Defenders think in lists, attackers think in graphs (2015)

405 points by akyuu 9 months ago

26 comments

nunez 9 months ago
"Attackers" usually have a single mission in mind (exfiltrate juicy data, destabilize the target, hold juicy data for ransom, etc.) and have the privilege of exploring as deeply as needed until the mission is accomplished.

"Defenders" (like the SOC) have to think in lists because they're tracking many signals and threat vectors at a time and need to prioritize which ones warrant their attention/require action because a regulator told them so (think high-scoring CVEs against code that's been deprecated forever ago).

Without having "defenders" post in random places along the graph looking for interesting activity, I don't know how they'll be able to "think in graphs". To wit, the suggestions that the author made would be, you guessed it, signals in a list that a "defender" would check against!
treflop 9 months ago
Defenders use lists because they have to manage hundreds and thousands of assets at the same time. What do you do when you have to manage a ton of things? You make a list. You go through that list. You apply a checklist.

Now should defenders also make dependency graphs too? Sure, but they should be making lists first before dependency graphs and making sure things are up to date, that they assume limited trust, and that resources are isolated. Then they should make dependency graphs.

"Defenders have to think in lists and graphs and manage a billion things. Attackers just have to look at a few things."
tpmoney 9 months ago
I feel like this goes too deep. Or maybe it hits on the right reason, but the wrong cause. The defender's job isn't defense. Cyber security isn't a sportsball game where there are clear even goals and objectives with alternating positions. It's a side show, and a distraction from the main business of whatever else the defenders are trying to do. By contrast, an attacker's entire job is to attack the system. There is no other purpose they are serving, no secondary masters or considerations that need to be used to weaken their attacks.

Attackers win for the same reason that Microsoft is better at publishing operating systems than Cisco: because Cisco's operating systems are a means to an end. Microsoft's are the end.
talkingtab 9 months ago
I feel like this does not go deep enough. :-)

"Lists" is just shorthand for components. "Graphs", shorthand for interoperation. The component view is analysis; the interaction view - well, we don't have a really good word for that, and yet as the article points out, that is often the attack surface.

Complex adaptive systems (see John Holland's "Hidden Order") have components and a messaging bus which crucially provides a way for the constituent components to interoperate. You can swat ants individually, but if you want to stop them, you destroy the ability to leave pheromone trails.

Maybe there should be a word like "analysis" for understanding how things interoperate. Gestaltysis?
CharlieDigital 9 months ago
Whoa.

I briefly worked for a "cyber security" company and couldn't quite put my finger on why I ultimately hated the product and felt that the approach that they took -- and a large part of the industry -- was ultimately a sham.

I couldn't quite put it into words, but now I get it: we were building the tools to support the most useless of cybersecurity practices -- org-level checklists.
Faelian2 9 months ago
As a pentester, I would argue that attackers don't think in graphs either.

Apart from Bloodhound, I can't think of any tools where we have graphs.

For web security, I can't think of something where "graph thinking" applies. But we have a pretty huge list of attacks to test: https://portswigger.net/web-security/all-topics

And ultimately, what is inside your pentest report? Not a graph, a list of things to do:

- SMB signing.
- Don't use the domain admin to manage every machine.
- ...

The main reason this phrase is so popular is that it panders to the hacker community: "We are the smart guys, all the defenders do is Excel sheets."

IMHO, the nugget of truth in this is that defenders can spend considerable amounts of time on things that don't matter, like doing the CIS benchmark by hand on all servers, while missing the low-hanging fruits that would give them a strong security posture.

In a lot of companies, the defenders are just sysadmins that don't have any idea of what they should focus on.
alephnan 9 months ago
This is just a fancy way of saying defenders have to defend every entrypoint vs attackers who only have to find a single point of weakness.
batch12 9 months ago
I've done both. I've been an incident responder and have experience with penetration testing and red teaming. I think that, while reductive, this is somewhat true, but not necessarily as negative as the article reads. Defense is made up of many things. For instance, developing effective controls to reduce the risk and impact of a security event, identifying attacks and compromise, and responding to the events. Lists of standards and responses work well. Defense also includes architectural decisions which require thinking about the graph of the network to develop these controls. There are lots of disciplines in defense too: architecture/engineering, risk management, incident response, application security, education, threat intelligence, and so on.

Also interesting that the author implies the problem is about thinking of defense in lists, then provides a list of items to consider to improve defense.
uberman 9 months ago
Attackers win because they only need to succeed once after probing for weak points. Defenders have to guard everything at once.
dzink 9 months ago
Sounds like there needs to be one or more honeypots in each network for catching intruders in the system. Fake crypto credentials, fake password storage, etc.
anothernewdude 9 months ago
Graphs are lists. https://en.wikipedia.org/wiki/Adjacency_list
lmeyerov 9 months ago
A formal way to frame this insight is how a formal methods security researcher might: graph-based program verification.

A lot of core confidentiality and integrity security problems come down to 'safety property' verification (a notion from model checking), which in turn comes down to reachability on a program flow graph (a notion from program analysis). This is also true of access control verification, but that's a topic for another day.

Imagine a dataflow or points-to analysis on a program, and extend it all the way to include the code in your OS and the cloud and the database. These analyses create a graph, and the question is: can an attacker get from an entrypoint and precondition of some node A (a line of code) and traverse to the assets on point B (another line of code)?

Interestingly, the security field is increasingly getting there, with ideas like CNAPP, IAM/Cedar, AD/BloodHound, where we are getting these basic access graphs modulated by estate, identity, access policy, etc. Often we don't even really need the programs, because it's more about a distributed system where we can focus just on identities and policies across trust zones. (E.g., if a box gets hacked, that exposes other credentials on the same box.)

At the same time, anyone working in these things also knows graph reachability is simplistic '80s & '90s stuff: there can be complex logical policies at each node, so we're seeing things like modeling those harder points not just as pure reachability, but also as things we can actually peek into and more richly verify, such as by modeling fancy ABAC policies using SMT solvers.

I don't think that's really where the author is coming from, but it's a reason the article resonated with me for so many years from a principled perspective, and I think it's incredibly practical and important today.

(Disclaimer: we do crazy GPU graph AI power tools for folks in the space at Graphistry / Louie.AI, and my first verification papers here were almost 20 years ago, so I've been thinking about this a lot.)
bsder 9 months ago
Defenders need to win every single time. Attackers only need to win once. So attackers win.
akira2501 9 months ago
> Bob admins the DC from a workstation. If that workstation is not protected as much as the domain controller, the DC can be compromised.

They both run Windows. The protection class between the two is identical. You can draw as many graphs and lists as you want, but the security of this arrangement is mostly down to timely and accurate Windows Updates.

> Learn to Spot List Thinking

I think in terms of "diffs." I want to know what is _changing_ on my network. I don't ever need an enumeration of things in any particular arrangement and as a human being, whether graph or list, I'm not equipped to use it in any meaningful way.

A difference list is typically very short, reveals intrusion patterns quickly, and is something you can automate easily.
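The "difference list" approach in the comment above, as an added Python example written for this page (not code from the commenter or from any product): two inventory snapshots are diffed attribute by attribute, and a small triage filter keeps only the change kinds that grant access or accept connections. The hosts, ports and account names are constructed placeholders, and `diff_inventory`, `triage` and `HIGH_SIGNAL` are hypothetical names chosen here.

```python
# Constructed inventory snapshots (hypothetical hosts, ports and accounts; not
# data from the thread): host -> attribute -> set of observed values.
SNAPSHOT_T0 = {
    "dc01": {"listening": {88, 389, 445}, "admins": {"Domain Admins"}, "scheduled_tasks": set()},
    "ws-bob": {"listening": {445, 3389}, "admins": {"bob"}, "scheduled_tasks": {"backup"}},
}
SNAPSHOT_T1 = {
    "dc01": {"listening": {88, 389, 445}, "admins": {"Domain Admins"}, "scheduled_tasks": set()},
    "ws-bob": {"listening": {445, 3389, 8088}, "admins": {"bob", "svc_update"}, "scheduled_tasks": set()},
    "ws-unknown": {"listening": {445}, "admins": {"localadmin"}, "scheduled_tasks": set()},
}

# Change kinds worth an analyst's attention on any host: something new appeared
# that either grants access or accepts connections. Removals are still reported
# by diff_inventory, they are just not promoted by triage().
HIGH_SIGNAL = {
    ("host", "added"),
    ("admins", "added"),
    ("listening", "added"),
    ("scheduled_tasks", "added"),
}


def diff_inventory(old, new):
    """Return (host, attribute, change, value) tuples for everything that differs.

    A host that appears or disappears entirely is reported once as a 'host'
    change rather than once per attribute, which keeps the list short.
    """
    changes = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            changes.append((host, "host", "added", None))
            continue
        if host not in new:
            changes.append((host, "host", "removed", None))
            continue
        for attr in sorted(set(old[host]) | set(new[host])):
            before = set(old[host].get(attr, ()))
            after = set(new[host].get(attr, ()))
            # key=str so ports (ints) and names (strs) sort without a TypeError
            for value in sorted(after - before, key=str):
                changes.append((host, attr, "added", value))
            for value in sorted(before - after, key=str):
                changes.append((host, attr, "removed", value))
    return changes


def triage(changes):
    """Keep only the changes a defender should look at first."""
    return [c for c in changes if (c[1], c[2]) in HIGH_SIGNAL]


if __name__ == "__main__":
    for change in triage(diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1)):
        print(change)
```

Running it prints three lines: a new local admin and a new listener on ws-bob, and a host that was not in the previous snapshot at all. The dropped scheduled task on ws-bob is still in the full diff, so nothing is lost; it is simply not promoted. The snapshot format is deliberately flat so that whatever already collects this data (an EDR export, a config-management report, a scheduled scan) can feed it without the diff logic caring where it came from.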
notepad0x90 9 months ago
Defenders also think in graphs. Matter of fact, good defenders think like attackers.

Case in point, to contradict the author of this post directly:

https://github.com/BloodHoundAD/BloodHound

BloodHound is primarily a defender tool that uses graph theory to help defenders find attack paths. But attackers also use it to help them find the shortest path to owning an AD domain. BloodHound is used by a lot of threat actors as part of those news stories where the entire company is ransomwared. But what you don't see is, in a lot of companies that don't get totally ransomwared, there is a chance defenders are also using BloodHound to find and fix attack paths.
er4hn 9 months ago
Judging by the comments, this article seems true in the abstract: "You are only as strong as your weakest link" can be formalized better as "You are only strong if there is no path over your assets for an attacker to carry out their objective." The big problem with "checklist based security" is that it is agnostic to underlying infra and ignores whatever issues a graph based approach might reveal.

I'll add another item that defenders use for graphs: SBOMs. You can map out component relationships with them and understand if, for example, there's an issue with openssl, which end applications are affected.
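Both lmeyerov's framing earlier in the thread (a safety property as "asset B is not reachable from entry point A" on an access graph) and the SBOM point in this comment reduce to the same graph search, so one added Python example serves both. This is illustrative code written for this page, not code from the thread, from BloodHound or from any SBOM tool: the hosts, credential nodes, entry point and package names are constructed placeholders, and `shortest_path`, `affected_by` and `cut_candidates` are hypothetical helper names chosen here. It goes slightly beyond the comments by also computing which single node a defender should fix to break every path.

```python
from collections import deque

# Constructed sample access graph (hypothetical hosts, credentials and an
# entry point; none of these come from the thread). A directed edge A -> B
# means "control of A yields access to B": a cached admin credential on a
# workstation, or admin rights over another host.
ACCESS_GRAPH = {
    "phish-entrypoint": ["ws-bob"],
    "ws-bob": ["cred:bob-dc-admin"],
    "cred:bob-dc-admin": ["dc01"],
    "ws-alice": ["cred:alice-helpdesk"],
    "cred:alice-helpdesk": ["ws-bob"],
    "dc01": [],
}

# Constructed sample SBOM dependency graph: an edge A -> B means "A depends on B".
SBOM = {
    "app-billing": ["lib-http", "lib-json"],
    "app-portal": ["lib-http"],
    "app-batch": ["lib-json"],
    "lib-http": ["openssl"],
    "lib-json": [],
    "openssl": [],
}


def shortest_path(graph, start, goal):
    """Breadth-first search; returns one shortest path as a node list, or None.

    This is the 'safety property as reachability' check: the property
    "goal is not reachable from start" holds exactly when this returns None.
    """
    if start == goal:
        return [start]
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == goal:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def reverse(graph):
    """Flip every edge, so "A depends on B" becomes "B is depended on by A"."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def reachable_from(graph, start):
    """All nodes reachable from start (excluding start itself), via DFS."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    seen.discard(start)
    return seen


def affected_by(sbom, component):
    """Every component or application that transitively depends on `component`."""
    return sorted(reachable_from(reverse(sbom), component))


def cut_candidates(graph, start, goal):
    """Hypothetical helper: single nodes whose hardening/removal breaks every
    start -> goal path, i.e. where one fix buys the defender the most."""
    cuts = []
    for node in graph:
        if node in (start, goal):
            continue
        pruned = {n: [d for d in dsts if d != node]
                  for n, dsts in graph.items() if n != node}
        if shortest_path(pruned, start, goal) is None:
            cuts.append(node)
    return cuts


if __name__ == "__main__":
    print("attack path:", shortest_path(ACCESS_GRAPH, "phish-entrypoint", "dc01"))
    print("fix here:", cut_candidates(ACCESS_GRAPH, "phish-entrypoint", "dc01"))
    print("affected by an openssl issue:", affected_by(SBOM, "openssl"))
```

The access-graph half answers the question lmeyerov poses (is there a path from the entry point to the asset?) and, with `cut_candidates`, turns the answer into a remediation: in the sample data both the admin workstation and the credential cached on it are chokepoints, while the helpdesk account is not, so hardening it would not change the verdict. The SBOM half is the same search on the reversed dependency edges, which is what "which end applications are affected by an openssl issue" amounts to. As the comment notes, real policies at each node (ABAC, conditional access) are not captured by plain reachability; this example treats every edge as unconditionally traversable.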
dang 9 months ago
Discussed (a bit) at the time:

Defenders think in lists. Attackers think in graphs - https://news.ycombinator.com/item?id=9442565 - April 2015 (7 comments)
waihtis 9 months ago
Attackers win so easily because corporate security teams play predominantly

1) regulatory games
2) compliance games
3) CV optimization games
4) political games and finally
5) actual security work games within their organization
jvda 9 months ago
This is exactly why (good) defenders work by threat modeling using different perspectives and representations: one of them being attack graphs. But yes, a lot of the mandated compliance and governance stuff is just checking lists, which is why it does not work.
mhh__ 9 months ago
> Philosophy has an affinity with despotism, due to its predilection for Platonic-fascist top-down solutions that always screw up viciously. Schizoanalysis works differently. It avoids Ideas, and sticks to diagrams: networking software for accessing bodies without organs. BWOs, machinic singularities, or tractor fields emerge through the combination of parts with (rather than into) their whole; arranging composite individuations in a virtual/actual circuit. They are additive rather than substitutive, and immanent rather than transcendent: executed by functional complexes of currents, switches, and loops, caught in scaling reverberations, and fleeing through intercommunications, from the level of the integrated planetary system to that of atomic assemblages. Multiplicities captured by singularities interconnect as desiring-machines; dissipating entropy by dissociating flows, and recycling their machinism as self-assembling chronogenic circuitry.
hoherd 9 months ago
Isn't a defense strategy based on a graph an O(n!) problem, and thus unrealistic? Perhaps it's not quite that bad, but it has to be somewhere in computationally infeasible solutions territory.
zmgsabst 9 months ago
What?

Those visualizations of network graphs enhanced by segmentation/clustering data are at least a decade old. As is studying how attackers traverse.

Here's something I find true:

Defenders think in cheap cliches, attackers think like professionals — so attackers win.
frays 9 months ago
Fantastic analogies useful for cybersecurity here.
hckevrythng 9 months ago
I know practically nothing of the industry this post is referring to except my passion for continuing my education until I can legitimately become a part of it. Computers and the cybersecurity industry are passions of mine. I'm appalled at how badly threat actors are ruining things and I just feel like it takes a hacker to catch a hacker. I've dabbled but never become serious enough to get the required education. Frankly, to my way of thinking that involves (aside from all the playing around with what one can break) learning a programming language. So I'm slogging through C. But honestly I believe it is the constraints of societal perceptions that most hinder the security industry from doing better. They tie their own hands by playing "good guy" within the framework of certain rules themselves formulated out of overcaution, while the "bad guys" run rampant, operating effectively without constraints. Most likely, despite all the effort and knowledge I will have eventually accumulated as the criteria for being qualified, no person or company will ever hire me. I spent a number of years in several states incarcerated in the penal system for crimes entirely unrelated to this industry, nevertheless rendering me unfit as far as any firm is concerned to work in the cyber security industry. Even though an education coupled with a map of the criminal mind because of my experiences would be an unbeatable combination (nearly..lol), the fear that abides in the heart of the defenders will be the reason they will always stay one or more steps behind. The idea that reform is not only possible but that SOME of us so abhor the way we once were that we are now staunch bulldogs on the side of morality is an idea entirely unknown in this country currently. And that's a shame. Because last I checked it was understood the best way to catch a thief...
Joel_Mckay 9 months ago
I prefer systems inspired by ecology:

1. Network connectivity: Crickets
2. Cluster resources: Bees
3. Queues/pipelines: Ants

Consider that the population of ants on earth is 20*10^15: one could spend the rest of their life stepping on individuals, but the futile behavior remains meaningless to self-repairing ecosystems.

https://www.youtube.com/watch?v=ksZTYRqr444 (Jimi Hendrix, "Castles Made of Sand")
krn1p4n1c 9 months ago
Attackers aren't hampered by organizational imperatives. They are free to find targets of opportunity and move between them as it suits them.

Defenders usually have to justify their work to management and balance "real" defense work with things that reduce liability. This ends up being a prioritized list.

I blame JIRA for giving the attackers an advantage.