Attacker & defender
Part 1 of a series: What Cybersecurity Is and Why You Should Make It Your Life
This post is Part 1 of a series: What Cybersecurity Is and Why You Should Make It Your Life. This series explains what it takes to become a cybersecurity professional, how anyone can do it, and why you should.
The Mother. The Trickster. The Flood.
Swiss psychoanalyst Carl Jung theorized that archetypes shape and structure human thinking. If cybersecurity has archetypes, the two most fundamental are The Attacker and The Defender. These archetypes go by many names: “red team” and “blue team”; “black hat” and “white hat.” Through these archetypes, the core drama of cybersecurity unfurls: a never-ending duel between these opposing forces.
In this post…
We’ll introduce these two archetypes.
We’ll learn why inhabiting them—being able to play these characters—is key to our work.
We’ll learn our first technique, threat modeling, and try it out on a system near our hearts. Very near.
First, the archetypes.
The Attacker
Cybersecurity is “about” systems: configurations of people and technologies that are supposed to work a certain way. The role of The Attacker is to subvert systems—to make them work some way they shouldn’t.
Imagine a building where people need to wave a key fob to enter. This is a system: it’s supposed to allow authorized people in and keep unauthorized people out. The Attacker will subvert this system; they may find a way to let unauthorized people in, or keep authorized people out.
The Attacker subverts systems by finding a vulnerability and exploiting it. Vulnerabilities come in many forms. They may be technical—a bug in the way the key fob system works. They may also be social—the fact that people generally trust others, especially people who show up in a work uniform and say they’ve been called by so and so to fix such and such. Attacks that exploit this kind of trust are called social engineering attacks.
Sophisticated attackers often use exploit chains: stringing together several exploits in succession to get what they want. For example, in our building, The Attacker may exploit the social vulnerability of trust to gain initial access. Once invited in, they may exploit a technical vulnerability to change the way the key fob system works. The latter is an example of privilege escalation: gaining the ability to perform actions the system was never supposed to let them perform.
Crucially, The Attacker has a motive. They may want money. They may want to spread a political message. They may want to harass or abuse someone. Their motive will dictate how they interact with the system.
To illustrate how motives shape attacks, let’s return to our building. An attacker who wants to harass someone inside the building will find a way to enter it, even if they are not authorized to do so. An attacker who wants to create a scene or make a point may prevent authorized people from entering, or embarrass authorized people as they enter.
The Defender
The Defender responds to The Attacker. They are the yin to The Attacker’s yang.
Ideally, The Defender responds before an attack has taken place. They do so by:
Anticipating possible attacks
Creating barriers to carrying out those attacks
Anticipating attacks is a practice known as threat modeling. (We’ll cover the “creating barriers” bit next time).
Occasionally, The Defender must respond after an attack has occurred. This is incident response, our profession’s version of active combat. The Defender may evict The Attacker from the system (to stop them doing more damage), then patch the vulnerability the attacker exploited so they cannot simply walk back in the same way. We will discuss these ideas later on.
For now, the key to understanding The Defender is understanding that this archetype cannot exist without The Attacker. If you work in cybersecurity, you may think of yourself as The Defender. (I do). Remember: it is The Attacker who makes us. Not simply that attackers ensure we have a job—deeper! Our being is a response to The Attacker’s being.
Everybody on earth knowing that beauty is beautiful makes ugliness. Everybody knowing that goodness is good makes wickedness. For being and nonbeing arise together; hard and easy complete each other; high and low depend on each other; note and voice make the music together; before and after follow each other.
—Tao Te Ching #2 (Ursula K Le Guin translation)
Inhabiting the archetypes
In Jung's theory, archetypes are not predestined personalities. They present opportunities to have particular experiences.
In cybersecurity, inhabiting The Attacker gives you the opportunity to experience systems through an adversarial lens. Inhabiting The Defender affords you the opportunity to experience responding to that adversarial lens.
Understanding these roles, and being able to inhabit them fluidly and fully, is the essence of our profession.
Defenders who cannot wear The Attacker’s “black hat” are bound to be surprised. Attackers who cannot wear The Defender's “white hat” are bound to be confounded.
Successful practitioners think like The Attacker, then think like The Defender, then think like The Attacker again, and so on.
Let's exercise this muscle. We’ll learn our first technique: threat modeling.
Exercise: Threat modeling
As I mentioned above, a key technique in cybersecurity is threat modeling. In threat modeling, we list out the attacks a system is likely to face. This is a speculative process, not unlike writing realistic science fiction. It is an exercise of imagination.
Earlier, we discussed the entrance to a building. To practice threat modeling, let’s think about the entrance to your home.
To help us, we’ll use Adversary Personas, a technique designed by my lab at Berkeley. Government agencies and companies worldwide, including Meta, use versions of this practice to anticipate attacks and manage risks.
What is The Attacker’s motive for entering your home?
Think: what is in your home that someone else might want?
If you find yourself struggling to think of motives, refer to our Adversary Personas cards. The pink cards list adversary motivations. Pick one that speaks to you.
What attack might that motive encourage The Attacker to try?
How might we defend against that attack?
How might that attacker overcome this defense?
Work all the way through these questions. If you found it easy, congratulations. Try another motive. On a roll? Play the full Adversary Personas game with the people you live with.
Whenever you’re satisfied, list out all of the attacks you've found against your home. Congratulations! You've done your first threat modeling. You’ve taken your first step toward becoming a cybersecurity professional.
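The exercise above is a loop: motive, attack, defense, bypass, and around again until one side runs out of ideas. It helps to write the result down as a tree rather than a flat list, so you can see which attacks The Defender has actually answered. The following is an added example, not part of the original post or the Adversary Personas material; the `Attack`/`Defense` classes, the `is_open` rule and the sample home model are all constructed for illustration. The rule it uses is defense in depth: an attack is still "open" if it has no defense, or if The Attacker has an open bypass for every defense placed on it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Attack:
    """One thing The Attacker might try. Defenses are The Defender's answers to it."""
    description: str
    defenses: List["Defense"] = field(default_factory=list)


@dataclass
class Defense:
    """One barrier against an Attack. Bypasses are The Attacker's answers to it."""
    description: str
    bypasses: List[Attack] = field(default_factory=list)


# A threat model here is a set of motives, each with the attacks it encourages.
ThreatModel = Dict[str, List[Attack]]


def is_open(attack: Attack) -> bool:
    """True if The Attacker still has a way through.

    An undefended attack is open. A defended attack is open only if every
    defense on it has at least one bypass that is itself open (defense in
    depth: the attacker has to beat all of the barriers, not just one).
    """
    if not attack.defenses:
        return True
    return all(any(is_open(b) for b in d.bypasses) for d in attack.defenses)


def list_attacks(model: ThreatModel) -> List[str]:
    """Every attack in the model, bypasses included (the 'list them all' step)."""
    found: List[str] = []

    def walk(attack: Attack) -> None:
        found.append(attack.description)
        for d in attack.defenses:
            for b in d.bypasses:
                walk(b)

    for attacks in model.values():
        for a in attacks:
            walk(a)
    return found


def unmitigated(model: ThreatModel) -> List[Tuple[str, str]]:
    """(motive, attack) pairs for which The Defender has no working answer yet."""
    return [(motive, a.description)
            for motive, attacks in model.items()
            for a in attacks if is_open(a)]


# Constructed sample model for a home entrance (hypothetical; built for this example).
HOME_MODEL: ThreatModel = {
    "steal valuables": [
        Attack("walk in through an unlocked door", defenses=[
            Defense("lock the door", bypasses=[
                Attack("pick the lock", defenses=[
                    Defense("fit a pick-resistant deadbolt"),  # no bypass found yet
                ]),
                Attack("use the spare key hidden under the mat", defenses=[
                    Defense("stop keeping a key outside"),
                ]),
            ]),
        ]),
        Attack("break a ground-floor window"),  # no defense listed yet: still open
    ],
    "harass a resident": [
        Attack("pose as a delivery worker and talk your way in", defenses=[
            Defense("verify deliveries through the closed door", bypasses=[
                Attack("follow a resident in while their hands are full"),  # undefended
            ]),
        ]),
    ],
}


if __name__ == "__main__":
    print("All attacks found:")
    for a in list_attacks(HOME_MODEL):
        print("  -", a)
    print("Still open:")
    for motive, a in unmitigated(HOME_MODEL):
        print(f"  - [{motive}] {a}")
```

Running it lists all six attacks the model contains and reports two that are still open: the window, which has no defense at all, and the delivery-worker pretext, whose only defense has an unanswered bypass. The locked door is closed for now because every bypass The Attacker found for the lock has a defense with no bypass of its own. The point of the structure is that "we thought of a defense" is not the end of the loop; the attack only closes when The Attacker, wearing the other hat, cannot think of a way around that defense.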
Reflect
Which did you find easier: placing yourself in The Attacker's shoes, or The Defender's? A journey to a career in cybersecurity is as much about self-discovery as it is about learning skills or techniques. Take note of your inclinations. To succeed, you'll need both to hone your natural inclinations and to counteract them. Balance is everything.
By the way: did this make you a bit paranoid about the safety of your home? Don’t worry. Your home is no less safe than it was before you did this exercise—if anything, it’s safer. For each attack on your list, if you can think of a defense, enact it. If you can’t, don’t fret. Next time, we’ll talk about barriers to attack, and what it means for a system to be secure. See you then.
Jargon review
Here’s the jargon we introduced. Don’t worry about strict definitions—we’ll build an intuitive sense for these terms as we go. If you don’t remember encountering these terms, refer back to the post to see how I used them.
Vulnerability and exploit (the weakness in a system, and the means of taking advantage of it)
Exploit chains
Social engineering attacks
Initial access
Privilege escalation, also known as PrivEsc
Threat modeling
Incident response
Evicting an attacker or adversary
Patching a vulnerability