Jarkko Kinnunen
Talk Title: Blue Team Needs to Succeed Every Time — and Other Lies We Tell Ourselves
Abstract
This talk debunks a myth about the dynamics of cyber defense and attack. In the realm of cybersecurity, one pervasive myth that often surfaces is the belief that defenders, commonly referred to as the "blue team", must succeed every time, while attackers need only succeed once. This notion, though widely accepted, is fundamentally flawed and oversimplifies the dynamic nature of cyber defense and offense.
The Reality of Cyber Attacks: Contrary to popular belief, attackers rarely accomplish their objectives with a single exploit. Instead, they must complete a series of steps: initial access, persistence, privilege escalation, lateral movement, and data exfiltration. Each of these stages presents challenges that must be overcome in sequence, meaning attackers must succeed multiple times, not just once.
The MITRE ATT&CK framework helps illustrate this layered process, providing defenders with multiple points at which to disrupt an attacker's progress. For example, a phishing attack may provide initial access, but the attacker must still escalate privileges and avoid detection across various systems to succeed.
Practical Examples and Breach Data:
- Target Breach (2013): Attackers gained access through a third-party vendor, installed point-of-sale malware, and exfiltrated payment data, each stage a unique challenge.
- SolarWinds Attack: A highly coordinated supply chain attack that required persistence, evasion, lateral movement, and eventual data theft across many compromised environments.
Strategies for Blue Team Success: Understanding that attackers must succeed repeatedly empowers blue teams to focus on layered defense strategies. Rather than striving for perfection, defenders can disrupt attackers' progress at multiple stages through defense-in-depth, continuous monitoring, and rapid incident response.
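The argument in "The Reality of Cyber Attacks" and the layered-defense point above can be made quantitative: if the attacker must pass every stage of the chain and the defender gets an independent chance to detect at each one, per-stage detection compounds against the attacker. The following is an added illustration written for this page, not code from the talk or from the MITRE ATT&CK project; the five stage names follow the abstract, the per-stage detection probabilities and the telemetry events are constructed sample values, and independence between stages is an assumption stated in the code.

```python
"""Why "attackers only need to succeed once" is wrong in numbers.

The attacker must clear every stage of the chain; the defender needs to
catch them at any one of them. With independent per-stage detection
probabilities, the attacker's end-to-end success is the product of the
per-stage miss probabilities, so modest detection at each layer compounds.
Stage names follow the abstract; all numbers below are constructed examples.
"""
from dataclasses import dataclass
from typing import List, Optional

# The chain as described in the abstract (constructed ordering, not an ATT&CK export).
STAGES = [
    "initial-access",
    "persistence",
    "privilege-escalation",
    "lateral-movement",
    "exfiltration",
]


def attacker_success_probability(detect: List[float]) -> float:
    """Probability the attacker completes every stage undetected.

    `detect[i]` is the probability the defender detects stage i.
    Assumption: stages are independent, so misses multiply.
    """
    p = 1.0
    for d in detect:
        if not 0.0 <= d <= 1.0:
            raise ValueError(f"detection probability out of range: {d}")
        p *= 1.0 - d
    return p


def defender_success_probability(detect: List[float]) -> float:
    """Probability the defender catches the attacker at some stage."""
    return 1.0 - attacker_success_probability(detect)


def required_per_stage_detection(n_stages: int, max_attacker_success: float) -> float:
    """Uniform per-stage detection rate needed so the attacker's end-to-end
    success probability is at most `max_attacker_success` over `n_stages`.

    Solves (1 - d)^n <= target for d.
    """
    if n_stages <= 0 or not 0.0 < max_attacker_success <= 1.0:
        raise ValueError("invalid inputs")
    return 1.0 - max_attacker_success ** (1.0 / n_stages)


@dataclass
class StageEvent:
    """One step of an intrusion as seen in telemetry (constructed)."""
    stage: str
    description: str
    detected: bool


def first_disruption(events: List[StageEvent]) -> Optional[str]:
    """Return the first stage where a detection fired, i.e. where the chain
    was broken; None means the attacker ran the whole chain undetected."""
    for ev in events:
        if ev.stage not in STAGES:
            raise ValueError(f"unknown stage: {ev.stage}")
        if ev.detected:
            return ev.stage
    return None


# Constructed walkthrough mirroring the phishing example in the abstract:
# the lure gets through, but the persistence mechanism trips an alert.
SAMPLE_INTRUSION = [
    StageEvent("initial-access", "phishing attachment opened", detected=False),
    StageEvent("persistence", "new scheduled task created by Office process", detected=True),
    StageEvent("privilege-escalation", "credential dumping attempt", detected=True),
    StageEvent("lateral-movement", "remote service creation on file server", detected=False),
    StageEvent("exfiltration", "large outbound transfer to unknown host", detected=True),
]


if __name__ == "__main__":
    uniform = [0.3] * len(STAGES)  # a merely "okay" 30% catch rate at every layer
    print(f"attacker end-to-end success: {attacker_success_probability(uniform):.3f}")
    print(f"defender catches them somewhere: {defender_success_probability(uniform):.3f}")
    print(f"per-stage rate for <=5% attacker success over {len(STAGES)} stages: "
          f"{required_per_stage_detection(len(STAGES), 0.05):.3f}")
    print(f"sample intrusion broken at stage: {first_disruption(SAMPLE_INTRUSION)}")
```

With a 30% catch rate at each of five stages, the defender still stops the intrusion about 83% of the time, which is the abstract's point: no single layer needs to be perfect, because the attacker has to get past all of them.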
In conclusion, the idea that defenders must always win and attackers only once is a myth. With well-structured defenses and strategic planning, the blue team has numerous opportunities to stop an attacker before damage is done.
Bio
Jarkko Kinnunen is a Technical Security Architect at Microsoft and Co-Founder at KuoSec. A passionate advocate for the Blue Team, he specializes in developing continuous security services and SOC operations.
During the day, he advises companies and partners on designing and implementing solutions that utilize Microsoft security technology. After working hours, he loves helping the community to do stuff…