The notion that cybersecurity defenders are at an inherent disadvantage—the so-called defender's dilemma—is incorrect and counterproductive. Instead of focusing solely on how we respond to attackers’ tactics, we can identify and use the advantages inherent in our position as defenders. This article explains what a defender-oriented mindset entails and how it can help you strengthen your security program.

What’s the Defender’s Dilemma?

For many years, security professionals have used the “defender’s dilemma” to claim that we are at a disadvantage when protecting enterprises from cyberattacks. It goes something like this:

“The defenders are at a disadvantage because we must be right all the time, but the attacker needs to be right just once.”

According to this perspective, defenders need to spread our attention across all possible attack paths and protect against all of them. We must make difficult choices regarding which attack paths to focus on (this is the dilemma), which puts us at a disadvantage. Our disadvantage is also, presumably, due to the need to respond to every attack on all fronts, which means we will sometimes miss an attack.

The notion of the defender’s dilemma is not only demoralizing but also incorrect. Defenders can gain an advantage over the attackers. Let’s explore this.

The Folly of the Defender’s Dilemma

The defender’s dilemma is folly in part because it oversimplifies the complexity of cyberattacks. Consider the MITRE ATT&CK framework, which illustrates the multi-step process attackers must follow to achieve their objectives. According to ATT&CK, attackers typically start with Reconnaissance, progress to Resource Development, then Initial Access, and from there must still push past several additional stages to achieve their objective.

The attacker must complete each stage successfully to fulfill their mission. It’s sufficient for the defender to interfere with just one step in that chain to foil the attack, requiring the attacker to adjust tactics. Industry veteran Richard Bejtlich observed this back in 2009 in the context of intrusion detection, coining the term “the intruder’s dilemma.” He pointed out:

“Defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.”

David J. Bianco, another respected cybersecurity professional, expanded on this idea in 2023 and proposed the term “the attacker’s dilemma.” In addition to pointing out that “attackers have to get everything right throughout the entire attack lifecycle,” and noted that:

“Attackers usually operate with imperfect knowledge of their environment.”

Our inherent strength–the defender’s advantage–is our ability to develop a better understanding of our environment than the attackers. With some foresight and planning, we can create a security architecture that changes how we engage with attackers. 

Gaining the Defender’s Advantage

The defender’s dilemma assumes that defenders are waiting for attacks to happen and then respond. This reactive stance allows attackers to define the terms of engagement and puts the defenders in the position of always playing catchup. Seeking to change such dynamics, industry analysts are highlighting the need for defenders to practice “proactive security.” Eric Parizo from Omdia uses this term to encourage enterprises to:

“Seek out and mitigate likely threats and threat conditions before they pose a danger to the extended IT environment.”

According to Forrester’s Erik Nost, practicing proactive security means controlling security posture and reducing breaches through strong visibility, prioritization, and remediation. This process begins with a solid understanding of our environment so we know the resources to protect and the security weaknesses to address.

Knowledge of the terrain is not exclusive to cybersecurity; the concept applies to attackers and defenders on a variety of fields, including the battlefield itself throughout history. For example, during the Battle of Agincourt in 1450, the English positioned themselves in a narrow field flanked by woods, funneling the French knights into a confined space. By narrowing the front, the English army defeated a much larger French force.

Much like the Battle of Agincourt, creating a choke point in cybersecurity defenses, as historical defenders have done, is one way to establish the defender’s advantage. For instance, funneling SaaS logins through a Single Sign-On (SSO) provider allows organizations to apply reliable security measures such as 2FA and anomaly detection. SSO forces attackers to pursue SaaS targets through a choke point controlled by the defenders, putting them at a disadvantage.

More broadly, to gain the defender’s advantage, we should:

  1. Understand our environment: Maintain a continuously updated inventory of all assets, including hardware, software, SaaS platforms, and user accounts. Understand the business purpose of each resource. This foundational step allows us to know exactly what needs protection and where potential security improvements might be.
  2. Minimize the attack surface: Regularly patch vulnerable software, turn off unneeded systems, disable or decommission unneeded services, and enforce SSO to reduce entry points. These actions collectively reduce the number of potential attack vectors.
  3. Prioritize remediation by considering the context: Assess the risk of each vulnerability based on system criticality, business processes, and sensitivity. Focus on addressing the most significant risks first. This targeted approach ensures that resources are allocated effectively to address the highest priority areas.
  4. Remediate in a measured way: Develop and execute a remediation plan, making changes in a controlled and practical way. Monitor the progress and effectiveness of remediation efforts, using metrics to track improvements and intervene if needed. This ensures that the security improvement projects achieve the expected outcomes.

To gain the defender’s advantage, start by thoroughly knowing your environment, which allows you to identify and mitigate weaknesses, deploy automated response measures, and design an architecture that funnels attacks to well-fortified aspects of your environment. Minimize attack path opportunities by reducing the attack surface and prioritizing security improvement opportunities. Oversee remediation efforts to ensure progress. Turn the attacker’s advantage on its head by shifting from a reactive to a proactive mindset.

Updated August 14, 2024

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more