Measuring the Attack/Defense Balance

“Who’s winning on the internet, the attackers or the defenders?”

I’m asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain’s latest Lawfare piece has amassed data.

The essay provides the first framework for metrics about how we are all doing collectively—and not just how an individual network is doing. Healey wrote to me in email:

The work rests on three key insights: (1) defenders need a framework (based in threat, vulnerability, and consequence) to categorize the flood of potentially relevant security metrics; (2) trends are what matter, not specifics; and (3) to start, we should avoid getting bogged down in collecting data and just use what’s already being reported by amazing teams at Verizon, Cyentia, Mandiant, IBM, FBI, and so many others.

The surprising conclusion: there’s a long way to go, but we’re doing better than we think. There are substantial improvements across threat operations, threat ecosystem and organizations, and software vulnerabilities. Unfortunately, we’re still not seeing increases in consequence. And since cost imposition is leading to a survival-of-the-fittest contest, we’re stuck with perhaps fewer but fiercer predators.

And this is just the start. From the report:

Our project is proceeding in three phases—­the initial framework presented here is only phase one. In phase two, the goal is to create a more complete catalog of indicators across threat, vulnerability, and consequence; encourage cybersecurity companies (and others with data) to report defensibility-relevant statistics in time-series, mapped to the catalog; and drive improved analysis and reporting.

This is really good, and important, work.

Posted on July 30, 2025 at 7:07 AM • 14 Comments

Comments

Clive Robinson July 30, 2025 8:33 AM

@ Bruce,

With regards,

“Who’s winning on the internet, the attackers or the defenders?”

Is a question with actually a simple answer,

“Neither and both, like a pendulum and flywheel that both balance, and provide momentum toward advancement.”

I’m known for saying,

“Technology is agnostic to use a directing mind puts it to, whether that is seen as good or bad by an observer depends on their point of view at any given moment in time”

Thus the three important elements of the advancement are,

1, The using / directing entity.
2, The judging / observing entity.
3, The morals and ethics underlying the judgment.

All of which change with time.

People also need to be mindful that neither good nor bad can exist in isolation one requires the other for judgment. Thus they form a line or spectrum by which all technology can be measured at that point in time.

Which is what,

“The essay provides the first framework for metrics about how we are all doing collectively—and not just how an individual network is doing.”

Is in effect trying to quantify, but is in danger of missing the change of time and environment.

Also there is a reason we are “drowning in metrics” but we are not achieving anything with them.

There a “value” is not meaningful until it can be not just accurately and independently quantified but meaningfully compared.

That is they have to allow for meaningful ratios to be given so that progress or advancement in any given direction can be independently checked and used for test and analysis.

Without which the metrics are not even worth the paper they are noted on.

jbmartin6 July 30, 2025 9:10 AM

Continued existence shows the defenders are winning. If the attackers were winning, the Internet would have joined usenet in the queue to the trash compactor.

lurker July 30, 2025 2:15 PM

@jbmartin6

The internet will continue to exist for a while yet: the attackers need it to work their deeds on. Usenet was just a subset that died when something better came along.

Jon July 30, 2025 5:12 PM

I’m with @Swede on this one. The attackers always have a huge financial advantage, because they only need to find one crack, one loose stone, while the defenders have to build an entire fortress.

This is not helped by those who make operating systems cheerfully denying any responsibility (or liability) for cracks in the wall – imagine how a castle contractor who built a cracked castle would be treated in the Middle Ages – and how today by the governments who let them, even when their own castles turn out cracked.

There are solutions to this. Make such that those who do find and exploit such cracks are subject to discovery and punishment so that it’s no longer worth their time to look for cracks anymore.

For example, a couple handfuls of Saudi Arabians took advantage of lax airline security to kill a few thousand people, and then the USA went all punitive and in return killed several thousand Afghans, tens of thousands of Iraqis, and several thousand more of their own people in an attempt to punish them for it. Maybe one or two Saudis.

Erf, maybe that’s a bad example. Anyhow, point being that in asymmetric warfare, there may be other influences that can be brought to bear.

J.

Clive Robinson July 30, 2025 6:08 PM

Swede, Jon, ALL,

With regards,

“Attackers need to find one flaw. Defenders must find and fix all flaws.”

Actually not true at all.

All you have to do is prevent the attackers reaching any and all flaws, and I’ve mentioned this repeatedly one way or another on this blog and in other places.

Go back to the translations of Sun Tzu and you will find two comments that are relevant,

1, Know you and your enemy.
2, Pick your battles and the ground you fight your enemy on.

In modern warfare these often get poorly translated to,

1, Have good intelligence.
2, Occupy the high ground.

Sun Tzu pointed out that battles are lost before they start if you do not know yourself and know your enemy and most importantly how to deny your enemy knowledge of yourself.

But further, “He will win who knows when to fight and when not to fight”

Both denying knowledge to the enemy and denying them a battlefield are covered by the more modern notion of “segregation”.

In ICTsec terms segregation is covered by “energy gapping” a more purposeful form of “air gapping” which is simply “denying the enemy” both knowledge and a battlefield.

It’s why almost the first question I ask is,

“Why is this computer connected to the Internet?”

Rarely does a sensible answer come back and even more rarely does a sensible gapping strategy get described and implemented.

Thus as it’s not possible to know “all flaws” in any worthwhile system the only sensible precaution is to “properly deny access” and that means effectively “no access of any form” or to flip it around to the defenders view point,

“No communications accessible externally”.

Will stop “outsider threats” but not necessarily “insider threats”. Which is why the old John Philpot Curran maxim of “eternal vigilance” has to be in place as a minimum.

As “full segregation” and “full surveillance” are probably considered excessive for most organisations a modified approach can be taken, in that you have rings of segregation that have strictly mandated and monitored crossing points.

Whilst this can never be 100% it does reduce the resources needed.

A look back in history to the design of fortifications will give a good overview of how defenders can effectively reduce some attackers abilities, but actually aid others such as “insiders”.

Which is why you should always remember “All Castles are Prisons” and you can lose much by not taking this observation into account.

One thing that is or should be abundantly clear is that all the big Silicon Valley Corps are now forcing two things,

1, Required external communications.
2, Required untrustworthy insider agents / applications.

Because their actual intent is 100% “Surveillance for Profit”.

Corrupt ideho July 30, 2025 10:19 PM

Because not everyone is an IT Tech, or a CyberSecurity Engineer who knows what a Service, Process, Handle, or a Thread(Threading) or Open, Listening, or Closed Ports are, Micro$haft has been shipping Windoze with everything enabled by default and enabled at startup, which was not the case on a fresh install of Unix or Linux until Ubuntu and some other flavors started receiving bribes (call it what it is) to “bundle” garbage/bloatware with the installations of their distros. The convenience of having that Print Spooler Service enabled by default also means that associated port(s) are going to be open, or in the LISTENING state, and the same goes for Telnet, FTP, etc…..etc….
System Hardening requires a lot of knowledge of Processes, Operating Systems, Software, CyberSecurity, etc…etc… and this is how you limit/reduce your footprint/Attack Surface/exposure/visibility when connected to the Internet. And it’s always gonna be calculated as: Risk versus Benefit but all this knowledge does NOT come from the books/literature/education ALONE. In ALL cases, many years, often decades of EXPERIENCE is a must, to be able to know all that $hit. It is not adequately awarded/appreciated (compensated monetarily) yet, not nearly as good as say Nursing, or MD, or a few other medical field professions, and don’t even get me started with CROOKED LOYAZ – so a great deal of knowledge will certainly be taken by many of us into our graves because most people see most of Cyber Security Gurus as “crooks” while forgetting that there is good and bad everywhere and that some of us would never exploit another innocent human being for no money in the world. If a shitty LOYA can charge hundreds of bucks for one hour then a Cyber Security Engineer should be able to charge at least FOUR TIMES that amount – UNTIL THEN, I will take my knowledge with me when I die. Adios.

ResearcherZero July 31, 2025 9:15 PM

@Clive Robinson, @Swede, @Jon, @ALL

1, Have good intelligence.
2, Occupy the high ground.

The FSB has been using the same techniques and tactics for a very long time.
This strategy has worked successfully for decades and can be seen time and again.

Using SORM, an ISP level AiTM attack allows for TLS/SSL stripping.

FSB tricks diplomatic staff to download a fake Kaspersky antivirus installer…

https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/

The same techniques have been used over and over again.

https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/

(The unfortunate fact is, that although state sponsored actors have been breaking into our own telecommunications providers’ internal networks and physical telecom facilities for decades, the telcos remain highly uncooperative and resistant to warnings of incidents.)

Recently during the latest round of telecom hacks, companies were found to not have installed patches for old vulnerabilities, with one telco using the password 123456.

A Verizon Breach Investigations Report found over 70% of employees reuse passwords at work. And “81% of hacking-related breaches leveraged either stolen and/or weak passwords.”

ResearcherZero July 31, 2025 9:49 PM

Here is why employees should not be using weak passwords or reusing passwords. If attackers discover a vulnerability – they may then be able to gain access to the admin dashboard.

Once they have this access they can begin to target other companies and customer PII. Access may be handed over to state sponsored actors for long-term persistence and espionage. Hack-for-hire mirrors the same payment options as financially motivated crime.

Some individuals within extortion groups are controlled by state-backed handlers. It won’t matter which operating system without current updates and if your passwords are rubbish.

Everything flows through the telecommunications network regardless of who you are.

https://medium.com/@Berserker1337/secondary-context-leads-to-company-takeover-0dc88ca751ea

Please log in and provide the information at the following portal:

https://www.abc.net.au/news/2025-08-01/asio-disrupts-24-major-espionage-operations-in-three-years/105599488

ResearcherZero July 31, 2025 10:07 PM

Almost 400 individuals revealed they worked on the AUKUS project, and nearly 2500 boasted about having a security clearance (on social media).

So if you still have those blueprints for the submarine propulsion system, don’t forget to email them to me at the following address. Or leave them on top of your office cabinet. 😉

(Obviously don’t do that. That would be highly irresponsible.)

$2 billion of trade secrets and intellectual property stolen from Australian companies.

https://www.thenewdaily.com.au/news/world/2025/08/01/spies-australia-asio

Clive Robinson August 1, 2025 2:19 AM

@ ResearcherZero, Swede, Jon, ALL,

With regards,

“Using SORM, an ISP level AiTM attack allows for TLS/SSL stripping.”

Trust that “link level” and similar “automated / app” encryption is secure, is always unwise.

The British Diplomatic folks used to use message/file level “end to end” encryption as well as communications “super encryption” via “one time tape” systems on high speed HF radio network links between nodes that geographically spanned the globe (just one of the things the Brits brought to the table for BRUSA agreement).

The Russians as we know –from project VENONA– opted for a different “centralized” or “star network” system. That is messages were first coded, then encrypted by One Time Pad[1] and sent by HF Radio directly to their “control” back in Russia. This made “finding” of non diplomatic station traffic much easier as the frequencies and times of day of messages were often very much dictated by nature. And the distances involved oft meant the use of “high power” by the senders.

The Russian message level code was in effect universal to “flatten the statistics” and “shorten the message” both desirable things. But being non unique in use offered no additional confidentiality. Which is why breaking the network encryption broke the confidentiality entirely.

The same issue applies with Internet traffic, the use of HTTPS at best only gives limited “traffic confidentiality” not “message confidentiality”.

Hence SORM gives plaintext messages, and why it is used.

If people want confidentiality of messages then they need to first compress then uniquely encrypt each message with different KeyMat. That way SORM as a “Man In The Middle”(MITM) attack would only give message “ciphertext” not “plaintext”.

Unfortunately for interactive communications with unknown sites MITM attacks stop unique message level encryption being confidentially established… So no message can be regarded as being confidential…

[1] If used “properly” One Time systems are in effect unbreakable. However if the “Key Material”(KeyMat) is used just twice it fails to an easy attack that can be done by hand even though laborious.

During WWII when Russia was under pressure from German attacks the need for “KeyMat” went up dramatically and those making it as code books either by accident or design “reused” pages. It’s been indicated that,

“All the duplicate one-time pad pages were produced in 1942, and almost all of them had been used by the end of 1945, with a few being used as late as 1948”

And that by 1980 when VENONA was stopped less than 3000 pages had been successfully decoded, but they were enough to have caused significant damage.
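Footnote [1] above states that a pad used twice falls to an easy hand attack. The following is an added example, not from the post or the commenter, showing in Python why: XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts, which a guessed word (a "crib") then resolves, whereas unique pads per message leak nothing. The messages, pads and crib are constructed here for illustration.

```python
import os

def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time-pad encrypt/decrypt: XOR each byte with the pad byte at the same offset.
    The pad must be at least as long as the message; it is never allowed to wrap."""
    if len(key) < len(data):
        raise ValueError("pad shorter than message: a one-time pad must never wrap")
    return bytes(d ^ k for d, k in zip(data, key))

def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """c1 XOR c2. If both were made with the same pad, the pad cancels and
    this equals p1 XOR p2: the relation between the two plaintexts has leaked."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))

def recover_with_crib(leak: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Given a guessed fragment of one plaintext at a known offset, XOR it into the
    leaked p1 XOR p2 to read the other plaintext's bytes at that position."""
    segment = leak[offset:offset + len(crib)]
    return otp_xor(segment, crib)

# Constructed sample dispatches (not from the page).
P1 = b"MEETING AT STATION 0900 CONFIRMED"
P2 = b"COURIER DELAYED UNTIL TOMORROW NOON"
CRIB = b"MEETING"   # attacker's guess for the opening word of message 1

def simulate(reuse_pad: bool, pad1: bytes = None, pad2: bytes = None) -> dict:
    """Encrypt P1 and P2 either with one shared pad (the VENONA failure) or with
    two independent pads, then apply the two-time-pad attack to the ciphertexts."""
    pad1 = pad1 or os.urandom(64)
    pad2 = pad1 if reuse_pad else (pad2 or os.urandom(64))
    c1 = otp_xor(P1, pad1)
    c2 = otp_xor(P2, pad2)
    leak = xor_of_ciphertexts(c1, c2)
    return {
        # True only when the pad was reused: the key has cancelled out entirely.
        "leak_equals_p1_xor_p2": leak == xor_of_ciphertexts(P1, P2),
        # With reuse this reads b"COURIER" out of message 2 without ever seeing the pad.
        "recovered": recover_with_crib(leak, CRIB),
    }

if __name__ == "__main__":
    print("reused pad :", simulate(reuse_pad=True))
    print("unique pads:", simulate(reuse_pad=False))
```

With independent pads the "recovered" bytes are just noise, which is the property the comment asks for when it says each message needs different KeyMat.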

Clive Robinson August 1, 2025 5:58 AM

@ ResearcherZero, ALL,

With regards,

“The FSB has been using the same techniques and tactics for a very long time.
This strategy has worked successfully for decades and can be seen time and again.”

There is more on the latest Russian abuse of ISPs,

https://www.theregister.com/2025/07/31/kremlin_goons_caught_abusing_isps/

“The [Microsoft] threat hunters first observed one such Secret Blizzard snooping mission in February. Putin’s spies, according to Microsoft, used an adversary-in-the-middle (AiTM) position at the ISP/telco level to gain access to foreign embassies located in Moscow and deploy their custom ApolloShadow malware.”

I keep forgetting to be PC with regards “MiTM” now being “AiTM”…

The definition is given as,

“AitM attacks are characterized by their active engagement, going beyond passive eavesdropping to actively manipulate data and communications. This makes them a potent threat in the cybersecurity landscape.”

The thing is as far as I’m aware MiTM never was about “passive eavesdropping”, it was always about “active engagement” by “impersonating end points” bi-directionally using either faux-certificates or fall-back / down-grade attacks with sometimes “traffic injection”.

Whilst there are protocols that will stop A/MiTM attacks they require two things as a foundation,

1, A secret “root of trust”.
2, A secure “second/side channel” to exchange the root of trust.

The real problem is the “side channel” and ensuring it is secure (CIA triad).

No modern consumer/commercial network provides this and many in the past have tried and failed to make it work even on private monitored networks.

The underlying issues are “the nodes” in the network and how they destroy visibility beyond them.

This is a known problem that goes back thousands of years, when the “node” was a human acting as a courier/messenger.

The issue was aptly put as,

“Three can keep a secret, if two are dead.”

Supposedly based on a line from Shakespeare’s “Romeo and Juliet” of,

“Did you ne’er hear say, Two may keep counsel, putting one away?”

So,

Trust yea not those who tattle,
For they will get you with their prattle.
If you be in any doubt,
Look you to a bloody rout.
Remember though if yea gets away,
They will try another day.
So let not fear make yea swoon,
Open their gullet by midnight moon.

Anonymous August 4, 2025 4:51 PM

“Neither good nor bad can exist in isolation.”

I disagree. Just because you can’t hear every tree falling doesn’t mean many fallers are silent. Sound doesn’t wait for ears, and truth doesn’t wait for witnesses.

If you need contrast to perceive something, that speaks to your perception — not to the existence of the thing itself.

Clive Robinson August 4, 2025 5:39 PM

@ Anonymous,

If you are going to quote someone quote them in full or within context, not some snippet you chose to make a Straw-Man out of.

As for the rest of your incorrect comment the less said about it the better as it shows you have other failings.

As your statements suggest a certain cognitive bias, a quote you are probably familiar with to consider,

“Judge not, that ye be not judged. For with what judgment ye judge, ye shall be judged: and with what measure ye mete, it shall be measured to you again.”
