March 24, 2023 by Gabriel Bassett
Attack innovators and the diffusion of innovation
Over the last few years, there has been a lot of interest in the exploitability of vulnerabilities. It’s not so much a recommendation on what to patch as on what doesn’t need to be patched.
However, vulnerabilities aren’t really exploited all at once by all attackers. I think it’s helpful to think about this in terms of diffusion of innovation.
I suspect the same applies to exploiting vulnerabilities. I suspect that exploitation of vulnerabilities and other innovations in cyber attack spread like complex contagions.
This actually has an upside for defense. If the goal is to protect a population, we may not need to predict what the next big thing will be (a certainly daunting task, though applying technical forecasting to attackers is a real possibility - https://www.sciencedirect.com/science/article/abs/pii/S0040162597000504). Instead, it may be enough to detect the spread of innovation at its early stages and prepare defenses. While the attack innovators and early adopters likely will succeed, in a defended population (ISAC, Insurance, SaaS provider, Government, etc.), it may be possible to protect the early majority, late majority, and laggards.
It’s a different mindset for defense. Because most defense happens at the individual rather than population level, we tend not to think of an acceptable level of loss, but in this instance, a little graph theory and computational sociology will go a long way to helping maximize our ability to defend the organizations we are charged with protecting.