The Rise of the Presumption of Compromise

In cybersecurity, we often say that "prevention is ideal, but detection is a must." But why do we say that? Shouldn't both prevention and detection be musts in a layered, defense-in-depth security approach? Well, this saying is rooted in a realistic view of reality, where we, as cyber-defense professionals, have come to accept that it's almost impossible to prevent the bad guys from breaking into connected systems. The choices are either total isolation (which, in some cases, can be circumvented) or risking a breach of the system. This notion of failing prevention has become a linchpin in our modern defense strategy and has become known as a "presumption of compromise." That is, assume that you already have been breached and focus on never-ending detection and eradication of the badness lurking in your systems.

Since we failed with prevention, we turned to detection. To paraphrase Churchill: No one pretends that detection is perfect or all-wise. Indeed, it has been said that detection is the worst form of defense except for all those other forms that have been tried.

The Inevitable Fall of Presumption of Compromise

Nevertheless, the current form of presumption of compromise — which focuses on rapid detection — is intended to fail because its contemporary version serves merely as a tactical tool rather than as a strategical framework. It tells you what not to rely on but doesn't tell you how to truly solve the problem. Instead of providing a solution, presumption of compromise merely kicks the can down the road.

In a recent thought-provoking experiment, security researchers from Splunk tried to determine the speed of encryption of modern ransomware malware families. They selected 10 ransomware families and measured the time it took each to encrypt 100,000 files on a victim's system. The results were astonishing. It took 45 minutes on average, with the slowest ransomware (Babuk) able to encrypt the files within 3.5 hours, while the fastest ransomware (Lockbit) achieved this goal within only 4 minutes (!).

Other recent research, which analyzed ransomware attacks, concluded that "the average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021."

An additional parameter to consider in this context is breakout time, which measures how much time it takes for an adversary to hop from an initially compromised system on to the next. According to CrowdStrike, the average breakout time in 2021 is 1.5 hours. In 2018, it was almost 2 hours.

Unfortunately, these measurements provide a dismal forecast for our near future. The attackers are getting faster, and the ever-shrinking detection window is under a constant pressure.

Automation Arms Race

To detect faster, defenders turn to automation — sometimes by using static signatures and detection rules, and sometimes with the help of machine learning. Unfortunately, automation is not the monopoly of the good guys, and attackers use it as well. Being able to inflict damage faster and with fewer human personnel is serving the attackers' business models well, so the incentive to automate attacks has never been stronger.

Once both sides — the attack and the defense — increasingly turn to automation, we end up in a spiraling automation arms race. The defenders have had a head start in this race, spending the last several years developing and deploying AI-based solutions. Nevertheless, it's frightening to think about the consequences of the mass adoption of such technologies by the attackers, which continues to narrow the detection window.

The Rebirth of the Presumption of Compromise

The inevitable shrinkage of the detection window forces us to rethink its foundation. In the long term, it appears that detection alone is no longer a viable defense strategy. Instead, I believe that the focus of defensive strategy will be passed on to resilience — being able to recover quickly from an incident, with automation and volatile computerized systems that can be brought up and down instantly playing a pivotal role.

Make no mistake: A presumption of compromise is a good idea after all. It keeps us sharp and realistic. Nonetheless, its current detection-oriented manifestation looks like a losing strategy over the long term. Instead, we should start focusing on resilient, self-recoverable, and instantly rebuildable systems. Such recoverability will lay out the missing brick of the solution: protection, detection, and resilience. Together, they have the power to form the holy trinity of a truly sustainable defense-in-depth strategy.