By Mark van Vuuren

Rethinking IDS: The Math behind the Intruder's Dilemma

Security and compliance frameworks like CIS, NIST, and PCI call out intrusion detection systems (IDS) as a must-have technology to build secure defenses. Yet, attackers continue to sneak past even the best-funded perimeter defenses modeled around these frameworks.

Today's attackers follow a land-then-pivot workflow. From a security leader's perspective, "land" is the intrusion event, and "pivot" is the march toward your valuables that ends in a career-limiting data breach. Unfortunately, the traditional IDS workload ends at land: it watches traffic crossing the perimeter for known attack signatures. During the most damaging attack phases (lateral movement and data staging for exfiltration or destruction) IDS is mostly irrelevant. That alone should give you pause to reconsider whether your IDS budget is doing enough.

We've created mathematical models to show why defending your organization only at the point of intrusion is not enough: defending against threats from inside the network lets you take back the advantage. The models will reveal:

  • Why the Defender's Dilemma should temper your investments at the edge

  • How clear eyes on the inside create an Intruder's Dilemma that stops attackers before they do real damage

  • Why your IDS needs a next-gen upgrade to go beyond intrusions

The Defender's Dilemma

Defenders have to be right 100% of the time, attackers have to be right once.

The defender's dilemma names an unpleasant axiom in the security industry: a determined attacker will inevitably find a way in. It is unclear who first coined the phrase, but it became generally recognized after the RAND Corporation's 2015 report, The Defender's Dilemma: Charting a Course Toward Cybersecurity. That report addressed the broader complexity of cybersecurity defense, but the term has since evolved into an industry shorthand for the challenge of preventing an intrusion event.

The defender's dilemma exists because attackers have unlimited flexibility in enumerating targets and tactics to employ at the perimeter. Typically they are looking for an easy path, requiring the least energy and expense to establish a beachhead inside the target's environment.

The land-then-pivot strategy works for attackers because most defenses have crunchy perimeters and mushy insides with minimal introspective tooling. And today, that easy-land path is increasingly exploiting people, not machines: Phishing, stolen credentials, and misconfigurations (2021 Verizon DBIR report) are more common entry points than the software vulnerability exploits that IDS was built to address. This gives an attacker the advantage against an organization's perimeter defenses.

Because attackers have room to be flexible, the defender has to make big investments up front in the hope of plugging every known and unknown hole. One hundred percent coverage is a daunting target, especially when security resources are pitted against business objectives for speed, agility, and frictionless innovation.

The attacker only has to get it right once to succeed. Defenders have to get it right every single time. I would call that a dilemma.

If it feels deflating and perhaps even hopeless, read on—we think not.

The Intruder's Dilemma

The intruder's dilemma tips the scale in favor of the defender: The defender only has to detect one of the intruder's actions to prevent real damage. It makes the clear-cut case that defenders can regain the advantage by battling threats from inside the perimeter. The phrase intruder's dilemma was first coined in a blog by security monitoring author Richard Bejtlich.

Once the intruder lands and gains a foothold, the tables turn in favor of the defenders—that's if the blue team has the tooling to see the intruder doing intruder things. Intruders are foreign to the environment, and they have needs that force them to deploy techniques to discover, escalate privileges, and move laterally through your territory as they converge on your valuables.

The MITRE ATT&CK framework models tactics, techniques, and procedures (TTPs) from the attacker's perspective across the kill chain. The nine techniques in the Initial Access tactic cover the attacker's options during the intrusion phase. The eleven tactics that follow it, from Execution through Impact, describe the post-compromise actions where you can intercept a persistent intruder.

Intrusion Skirmishes vs Data Breach Battles

"It's over, Anakin! I have the high ground" —Obi-Wan

In theory, it's better to stop an attacker at the beginning of the kill chain, but in the real world, it makes more sense to battle where you have the high ground. If intrusions are inevitable against determined attackers, then the perimeter is the place for skirmishes with the script kiddies and easily deterred attackers.

This is why adding more brittle signatures of known attack patterns may feel good, but it is just more of the same perimeter-based defense. Instead, the effort and budget may be better served by upgrading IDS to next-gen capabilities that can battle attackers across the whole kill chain before intruders do real damage through a data breach.

The Math Behind the Intruder's Dilemma

Predicting the future is the science of probabilities. For example, when betting on a coin flip, we know the likelihood of the coin landing heads is 50%. If we flip that coin two, three, or four times, the probability of getting at least one head is 75%, 87.5%, and 93.75%, respectively: 1 − (1 − 0.5)^n for n flips.

In the same manner as the coin-flip sequence, the defender's dilemma models the attacker's probability of compromising at least one asset given a per-asset success probability p and a total of N targets: 1 − (1 − p)^N. Every additional exposed asset is another flip of the coin in the attacker's favor.

The math behind the intruder's dilemma is the same formula seen from the other side: the likelihood that the defender detects at least one adversarial action, given a per-action detection probability d and the minimum number of actions k the intruder must take through the kill chain, is 1 − (1 − d)^k. Every additional step the intruder has to take is another flip of the coin in the defender's favor.

As with all prediction models, the resulting quality depends on the accuracy of the inputs. In this case, we are more interested in general trends over the exact percentages.

Example: Phish, Explore, Escalate, Pivot, Exfiltrate

Let's build a scenario to test the calculations behind both the defender's dilemma and intruder's dilemma. From there, you can try it out based on your network model.

The Kill Chain

According to the 2021 Verizon DBIR, phishing continues to be the top method of intrusion, growing from 25% in 2020 to 36% in this year's report. Frighteningly, KnowBe4 Phishing Report concludes that 4.7% of users will click the bait after one year of phishing training.

Let's assume an attacker targeted one hundred users with a phishing email, then model a sequence of the intruder's likely post-compromise actions, which include mapping the victim's environment and pivoting toward their objectives. In our example (table 1), we model everyday real-world intruder actions but limit it to ten steps to simplify the calculation.

Table 1: A Model of Real-World Intruder Actions

The Intrusion Skirmish

In our simulation, we'll assume 4.7% is the probability that any one of the one hundred targeted users will click the campaign bait. Based on these two inputs, the probability that at least one user clicks is 1 − (1 − 0.047)^100, a 99.18% likelihood that this environment will suffer a successful intrusion from a single phishing campaign.

The Defender's Dilemma Calculator

The number of assets or users that can be exploited: 100

Probability your exposed assets will be breached (%): 4.7%

Likelihood the attacker will breach your defenses: 99.18%


You can use this calculator to model as many scenarios as you like by changing the input variables. One hundred email users is extremely small for an enterprise or even most medium-sized organizations, so the real number is likely worse. You might also assume that your team is savvy and less likely to fall prey to phishing. Build your threat model scenarios and adjust the inputs to reflect your exposure.

The Breach-Prevention Battleground

Now that the attacker has landed, we can model the intruder's network actions as they discover the environment and start moving toward your valuables. To form our calculations for this scenario, we used the ten common intruder techniques from Table 1, applied as the intruder pivots toward their data theft objective.

Before we look at the math, let's address the obvious: what if you don't have the visibility to see these actions, or lack the analytics to recognize them as kill-chain steps? If you're totally dependent on leaky perimeter defenses, your per-action detection probability on the inside is zero, and so is the probability of catching the intruder before the exfiltration completes, no matter how many steps they take.

The Intruder's Dilemma

Alternatively, let's work out what internal detection coverage is needed to match or beat the 99.18% confidence the attacker had at the edge. To do this, we solve for the per-action detection probability d such that 1 − (1 − d)^10 reaches 99.18%, that is, the probability of catching the intruder before they complete all ten actions. The calculation shows we need only a 38.2% probability of detecting any one of the ten defined actions.

The Intruder's Dilemma Calculator

Rate your network post-compromise detection capabilities: (%) 38.2%

The number of tactics an attacker would perform to get your valuables: 10

Likelihood you will stop the intruder before they cause damage: 99.18%
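Both calculators above, and the coin-flip reasoning in "The Math Behind the Intruder's Dilemma," are the same formula applied from opposite sides. The following is an added worked example (my own code, not the post's interactive calculators or anything from ExtraHop) that reproduces the post's scenario and then goes a step beyond it: it inverts the formula to find the per-action detection rate needed to hit a target confidence, generalizes to a kill chain where each step has a different detection rate, and computes how many actions an intruder can take before the odds turn against them. The function names, the mixed-rate generalization, and the "actions until detected" budget are my additions; the inputs (100 users, 4.7% click rate, ten post-compromise actions) are the post's.

```python
"""Defender's-dilemma and intruder's-dilemma calculator.

Added example; not code from the original post or from ExtraHop's calculators.
Both dilemmas are instances of one formula: the probability that at least one
of n independent trials succeeds, each with probability p, is 1 - (1 - p)**n.
The scenario values (100 phished users, 4.7% click rate, 10 post-compromise
actions) are taken from the post; everything else here is an assumption.
"""
from math import ceil, log, prod
from typing import Iterable


def p_at_least_one(p: float, n: int) -> float:
    """P(at least one success in n independent trials, each with probability p)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if n < 0:
        raise ValueError("trial count must be non-negative")
    return 1.0 - (1.0 - p) ** n


def defender_dilemma(per_target_breach: float, targets: int) -> float:
    """Likelihood the attacker lands at least once across `targets` exposed users/assets."""
    return p_at_least_one(per_target_breach, targets)


def intruder_dilemma(per_action_detection: float, actions: int) -> float:
    """Likelihood the defender catches at least one of `actions` post-compromise steps."""
    return p_at_least_one(per_action_detection, actions)


def intruder_dilemma_mixed(detection_rates: Iterable[float]) -> float:
    """Generalization (my assumption, not from the post): each kill-chain step has
    its own detection rate, e.g. strong coverage of lateral movement but weak
    coverage of discovery.  P(detect at least one) = 1 - product(1 - d_i)."""
    rates = list(detection_rates)
    if any(not 0.0 <= d <= 1.0 for d in rates):
        raise ValueError("every detection rate must be between 0 and 1")
    return 1.0 - prod(1.0 - d for d in rates)


def required_detection_rate(target_confidence: float, actions: int) -> float:
    """Per-action detection probability d needed so that intruder_dilemma(d, actions)
    reaches target_confidence.  Inverts 1 - (1 - d)**n = c  =>  d = 1 - (1 - c)**(1/n)."""
    if not 0.0 <= target_confidence < 1.0:
        raise ValueError("target confidence must be in [0, 1)")
    if actions < 1:
        raise ValueError("need at least one action")
    return 1.0 - (1.0 - target_confidence) ** (1.0 / actions)


def actions_until_detected(per_action_detection: float, target_confidence: float) -> int:
    """Smallest number of intruder actions k after which the cumulative detection
    probability reaches target_confidence, i.e. the intruder's budget before the
    odds turn against them.  Solves 1 - (1 - d)**k >= c for integer k.
    A per-action rate of 0 (perimeter-only visibility) never reaches any target,
    so it is rejected rather than returning infinity."""
    if not 0.0 < per_action_detection <= 1.0:
        raise ValueError("per-action detection must be in (0, 1]; 0 means never detected")
    if not 0.0 <= target_confidence < 1.0:
        raise ValueError("target confidence must be in [0, 1)")
    if per_action_detection == 1.0:
        return 1
    return ceil(log(1.0 - target_confidence) / log(1.0 - per_action_detection))


if __name__ == "__main__":
    # The post's scenario: 100 phished users, 4.7% click rate, 10 post-compromise actions.
    users, click_rate, steps = 100, 0.047, 10
    landed = defender_dilemma(click_rate, users)
    needed = required_detection_rate(landed, steps)
    print(f"P(intrusion) with {users} users at {click_rate:.1%} click rate: {landed:.2%}")
    print(f"Per-action detection needed to match that over {steps} steps: {needed:.1%}")
    print(f"Perimeter-only visibility (0% inside): {intruder_dilemma(0.0, steps):.0%}")
    for d in (0.10, 0.20, needed, 0.50):
        print(f"  detect {d:.1%}/action -> caught within {steps} steps: "
              f"{intruder_dilemma(d, steps):.1%}; odds pass 99% after "
              f"{actions_until_detected(d, 0.99)} actions")
```

Two things the calculators on the page do not show fall out of this directly. First, `actions_until_detected` turns the detection rate into a step budget: at 38.2% per action the intruder is more likely caught than not after two steps and past 99% after ten, which is why a modest per-step rate is enough. Second, `intruder_dilemma_mixed` lets you rate each step honestly instead of averaging; coverage that is zero on discovery and credential access but high on lateral movement still compounds, but only across the steps you can actually see.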


Now it is your turn to build attack scenarios and interior detection probabilities in our interactive calculators. Once you understand where the odds are and aren't in your favor, you can take action to recreate the intruder's dilemma for your organization and win the war.

Stacking the Odds in Your Favor

Our security budgets should evolve with threats. The intruder's dilemma clearly illustrates why noisy, signature-only IDS is doomed to fail us with a singular focus on initial access. IDS needs a next-gen evolution to create the intruder's dilemma and to stop adversaries before they do real damage.

With the ability to detect lateral movement, next-gen IDS can make the odds work in your favor. Rob Joyce, then working at the NSA, perfectly summed up what network visibility represents to attackers.

"One of [an attacker's] worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior that's going on, and someone's paying attention to it."

What is the ExtraHop NG-IDS?

Reveal(x) NDR, an NG-IDS technology, monitors for malicious activity and policy violations across the whole attack kill chain. It does it with full-spectrum detection, powered by machine learning behavioral analysis, high-risk CVE exploit identification, and integrated threat intelligence.

Unlike a brittle, signature-based IDS, Reveal(x) also spots threats that move laterally and closes compliance gaps caused by cloud initiatives and encryption blind spots.

Just as important, Reveal(x) helps time-strapped analysts be more effective by integrating detection, investigation, response, and forensics workflows into a single tool.
