Reference: Network Attacks and Exploitation by Matthew Monte
False Asymmetries
Cost
Costs a lot for both attackers and defenders.
Attribution
Cyber attribution is the process of tracking, identifying and laying blame on the perpetrator of a cyber attack or other hacking exploit. Locating the source and catching the attacker amount to much the same problem, and the penalties differ from country to country.
True Asymmetries: Advantage Attacker
Motivation:
Attacker: there are costs, but the potential payoff is huge and the risk is small. Gains are immediate and tangible.
Defender: nothing to gain, only something to lose. The loss is often intangible, ranging from nothing to catastrophic.
This difference creates an imbalance in motivation; even when the law is involved, the monotony of defense leaves the Defender less motivated than the Attacker.
Initiative:
Initiative is the ability to make threats or take actions that require your opponent to react. Motivation describes a mental state; initiative measures ability. The Attacker acts and the Defender reacts, which means the Attacker can stay one step ahead.
Focus:
Attacker: has a single mission and point of focus. Gets feedback from accomplishments and failures.
Defender: focus is split between securing the network and running it. Lacks positive feedback. Cannot prove a negative.
Effect of failure:
Preventing an attack may have no effect whatsoever on the attacker.
A honeypot is a computer network designed to entice attackers in, tricking them into exposing a larger cadre of tools and methods in the hope of inflicting a cost; historically honeypots have been expensive.
Attacker: loss is almost non-existent, only time and a small amount of cost. The failure can inform the next step.
Defender: loses a lot, and has no idea what the next step will be.
Knowledge of Tech:
Attacker: there are only a limited number of typical setups, and the Attacker has seen them all. Spends full time studying offense and even defense. The Defender's sense of urgency is different.
Defender: must learn defensive methods and technology to stay current and to maintain compliance.
The gap comes from motivation and eagerness to keep learning.
Analysis of opponent:
In general, Attackers can acquire, analyze, and test against security software solutions before deploying their attack tools.
Attack tools cannot be purchased; they must be captured. The Defender must detect and capture a tool in order to analyze it, but needs to analyze it in order to detect and capture it.
Tailored Software:
Attackers have an advantage in creating and deploying pointy-end software. The development cycle can be condensed and it is under their own control. However, this advantage is not inherent.
The defensive security market is actively researching and developing defensive architectures that can be quickly tailored to specific environments, under the buzzword "adaptive defense". Results so far have been muted, but it is in the early stages. If and when a true adaptive defense is achieved, the Attackers' advantage will dissipate.
Rate of Change
When software is updated and new features are added, there is a decent chance that new vulnerabilities will be introduced.
The rate of change, and the shaky foundation it creates, offers a renewing stream of vulnerabilities that works to the Attacker's advantage.
True Asymmetries: Advantage Defender
Network Awareness
Defender: has full access to every detail, such as every switch, router and firewall.
Attacker: cannot acquire the same level of detail with the same level of effort as the Defender.
Network Posture
At the micro scale, e.g. Address Space Layout Randomization (ASLR).
Defender: has full right to construct the network's attributes, from policy to technology.
Attacker: it is harder to target a moving object.
Advantage Indeterminate for Both
Time
Attacker: needs time for the overall operation. However, that time may also expose them; it helps and hurts at the same time.
Defender: overall maintenance, upgrades, recon, ...
Efficiency
Attacker: Cost of Acquiring Information vs Value of Information Acquired
Defender: Cost of Securing Information vs Value of Information Secured