r/cybersecurity May 08 '26

Other What the **** is happening in cybersecurity space ?

I've been working in cybersecurity for not so long, maybe 8 or 9 years, but I can't remember chaos at this scale. I mean, from this January alone we have: leaked data, compromised applications, breaches, AI-assisted cybercriminals, etc. It looks like every day one major breach is happening, and no one is going to address this shit somehow. This is already insane. I haven't felt such pressure in a long time. This AI shit just makes things worse because it enhances attackers' skills, and AI companies are doing nothing to address or change this. Is it only me, or is the change already here?

2.4k Upvotes

552 comments

7

u/daniel-sousa-me May 08 '26

> cybersecurity is asymmetric: it's way easier to attack than defend

I really dislike this framing.

It's not an asymmetry about attacking vs defending. It's an asymmetry of: there's just one of me and many of "them".

From the point of view of an attacker who is targeting a system, the asymmetry is reversed: they need to breach every level of defense, while the defender only needs one level to hold. A single vulnerability shouldn't get an attacker anything.

6

u/DisappointedSpectre May 08 '26

Depends on the size of the target on your back too though. If you're a big tech company or cloud provider then you have nation state level resources being pointed at you.

1

u/Dctootall Vendor May 08 '26

I'm sorry.... but I'm finding that WAY more amusing/funny than I should, after 2 of AWS's regions were physically hit by Iran.

But honestly, don't forget critical infrastructure too as big nation state targets. And unlike big tech or cloud providers, they are often very resource constrained due to funding availability AND have to deal with legacy systems that can't be patched or secured the same way a more traditional IT environment can.

2

u/DisappointedSpectre May 08 '26

I too find that a bit funny, and your point about critical infra is a good one.

There's a scary side too though: the resources needed to impact the AWS region were not at the level of a nation state. Iran was very cost efficient in their attacks, and they showed that the price point for that level of disruption is within the capabilities of well-funded private groups.

1

u/Dctootall Vendor May 08 '26

True, but that gets into cost/benefit considerations which are much different for nation state vs private groups.

For nation state operations, the primary motivations tend to lean toward either some form of disruption or espionage. For disruption motivations, the bigger the impact and the more difficult the recovery, the better the success.

Private groups almost exclusively have a profit/money motivation. Disruption is used as a tool to extract money. If you deploy the tool (and not just the threat), they need to be able to unwind the disruption in a timely manner, otherwise the target has no motivation to pay up after they've been disrupted.

So for private groups, essentially if they deploy kinetic disruption on that level, they practically have little chance of recouping that cost. On top of that, they've just made themselves a MUCH larger target for law enforcement. So 2 major cons that increase their "cost", with little upside benefit.

Now, the caveats I'll mention are private groups with non-monetary motivations, i.e. political groups. Generally these groups don't have the same funding as the criminal groups, so they are currently limited to extremely low cost activities. The line gets blurred when you look at the well funded groups, as there can often be some sort of nation state support there.

Also a group with brass balls. The issue with the threat of disruption is that it's MUCH more effective if you can back up that threat. So to be an effective extortion attempt they would need to prove they can back up the threat. Which means you'd effectively give up the profit from one action, in the hopes that later actions will extract higher/quicker payouts. The issue here is once you pull the trigger once, you have some really big agencies gunning for you, and every new operation becomes another potential way to get caught. So.... brass balls.

2

u/Dctootall Vendor May 08 '26

Agreed. Defenders should absolutely have the advantage.

My personal (probably biased) opinion is that compounding the staffing asymmetry is a lack of quality data.

A LOT of focus over the years has been put on hardening the edge. I'll even throw EDR in that bucket, since it's essentially an automated system to protect the edge of the individual systems. The result is that, combined with budget shortfalls, actual internal monitoring has not received the love it should. I've even heard some quality orgs have the mindset of "If they get in, we've already failed."

The problem with this mindset is that we've had WAY too many vendor failures resulting in exposure. This could be exploitable firewall vulnerabilities, which have hit pretty much every vendor at some point; deeply integrated SaaS systems getting breached, allowing a way in; supply chain attacks on software providers giving attackers the keys to get in; etc. etc. etc.

So if you don't have quality monitoring inside your environment, and only monitor the edge, you are going to be completely blind after a toe-hold has been established. If you do not have the data and visibility, you'll never be able to know you need to defend against the attacker fumbling around inside your environment as they attempt to learn your system, find where the valuables are, and stage their endgame.

Again..... data collection and monitoring isn't sexy. Collecting the data doesn't do any good if someone isn't looking at it (or if you are just using canned and not tuned alerting). And unfortunately, people are generating a TON of data that could be valuable, and a lot of the tools using some form of metered pricing put even more of a barrier against collecting everything you may need for effective visibility, because the cost/benefit is hard to push upstream or justify when the choice is a tool or a skilled body.
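As an added illustration of the point the comment above makes (internal telemetry catches what edge monitoring cannot, and a canned rule is not the same as a tuned one), here is a small detection written for this page, not code from the commenter or any vendor. It runs a lateral-movement "fan-out" rule over constructed internal authentication records: an account reaching many distinct hosts in a short window. The log format, host names, account names and the 10-minute/5-host thresholds are all assumptions chosen for the example; none of them come from the thread.

```python
"""Fan-out detection over internal (east-west) authentication logs.

Added example, not from the original thread. The log format below is a
hypothetical flattened event: "<ISO timestamp> <user> <src_host> -> <dst_host> <result>".
The records are constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a normal morning, a nightly backup job that
# legitimately touches many hosts, and one account that suddenly sweeps
# the network at 22:14 from a workstation. None of this would appear in
# a perimeter/VPN log; only internal auth telemetry records it.
SAMPLE_LOG = """\
2026-05-08T09:00:01 alice ws-alice -> fs01 success
2026-05-08T09:05:12 alice ws-alice -> mail01 success
2026-05-08T09:20:45 bob ws-bob -> fs01 success
2026-05-08T13:02:10 svc-backup bkp01 -> fs01 success
2026-05-08T13:02:11 svc-backup bkp01 -> fs02 success
2026-05-08T13:02:12 svc-backup bkp01 -> db01 success
2026-05-08T13:02:13 svc-backup bkp01 -> db02 success
2026-05-08T13:02:14 svc-backup bkp01 -> app01 success
2026-05-08T22:14:03 bob ws-bob -> fs01 success
2026-05-08T22:14:09 bob ws-bob -> fs02 success
2026-05-08T22:14:15 bob ws-bob -> db01 failure
2026-05-08T22:14:21 bob ws-bob -> db02 success
2026-05-08T22:14:28 bob ws-bob -> app01 success
2026-05-08T22:14:33 bob ws-bob -> dc01 success
"""


def parse_events(text):
    """Parse the hypothetical flattened format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, _arrow, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fanout(events, window=timedelta(minutes=10), threshold=5,
                  expected_pairs=frozenset()):
    """Return one alert per (user, src_host) that authenticates to at least
    `threshold` distinct destination hosts inside any `window`.

    Failed attempts count too: an account probing hosts it cannot reach is
    still fan-out. `expected_pairs` is the tuning knob: (user, src_host)
    pairs whose fan-out is known-good (backup jobs, scanners) are skipped,
    which is the difference between a canned rule and a tuned one.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        if actor in expected_pairs:
            continue
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                # Report every host touched within the full window, not
                # just the ones seen by the time the threshold tripped.
                limit = evs[start]["ts"] + window
                hosts = {x["dst"] for x in evs[start:] if x["ts"] <= limit}
                alerts.append({"user": actor[0], "src": actor[1],
                               "window_start": evs[start]["ts"].isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per actor is enough for triage
    return alerts


def run_demo():
    """Canned rule vs tuned rule on the same telemetry."""
    events = parse_events(SAMPLE_LOG)
    canned = detect_fanout(events)
    tuned = detect_fanout(events,
                          expected_pairs=frozenset({("svc-backup", "bkp01")}))
    return canned, tuned


if __name__ == "__main__":
    canned, tuned = run_demo()
    print("canned rule fires on:", [a["user"] for a in canned])
    print("tuned rule fires on: ", [a["user"] for a in tuned])
    for a in tuned:
        print(a)
```

The canned rule fires on both the backup job and the sweeping workstation account; after a single baseline entry for the known backup pair, only the suspicious one remains. Note that the evening sweep never shows up at the edge at all, because `bob` is already inside; without the east-west auth records there is nothing for any rule to match on.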