Mellow Root

Make attacking not worth the effort

Crime opportunity theory suggests that offenders make rational choices and thus choose targets that offer a high reward with little effort and risk.1

If I can make an attack require more effort than the value an attacker could get from it, I have essentially won the battle against potential attackers. While 100% security is not attainable, my goal is to make my systems not worth attacking in the first place.

A useful mental model for risks is considering the potential efforts and rewards for attackers. Like most mental models, it's useful but not perfect.

Efforts of attacking

I don't want to be an easy target; "opportunity makes the thief", as the saying goes. I want to be as much of a pain in the ass as possible for potential attackers. If attacking me is taxing enough, attackers will lose interest and move on to something else. Some factors that may impact the level of effort needed to execute an attack:

  • Skills and knowledge
    • Attacks that require specialized knowledge limit who can execute them, which means they're less likely to happen. Using a zero-day is rarer than using a public exploit because finding new, unique vulnerabilities is harder. By, for example, keeping systems up to date, you may raise the bar higher than a script kiddie can reach.
    • If an attack can be carried out by anyone, it is likely to be relatively effortless. Scams that target older individuals, for example, are popular because they require almost no skills, only a lack of morals, to execute.
  • Physical presence
    • By requiring physical access to a target you limit the pool of potential attackers, which means it's less likely to happen. Pickpocketing a Yubikey or breaking into a house to steal an unencrypted hard drive are both attacks that take a lot of effort, risk, and skill.
  • Time and scalability
    • Spending a lot of time on an attack is tedious. For example, understanding obfuscated code takes longer than understanding non-obfuscated code, and it’s surely more frustrating. If an attack takes too long, an attacker will likely get bored and choose a different target.
    • Some attacks can be carried out against a large number of targets, which means they’re relatively low effort. For example, attempting to guess weak SSH passwords on all machines on the internet with port 22 open is scalable, as is sending a single HTTP request exploit to all machines with ports 80 or 443 open.

I don’t want to be the low-hanging fruit. By, for example, keeping systems up to date, using 2FA and good, unique passwords, and generally trying to make attacking me tedious and expensive however I can, I hope to not be an easy target.

Risks of attacking

An attacker wants to minimize their risk, and while cyber attacks are much less risky than other types of attacks, there are still some scenarios that are more or less risky. Usually though, they’re out of our control. Attacking governments and infrastructure is riskier since it might mean you get a nation-state after you, but unfortunately you can’t just decide to be a government and get that benefit.

I don’t worry too much about attacks that require physical access. If possible, I use physical devices or presence as a tool to make things riskier to attack. People aren’t likely to cut off my thumb to unlock my phone, and they’re also unlikely to steal my Yubikey to get access to my email.

Lowering the reward

To make my systems less attractive targets for attackers, I try to lower the potential rewards of an attack. Here are a few ways to do this:

  • Don't store more data than needed
    • The VPN provider Mullvad is excellent at this. They store no email, password, or other user information, and they accept Monero or even an anonymous envelope with cash for payment. All a user has is an ID. There is nothing there to steal.
  • Minimal user access
    • Each user and service should have as little access as possible. If a person in HR is compromised the attacker shouldn't get access to any code, since there is usually no reason for people in HR to have access to that. This is called the Principle of least privilege.2
  • Limit the blast radius3 with microservices
    • If systems are split up into minimal parts, compromising one service should cause minimum damage. A big monolith that handles all functions of a service means it's enough to hack that one system. If I instead have minimal lambdas, the damage is isolated to only what that lambda can access.
  • Don’t piss people off
    • Just like in the physical world, the best way to defend oneself is to not get in a fight in the first place. I try to not make people feel justified attacking me, as that could make humiliating me a reward.
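To make the least-privilege and blast-radius points above concrete, here is an added example (not from the original post) that models two constructed deployments and computes what an attacker reaches from a single compromised component; the component and resource names are made up.

```python
from collections import deque

# Constructed deployments (not from the original post). Each component maps to
# the resources it holds credentials for and the components it may invoke.
MONOLITH = {
    "webapp": {"orders-db", "users-db", "payments-api", "source-repo"},
}
MICROSERVICES = {
    "storefront": {"catalog-db", "checkout"},   # may only invoke checkout
    "checkout":   {"orders-db", "payments-api"},
    "hr-portal":  {"hr-db"},                     # HR never sees code
    "ci-runner":  {"source-repo"},
}


def blast_radius(deployment, compromised):
    """Resources an attacker reaches from one compromised component.

    Grants are followed transitively: if a component can invoke another,
    the attacker inherits that component's grants as well.
    """
    seen, reached = set(), set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        for target in deployment.get(node, set()):
            if target in deployment:      # another component: keep walking
                queue.append(target)
            else:                         # a data store / API: counts as lost
                reached.add(target)
    return reached


def all_resources(deployment):
    """Every data store / external API any component can reach."""
    return {t for grants in deployment.values() for t in grants
            if t not in deployment}


def exposure(deployment, compromised):
    """Fraction of all resources lost from a single foothold (0.0 to 1.0)."""
    return len(blast_radius(deployment, compromised)) / len(all_resources(deployment))


for name, dep in (("monolith", MONOLITH), ("microservices", MICROSERVICES)):
    for comp in dep:
        print(f"{name:13} {comp:10} -> {exposure(dep, comp):.2f} {sorted(blast_radius(dep, comp))}")
```

Note that the storefront still reaches the orders database through the checkout service it may invoke, which is why invocation rights need the same scrutiny as direct data access.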

Of course, an attacker needs to know about these things so they understand that the reward is limited. This is why you see signs saying "We're a cash-free store", "Cashiers can't open the safe", "Registers are emptied every evening", and similar in some stores.

Conclusion

Making an attack more expensive (in terms of effort) than the reward is a way to protect your systems from potential attackers. By understanding what makes an attack demanding, avoiding factors that make it effortless, and limiting the value an attacker sees, you can help make your systems less attractive targets for attackers.

  1. Crime Opportunity Theory - Wikipedia

  2. Principle of Least Privilege - Wikipedia

  3. Blast Radius - Wikipedia

#security #risk #mental-model