Myths and Misconceptions about Attackers and Attacks
Stjepan Groš

TL;DR
This paper investigates attacker behavior through a three-year study, debunking common myths, clarifying attackers' true capabilities and challenges, and emphasizing that defenders can leverage attacker uncertainties for better security.
Contribution
It provides an in-depth analysis of attacker behavior, clarifies misconceptions, and highlights the uncertainties attackers face, informing more effective defense strategies.
Findings
Attackers do not have absolute advantage; they operate under uncertainty.
Misconceptions about attackers are widespread and often exaggerated.
Understanding attacker limitations can improve defense mechanisms.
Abstract
This paper is based on a three-year project during which we studied attackers' behavior, read military planning literature, and thought about how we would do the same things they do and what problems we, as attackers, would face. This research is still ongoing, but while participating in applications for other projects and talking to cyber security experts we constantly face the same issues, namely that attackers' behavior is not well understood and, consequently, there are a number of misconceptions floating around that are simply not true, or are only partially true. This is actually expected, as someone who casually follows news about incidents easily gets the impression that attackers and attacks are everywhere and everyone is under attack. Our goal in this paper is to debunk these myths, to show what attackers really can and cannot do, what dilemmas they face, what we don't know about…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
