There’s an old bogus saw in IT that goes something like attackers only need to be successful once yet defenders always have to succeed.
As you can probably tell I really dislike such thinking.
The reverse is actually well known and practiced often. Defenders benefit from efficiency that comes through “defense in depth”. It’s a pervasive practice that completely invalidates nonsense about attackers needing just one success.
History shows us many examples of building designs that had not just one wall, but many layers plus other measures. Attackers since the beginning of time have been forced to run expensive campaigns to have chances of success… given defenders are even a little bit thoughtful about threats.
Maginot’s line is the counter-example of great infamy that also proves this point.
The actual man Maginot (a French WWI veteran with literal tunnel vision) could not think of anything other than spending exorbitant sums of money on dumb walls with passages beneath them.
Meanwhile threat models of WWI worth noting were about rapid mobility, such as powerful engines of emerging airplanes and trucks/tractors that could go right around those walls. Had Maginot’s campaign been tempered against France (and Britain) leading the world in combustion engine innovations, Nazi General Rommel would have been more quickly exposed for his greed/incompetence.
Another way of expressing this is in basic economics, which is to say investing in inexpensive controls that increase cost of attacks tend to be highly effective prevention measures.
Investing in expensive controls that attackers can bypass easily… that’s the opposite of defense, that’s insider threat as demonstrated by America First’s Wall Fraud.
Seriously, America First (a continuous hate platform since it was started by the KKK 1915) campaigned to divert security funds away from sensible use at air and sea ports instead into stretches of empty desert where no real threats existed. And in reality the money went into pockets, leaving America less safe — ergo, insider threat.
With that background and context, lately I’ve been asked quite often why Russia’s big hacker threat failed to materialize.
The simple answer is that Russia did attempt to attack, but it’s overblown reputation for hacking ability was based on a history of petty crimes more than anything.
It’s a bit like saying why didn’t the pickpockets of Moscow’s buses manage to jump into a mostly automated tank and roll through Kiev streets victorious.
A lot of things stood in the way, not least of all repetition of history: simple and inexpensive defensive measures stood up in Ukraine to rushed and complex attacks of low integrity.
Russia since 2014 had been attempting rather loud sustained cyber warfare against Ukraine, leaving nothing to surprise. This created a heavily defended environment with critical data resilient through support of widespread (e.g. distributed) technology allies.
As a tangent, I don’t mean to throw any more water here on the popular tactic of security consultants lighting fires in critical infrastructure to win funding.
Honestly it’s not that expensive to increase the security levels in most environments. In fact, it’s downright shameful how inexpensive better security can be when experts get involved. This actually feeds into attacker motives as they tend to whine about “these lazy people deserve to be hacked” if you ever monitor such forums.
I dislike victim shaming and I dislike fear-based fundraising. Both unfortunately tend to mix into a debate about why bankers (accountants who tend to operate critical infrastructure risk management in market-based countries) starve defense budgets until they essentially transfer wealth to attackers or overly animated and expensive “saviors”.
Back to the point, Russian hackers have now been indisputably proven a paper bear as they couldn’t put up a fight. I tend to explain this in three related ways.
1) Russian hackers (and those they trained) like domestic abusers actually tend to be very risk-adverse predators who exploit known and easy weakness for quick personal gains. That equation tends to be trivial to change by security professionals.
2) The first point is compounded by organization. Even a petty thief becomes highly dangerous when acting in a mule role under coordinated criminal syndicates. That equation is non-trivial to change. Yet security professionals as well as political scientists have much history success to draw upon here. NYC Mayor LaGuardia didn’t have an airport named after him for nothing.
3) In both points above we’re still talking financial motivations more than social or even cultural let alone religious or racial. As I’ve spoken and written here for many years, disrupting financially-motivated hackers is the least difficult level of defense given a law enforcement paradigm for MEECES (or MICE).
In conclusion, post-2015 efforts and certainly late 2021 basic defense measures in Ukraine (VERY inexpensive measures) made Russian hackers fail and run.
It’s been such a non-issue headlines went from “America isn’t prepared for what’s coming” to… crickets.
Russia’s biggest mistake in 2022, similar to Putin’s KGB job to breed Nazi terror cells in 1980s Germany, therefore seems to be a plan to roll into fights on an assumption everyone and everything in their path would be just a coin-operated fraud (like themselves).
Higher orders of defense (efficient ones especially) tend to toss such looming threats off the day of actual battle, even despite spending just a little time and money instead of a lot.
