The Rise, Fall, and Rebirth of the Presumption of Compromise

The emergence of the presumption of compromise

In cybersecurity, we often say that “prevention is ideal, but detection is a must.” But why do we say that? Shouldn’t both prevention and detection be a must in a layered, defense-in-depth security approach? Well, this saying is rooted in a realistic view of the world, one in which we as cyber defense professionals have come to accept that it is almost impossible to prevent the bad guys from breaking into connected systems. The choices are either total isolation (which in some cases can still be circumvented) or accepting the risk of a breach. This notion of failing prevention has become a focal point of our modern defense strategy and has become known as the “presumption of compromise.” That is, assume that you have already been breached, and focus on continuously discovering and eradicating the bad that lurks in your systems.

When we failed with prevention, we turned to detection. To paraphrase Churchill: No one pretends that detection is perfect or versatile. In fact, it has been said that detection is the worst form of defense apart from all the other forms that have been tried.

The presumption of compromise inevitably falls

Nevertheless, the current form of the presumption of compromise – which focuses on rapid detection – is destined to fail, because its contemporary version serves only as a tactical tool rather than as a strategic framework. It tells you what not to trust, but does not tell you how to actually solve the problem. Instead of offering a solution, the presumption of compromise just kicks the can down the road.

In a recent thought-provoking experiment, security researchers from Splunk tried to determine the encryption rate of modern ransomware families. They selected 10 ransomware families and measured the time it took each to encrypt 100,000 files on a victim’s system. The results were striking. It took 45 minutes on average, with the slowest ransomware (Babuk) encrypting the files in 3.5 hours, while the fastest ransomware (Lockbit) reached this goal in just 4 minutes (!).

Other recent research analyzing ransomware attacks concluded that “the average duration of a company’s ransomware attacks decreased 94.34% between 2019 and 2021.”

An additional parameter to consider in this context is breakout time, which measures how long it takes an adversary to move from the initially compromised system to the next one. According to CrowdStrike, the average breakout time in 2021 was 1.5 hours. In 2018, it was almost 2 hours.

Unfortunately, these measurements provide a gloomy forecast for our near future. The attackers are getting faster and the ever-shrinking detection window is under constant pressure.

Automation arms race

To detect faster, defenders turn to automation – sometimes using static signatures and correlation rules, and sometimes using machine learning. Unfortunately, automation is not the monopoly of the good guys; attackers use it as well. Being able to inflict damage faster and with fewer human operators serves the attackers’ business models well, so the incentive to automate attacks has never been stronger.

Once both sides – attackers and defenders – increasingly turn to automation, we end up in a spiraling automated arms race. The defenders have had a head start in this race, having spent many years developing and deploying AI-based solutions. Nevertheless, it is frightening to think about the consequences of attackers’ mass adoption of such technologies, which will continue to narrow the detection window.

The rebirth of the presumption of compromise

The inevitable shrinkage of the detection window forces us to reconsider the strategy built on it. In the long run, it seems that detection alone is no longer a viable defense strategy. Instead, I believe that the focus of defensive strategy will shift to resilience – being able to recover quickly after an incident, where automation and ephemeral computing systems that can be brought up and torn down instantly play a central role.

Make no mistake: the presumption of compromise is, after all, a good idea. It keeps us sharp and realistic. Nevertheless, its current detection-oriented manifestation looks like a losing strategy in the long run. Instead, we should start focusing on resilient, self-recovering and instantly rebuildable systems. Such a rebirth will supply the missing brick of the solution, completing the set: protection, detection and resilience. Together, they have the power to form the Holy Trinity of a truly sustainable defense-in-depth strategy.
