The Rise, Fall, and Rebirth of the Presumption of Compromise

The concept might make us sharp and realistic, but it's not enough on its own.

Oleg Brodt, R&D Director of Deutsche Telekom Innovation Labs, Israel, and Chief Innovation Officer for Cyber@Ben-Gurion University

June 23, 2022


The Rise of the Presumption of Compromise

In cybersecurity, we often say that "prevention is ideal, but detection is a must." But why do we say that? Shouldn't both prevention and detection be musts in a layered, defense-in-depth security approach? The saying is rooted in a realistic view of the world, in which we, as cyber-defense professionals, have come to accept that it is almost impossible to prevent determined attackers from breaking into connected systems. The choices are either total isolation (which, in some cases, can be circumvented) or accepting the risk that the system will be breached. This notion of failing prevention has become a linchpin of our modern defense strategy and is known as the "presumption of compromise." That is, assume that you have already been breached and focus on the never-ending detection and eradication of the malicious activity lurking in your systems.

Since prevention failed us, we turned to detection. To paraphrase Churchill: No one pretends that detection is perfect or all-wise. Indeed, it has been said that detection is the worst form of defense except for all those other forms that have been tried.

The Inevitable Fall of Presumption of Compromise

Nevertheless, the current form of the presumption of compromise, which focuses on rapid detection, is destined to fail because its contemporary version serves merely as a tactical tool rather than as a strategic framework. It tells you what not to rely on but doesn't tell you how to truly solve the problem. Instead of providing a solution, the presumption of compromise merely kicks the can down the road.

In a recent thought-provoking experiment, security researchers from Splunk set out to measure the encryption speed of modern ransomware families. They selected 10 ransomware families and measured the time each took to encrypt 100,000 files on a victim's system. The results were astonishing. It took 45 minutes on average: the slowest family (Babuk) encrypted the files within 3.5 hours, while the fastest (LockBit) did so in only 4 minutes.

Other recent research, which analyzed ransomware attacks, concluded that "the average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021."

An additional parameter to consider in this context is breakout time, which measures how long it takes an adversary to move from the initially compromised system to the next one. According to CrowdStrike, the average breakout time in 2021 was 1.5 hours; in 2018, it was almost 2 hours.

Unfortunately, these measurements provide a dismal forecast for the near future. The attackers are getting faster, and the ever-shrinking detection window is under constant pressure.
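To make the "shrinking window" concrete, the following model (an added example, not code from the article or from the Splunk or CrowdStrike research) turns the figures quoted above into a time budget: for a family with a known time to encrypt 100,000 files, how many files are already encrypted by the time an alert is triaged and the host is contained, and what is the longest time-to-detect that keeps losses under a chosen budget? The per-family encryption times and the 90-minute breakout time are the ones cited above; the detection and containment latencies fed into the functions are assumed inputs, and the model assumes encryption proceeds at a constant rate.

```python
"""Detection-window model for ransomware encryption speed (constructed example)."""

# Files per victim in the Splunk measurement cited in the article.
FILES_IN_EXPERIMENT = 100_000

# Minutes to encrypt all 100,000 files, as reported above. Only the families
# and figures quoted in the article are included; everything else is unknown.
ENCRYPTION_MINUTES = {
    "LockBit": 4.0,      # fastest family in the experiment
    "average": 45.0,     # mean across the 10 families
    "Babuk": 210.0,      # slowest family: 3.5 hours
}

# CrowdStrike's average breakout time for 2021, as quoted above (1.5 hours).
BREAKOUT_MINUTES = 90.0


def files_per_minute(family: str) -> float:
    """Constant-rate encryption throughput implied by the reported total time."""
    return FILES_IN_EXPERIMENT / ENCRYPTION_MINUTES[family]


def files_lost(family: str, detect_minutes: float, contain_minutes: float) -> int:
    """Files encrypted before containment completes, capped at the full file set.

    detect_minutes: time from first encryption to a triaged alert (assumed input)
    contain_minutes: time from alert to isolating the host (assumed input)
    """
    elapsed = detect_minutes + contain_minutes
    return min(FILES_IN_EXPERIMENT, int(files_per_minute(family) * elapsed))


def max_detection_latency(family: str, contain_minutes: float, loss_budget: float) -> float:
    """Longest time-to-detect (minutes) that keeps losses at or under loss_budget,
    a fraction of the file set. Returns 0.0 when containment alone blows the budget,
    i.e. no amount of detection speed saves the host and only recovery is left."""
    allowed_minutes = loss_budget * ENCRYPTION_MINUTES[family]
    return max(0.0, allowed_minutes - contain_minutes)


def contained_before_breakout(detect_minutes: float, contain_minutes: float) -> bool:
    """True if the host is isolated before the average attacker has moved laterally."""
    return detect_minutes + contain_minutes < BREAKOUT_MINUTES


if __name__ == "__main__":
    # A 3-minute triage and 2-minute containment SLA, an aggressive assumed target.
    for family in ENCRYPTION_MINUTES:
        lost = files_lost(family, detect_minutes=3, contain_minutes=2)
        budget = max_detection_latency(family, contain_minutes=2, loss_budget=0.10)
        print(f"{family:8s} lost={lost:6d} files; max time-to-detect for 10% loss = {budget:.1f} min")
    print("contained before breakout:", contained_before_breakout(60, 20))
```

The point the numbers make: at LockBit's rate (25,000 files per minute), even a five-minute detect-plus-contain cycle loses the entire file set, and no detection latency at all satisfies a 10% loss budget once containment takes two minutes, whereas the same cycle against Babuk loses under 3% of the files. Detection can still win the lateral-movement race measured by breakout time, but it can no longer win the encryption race on a single host, which is why the next sections argue for recoverability rather than faster detection alone.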

Automation Arms Race

To detect faster, defenders turn to automation, sometimes by using static signatures and detection rules and sometimes with the help of machine learning. Unfortunately, automation is not a monopoly of the good guys; attackers use it as well. Being able to inflict damage faster and with fewer human operators serves the attackers' business models well, so the incentive to automate attacks has never been stronger.

Once both sides — the attack and the defense — increasingly turn to automation, we end up in a spiraling automation arms race. The defenders have had a head start in this race, spending the last several years developing and deploying AI-based solutions. Nevertheless, it's frightening to think about the consequences of the mass adoption of such technologies by the attackers, which continues to narrow the detection window.

The Rebirth of the Presumption of Compromise

The inevitable shrinkage of the detection window forces us to rethink the foundation of our defense strategy. In the long term, detection alone no longer appears to be a viable strategy. Instead, I believe the focus of defense will shift to resilience: being able to recover quickly from an incident, with automation and ephemeral systems that can be torn down and rebuilt instantly playing a pivotal role.

Make no mistake: A presumption of compromise is a good idea after all. It keeps us sharp and realistic. Nonetheless, its current detection-oriented manifestation looks like a losing strategy over the long term. Instead, we should start focusing on resilient, self-recovering, and instantly rebuildable systems. Such recoverability supplies the missing brick of the solution: protection, detection, and resilience. Together, they have the power to form the holy trinity of a truly sustainable defense-in-depth strategy.

About the Author

Oleg Brodt

R&D Director of Deutsche Telekom Innovation Labs, Israel, and Chief Innovation Officer for Cyber@Ben-Gurion University

Oleg Brodt serves as the R&D Director of Deutsche Telekom Innovation Labs, Israel. He also serves as the Chief Innovation Officer for Cyber@Ben-Gurion University, an umbrella organization responsible for cybersecurity-related research at Ben Gurion University, Israel. Prior to joining DT Labs and Cyber@BGU, Oleg was an attorney specializing in technology and high tech and represented a broad spectrum of local and international clients.

Oleg is a veteran of an elite technological unit of the Israel Defense Forces, and he is an author of several cybersecurity patents and research papers. In addition to CISSP, CCNP, Linux LFCA, and other technological certifications, Oleg holds bachelor's and master's degrees in international business law as well as a degree in business and management from the Interdisciplinary Center, Herzliya, Israel. Oleg serves as a member of the Israeli National Committee on Artificial Intelligence, Ethics, and Law, and is a member of the Israel Bar High-Tech committee.
