Cyber Security

Luke Hally

Asymmetric Warfare

October 28, 2021

Symmetry and asymmetry are things we see a lot of in cyber security. We break symmetry with passwords and authentication – making it easy for us to access something and hard for others. We see this again in encryption, with symmetric and asymmetric cryptography. And we see it on a broad scale in cyber security: defenders have a bigger job than attackers on a number of fronts.

Asymmetries

| Asymmetry | Defender | Attacker |
| --- | --- | --- |
| Coverage | Need to defend all vulnerabilities. | Only need to exploit one vulnerability. |
| Targets | Need to protect all targets. | Only need to choose one target. |
| Infrastructure | Generally fixed and not easily moved. Defenders’ infrastructure needs to be available: the website needs to be up, staff need to be able to email each other, documents need to be accessible and printable, etc. | Offensive assets are designed to move and be temporary. They can also often belong to someone else (botnets), so taking them down doesn’t hurt the attacker. |
| Human resources | Need to monitor and administer. | Traditionally attackers had less HR overhead, but this is changing as cyber crime industrialises. |

Principle of easiest penetration

An attacker will find the weakest point to attack. Think about a house. If you have a strong security door and a solid front door all locked up with a camera on your deck, but have left your side window open, where do you think the burglar is going? They aren’t wasting their time and effort on the front door. It’s the same with cyber. 

I recently undertook some testing on a platform for a business with a global footprint. Let’s call them Neuvium (that’s not their real name; if there is a real Neuvium, I did not hack them). My goal was to gain admin access to a system of one of Neuvium’s customers. I didn’t brute force or try to plant malware. I contacted Neuvium’s support team and pretended to be a staff member of their customer, and I was in. I’ll cover this in more detail in another post where I talk about Cyber Kill Chains. This is a good example of the asymmetry of attack: one person against a company with internal and external IT and dedicated cyber staff, low effort, time investment and big results.

Reflection

This may leave you thinking there is no hope against attackers. The task is immense, but defenders have some advantages. Firstly, more and more resources are being put into cyber security; we can thank mandatory data breach reporting for that. Now that companies have to report breaches, there is a cost and they will consider it in their risk assessments.

Defenders also have a home-ground advantage, so if your systems are well designed and protected, and the attacker doesn’t know how they are designed and protected – which they shouldn’t, don’t tell anyone – you are in a good position.

Lastly, we gain a sort of herd immunity from each new attack by sharing them. When a new attack is discovered, documented and shared, we all learn from it and can mitigate the vulnerability. We see this in software patches, attack life cycles, cyber kill chains and security playbooks. More to come in future blogs.
