happen.

The Takeaway

A good defense has to be layered, with measures in place to increase friction and therefore the time it takes an attacker to reach the objective. That time has to be used to detect and stop the threat.

While prevention is critical, as avoiding is always better than remediating, having a single line of defense is a grave mistake. A mistake that can cost millions in damages.

A good security posture doesn’t have to be expensive either, but it has to be strategic and thought out from the perspective of how threat actors really operate, not what security vendors promise during sales.
It has to account for the advantages and disadvantages each player can leverage, and be planned accordingly.
