The notion that cybersecurity defenders are at an inherent disadvantage—the so-called defender's dilemma—is incorrect and counterproductive. Instead of focusing solely on how we respond to attackers’ tactics, we can identify and use the advantages inherent in our position as defenders. This article explains what a defender-oriented mindset entails and how it can help you strengthen your security program.
For many years, security professionals have used the “defender’s dilemma” to claim that we are at a disadvantage when protecting enterprises from cyberattacks. It goes something like this:
“The defenders are at a disadvantage because we must be right all the time, but the attacker needs to be right just once.”
According to this perspective, defenders need to spread our attention across all possible attack paths and protect against all of them. We must make difficult choices regarding which attack paths to focus on (this is the dilemma), which puts us at a disadvantage. Our disadvantage is also, presumably, due to the need to respond to every attack on all fronts, which means we will sometimes miss an attack.
The notion of the defender’s dilemma is not only demoralizing but also incorrect. Defenders can gain an advantage over the attackers. Let’s explore this.
The defender’s dilemma is folly in part because it oversimplifies the complexity of cyberattacks. Consider the MITRE ATT&CK framework, which illustrates the multi-step process attackers must follow to achieve their objectives. According to ATT&CK, attackers typically start with Reconnaissance, progress to Resource Development, then Initial Access, and from there must still push past several additional stages to achieve their objective.
The attacker must complete each stage successfully to fulfill their mission. It’s sufficient for the defender to interfere with just one step in that chain to foil the attack, requiring the attacker to adjust tactics. Industry veteran Richard Bejtlich observed this back in 2009 in the context of intrusion detection, coining the term “the intruder’s dilemma.” He pointed out:
“Defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.”
David J. Bianco, another respected cybersecurity professional, expanded on this idea in 2023 and proposed the term “the attacker’s dilemma.” In addition to pointing out that “attackers have to get everything right throughout the entire attack lifecycle,” he noted that:
“Attackers usually operate with imperfect knowledge of their environment.”
Our inherent strength–the defender’s advantage–is our ability to develop a better understanding of our environment than the attackers. With some foresight and planning, we can create a security architecture that changes how we engage with attackers.
The defender’s dilemma assumes that defenders are waiting for attacks to happen and then respond. This reactive stance allows attackers to define the terms of engagement and puts the defenders in the position of always playing catchup. Seeking to change such dynamics, industry analysts are highlighting the need for defenders to practice “proactive security.” Eric Parizo from Omdia uses this term to encourage enterprises to:
“Seek out and mitigate likely threats and threat conditions before they pose a danger to the extended IT environment.”
According to Forrester’s Erik Nost, practicing proactive security means controlling security posture and reducing breaches through strong visibility, prioritization, and remediation. This process begins with a solid understanding of our environment so we know the resources to protect and the security weaknesses to address.
Knowledge of the terrain is not exclusive to cybersecurity; the concept applies to attackers and defenders on a variety of fields, including the battlefield itself throughout history. For example, during the Battle of Agincourt in 1450, the English positioned themselves in a narrow field flanked by woods, funneling the French knights into a confined space. By narrowing the front, the English army defeated a much larger French force.
Much like the Battle of Agincourt, creating a choke point in cybersecurity defenses, as historical defenders have done, is one way to establish the defender’s advantage. For instance, funneling SaaS logins through a Single Sign-On (SSO) provider allows organizations to apply reliable security measures such as 2FA and anomaly detection. SSO forces attackers to pursue SaaS targets through a choke point controlled by the defenders, putting them at a disadvantage.
More broadly, to gain the defender’s advantage, we should:
To gain the defender’s advantage, start by thoroughly knowing your environment, which allows you to identify and mitigate weaknesses, deploy automated response measures, and design an architecture that funnels attacks to well-fortified aspects of your environment. Minimize attack path opportunities by reducing the attack surface and prioritizing security improvement opportunities. Oversee remediation efforts to ensure progress. Turn the attacker’s advantage on its head by shifting from a reactive to a proactive mindset.
Click to Open Code Editor