#1743279: Is the "Attackers Only Need to Be Right Once" a Misnomer?

Description: One of the first phrases we learn in cybersecurity is "The good guys have to be right all the time, but the bad guys only have to be right once." But has that moved from truism to outdated cliché?

Asymmetric accounting
The saying isn't really about how attacks unfold. It's about how success and failure get measured. Rick Carville, CISO at Great Canadian Entertainment, acknowledged that real-world attacks typically involve multiple steps and that a well-secured system won't usually fall to a single flaw. But the familiar phrase, he said, "is more about the burden of defense than how attacks unfold." His proposed update: "Attackers need persistence, but defenders need resilience." Matthew Rosenquist of Cybersecurity Insights articulated the underlying imbalance. "Attackers only need to succeed once to be characterized as triumphant," he said, "while the expectations for defenders are they must not fail even once, in overall efforts to deny the attackers a win, to be viewed as successful." The asymmetry is baked in by default.

Sometimes it really is that easy
The argument that attackers need to chain multiple vulnerabilities just doesn't reflect reality. Jan van Dijke of SonicBee has seen organizations compromised with a single open RDP port, a single leaked set of admin credentials, and a single employee falling for CEO fraud. "You make it sound like CVEs are the only way hackers get in, which is clearly not the case," he said. Sedric Louissaint of CLA (CliftonLarsonAllen) described taking over an organization's Active Directory because the domain admin was using a password like "Password123!". "Sometimes it is that easy," he said. As a red teamer, he more commonly chains vulnerabilities together: misconfigurations, known vulnerabilities, occasionally a new zero day. But the single-point-failure scenario is real enough to keep the saying honest.

The spirit of the saying
Dismissing the phrase entirely misses what it was trying to say. Drew Simonis, CISO-in-residence at Insight Partners, acknowledged it is no longer literally true but argued that "the spirit of the comment, that attackers have some advantage due to the complexity of technology systems, remains figuratively true for many." Defenders can use that same complexity to build their own advantage, he said, but most don't. "Instead of creating a minefield, most defenders are focused on creating a tidy display case of goodies." Brian Z. of U.S. Cyber Command argued the saying is being taken out of context. "The hacker has nothing to lose except failing at getting in; they can try as often as possible," he said. The defender has one infrastructure to protect and can't make sustained mistakes.

The cheapest way in
Technical defenses can be bypassed entirely by going around them. "Even with strong infrastructure, attackers often bypass technical defenses by exploiting people — through phishing, deepfakes, or insider threats," said Satish Govindappa of Indrasol. Multiple technical failures may be required to breach a well-built system, he said, but "sometimes just one well-placed manipulation can open the door." Noam Zolberg of Cubic drew the economic contrast sharply. Breaching layered technical security requires a talented, experienced attacker with considerable investment in time and tools. "Hacking user minds and cognition," he said, "is by far less expensive and requires a lesser skill set. That's why the biggest attack surface is us, humans and our ill-equipped minds and poor habits."
More info: https://www.linkedin.com/pulse/attackers-only-need-right-once-misnomer-cisoseries-yvifc/

Date added: June 25, 2026, 11:25 p.m.
Source: LinkedIn
Subjects
  • PodCasts / Webcast / Webinar / eSummit / Virtual Event etc.
  • Security Management/Strategic Security/ROI/ROSI - CISO and Higher Level