In your opinion, does the adversary or defender have the advantage and why do you think that? Another way to word it would be, is it easier to attack or defend?
The beginning of the book: You'll see this message when it is too late: The Legal and Economic Aftermath of Cybersecurity Breac... begins with this question and it seems like a good topic for further discussion.
Interesting thought question. I'm thinking the answer varies both across the lifecycle of the attack and based on the nature of the attack.
Prior to detection, the attacker has the advantage. They have the luxury of time to plan as much as they want, probe for weaknesses, retreat, regroup, and alter strategy. They can also focus investments based on their planned attack and its timing. The defender must spread their defensive budget across all of all perceived weaknesses and must continually remain at attention.
During the aftermath, the defender has the upper hand. Response, investigation and recovery can call in reinforcements, abandon leads, refocus efforts, and can leisurely reflect on just exactly what that "bloody glove" is really telling them. Plus, budget money generally becomes available to "right a wrong". The attacker, on the other hand, can't even opine without turning suspicion towards themselves.
During the attack itself, the advantage starts with the attacker, but slowly cedes to the defender... and sometimes suddenly (e.g. when SWAT arrives).
Also, it will vary based on the nature of the crime. After all, we are collectively unwilling to "put a $10 lock on a $5 bike", resulting in the attacker retaining advantage for "petit theft". On the other hand, we pull out all stops in the case of murder, resulting in the advantage much more quickly/dramatically shifting towards the defender.
@denbesten @tmekelburg1 My thoughts are on the attacker, on the basis that most defenders cannot detect they have been compromised on average now for a period 287 days across the globe. It makes it relatively easy for the attacker to do reconnaissance, gather intelligence and strike, with the information they have gathered at a time or place they chose. The Defender is a sitting target. Given the statistics we are now seeing, increasing by 10% on average per annum, many defenders are simply naive, unprepared without alignment of their business objectives to their security objectives related to their risk appetite.
The attacker has automated, innovative attacks, the defender is still using traditional security techniques, which are failing or have failed, and many other have failed to recognise this at all.
Regards
Caute_Cautim
I think you're onto something there. The Author described it as the advantage changes depending on where they are at on the kill chain. At the beginning, the attacker has the advantage because there are less choke points or many ways into your network. Then as the attacker gets further into your network there are less decision points, aka more choke points that allows the defenders to gain the advantage on stopping the attack or at least detecting it at that point.
I think you could compare this to a special forces operation. It's a small specialized force going to attack a compound that is heavily fortified and are outnumbered by the defenders. They attack in the middle of the night and move in and out as quickly as possible before the defenders have a chance to coordinate against them to gain the upper hand.
@Caute_cautim I've always operated under the assumption they always have the advantage as well but my perspective has changed.