Our cyber world is full of myths and FUD:
Attackers only have to be right once, Defenders have to be right all the time!
Firstly, let’s cut straight to the chase: I can only assume that someone who says this is ignoring, or is unaware of, how computer systems and intrusions work. But surely this is a true phrase? I’ve seen it repeated over and over again on LinkedIn, so it must be true, right?
No, it’s largely false, and it’s one of the more harmful clichés in the industry. But why?
Where it comes from / the grain of truth
It’s true that an attacker often only needs one exploitable path to gain initial access, while a defender has to cover a large attack surface. At the single-point-of-entry level — one unpatched edge device, one phished credential — there’s an asymmetry of coverage. That’s the seed this phrase is built on. It does, however, fall apart when confronted with the cold harsh reality of details and science!
Let’s look at the kill chain:
- Mission/Crime Planning
- Research
- Resource Development
- Recon & Enumeration
- As a threat actor we would need to find the right assets, in the right state, and obtain or develop an access method:
  - Phishing / Cred Theft / Known Software Vulnerability / Misconfiguration or 0-Day
So before we were ‘right once’ we had to have the motivation, capability and intent.
Then, if we land a position somewhere, that position needs to:
- Work
- Be unnoticed
- Allow us to move somewhere else (lateral movement/escalation of privileges)
Then let’s add in:
- We need to be undetected, we need to remain undetected, or we need to move at speed to the point that a detection does not destroy our position
As a practitioner who simulates attacker processes, I fail all the time. I fail because compromising things is not like a CTF (ok, sometimes it’s simpler, but…. IRL it’s generally much harder than some people will admit).
As an attacker I need to have maybe 7 things line up to ‘be right once’.
The Defender Position
As a defender I need to be right 100% of the time….. er sure Jan! Tell me you haven’t been a defender without telling me.
Each event and incident is not the end of the world.
We have human error, we have insider threats, we have phishing that lands, we have cred theft, and we have constant exploit and auth attacks against our exposed infra.
- Sometimes things break
- Sometimes humans make mistakes
- Sometimes software has bugs
But never once do I have to be ‘right all the time’.
Vulnerabilities
We do not aim for a zero-vulnerability position; it might sound lovely, but it’s simply not how business, or complex computer systems, work.
- We patch
- We monitor
- We manage
- We prioritise
- We remediate where we need to and where we can
- We harden
- We layer
Anyone thinking you need to have a zero-vulnerability position probably hasn’t ever done the job before:
Every month we have an ebb and flow of vulnerabilities. Most vulnerabilities are not easily exploitable, or exploitable at all, and even when exploited they don’t cause the world to end. “We have CVSS for a reason, not everything needs patching” is right in spirit but soft in detail, and someone will pull on it. A CVSS base score is a severity signal, not an exploitability or priority signal. The honest version is that we triage on real-world risk — EPSS, CISA KEV, exposure, asset criticality, compensating controls — not on a base score in isolation.
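To make the triage point concrete, here is an added example (not the author’s code, and not any standard scoring scheme) that ranks a handful of constructed findings by a risk score built from EPSS, KEV listing, exposure, asset criticality and compensating controls, and shows how that order differs from sorting on CVSS base score alone. The weights and the finding records are assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    # Constructed sample record; the id is a placeholder, not a real CVE.
    vuln_id: str
    cvss_base: float            # 0-10 severity signal
    epss: float                 # 0-1 probability of exploitation (EPSS)
    in_kev: bool                # listed in CISA KEV (known exploited)
    internet_exposed: bool      # reachable from the internet
    asset_criticality: int      # 1 (low) .. 3 (crown jewel)
    compensating_controls: bool  # e.g. segmented off, EDR isolation, WAF rule


def risk_score(f: Finding) -> float:
    """Illustrative risk ranking: likelihood x impact with assumed weights."""
    likelihood = f.epss
    if f.in_kev:
        likelihood = max(likelihood, 0.9)  # exploited in the wild trumps EPSS
    if not f.internet_exposed:
        likelihood *= 0.3  # attacker must already be inside to reach it
    if f.compensating_controls:
        likelihood *= 0.5  # controls reduce, but do not remove, the risk
    impact = (f.cvss_base / 10.0) * f.asset_criticality
    return round(likelihood * impact, 3)


def triage(findings):
    """Order findings by real-world risk, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def cvss_only(findings):
    """The 'patch everything by base score' ordering, for contrast."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed findings: a critical-CVSS internal bug behind controls, a KEV-listed
# medium-CVSS bug on an exposed crown-jewel system, and a high-CVSS exposed bug.
SAMPLE = [
    Finding("CONSTRUCTED-A", 9.8, 0.01, False, False, 1, True),
    Finding("CONSTRUCTED-B", 7.5, 0.60, True, True, 3, False),
    Finding("CONSTRUCTED-C", 8.8, 0.05, False, True, 2, False),
]

if __name__ == "__main__":
    print("by CVSS base:", cvss_only(SAMPLE))
    print("by risk:     ", triage(SAMPLE))
```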
Summary
Now here is one thing: it is possible to have a single compromise point which gives the attacker god mode, such as an exposed RDP server with no account lockout, or where domain admin credentials are exposed and hardening, monitoring and other controls are not in place…. Sure, if you do the most stupid thing, if the attacker ‘just buys access’ or is incredibly lucky and all of the things have lined up…. you can kind of have something where one action feels like it’s all it took. But that ignores every failure, every mistake and every other event that occurred before the attacker just ‘magically’ logged in.
The phrase IMHO is harmful; it doesn’t match the reality of attack or defence. It doesn’t add value, and if anything, people throwing it about as if it’s insightful actually makes the job harder!