For IR scholars writing on offense/defense balance, SolarWinds has major points:
1) One good/great team hacked one company and gained access to thousands of others including *extremely* hard targets. If you measure o/d by dollars or resources spent, take notice...
2) Computer science literature exhaustively discusses at least 12 reasons why attackers have the advantage. E.g., this classic paper on monocultures: https://cryptome.org/cyberinsecurity.htm
Be sure to cite this literature & not just IR journals
3) It is possible (want to workshop this) that current Internet dynamics create overall conditions of attacker advantage, but that this plays out differently in specific engagements. This condition can change over time.
This might reconcile the two views...
4) Consider the lived experience of cyber practitioners. Yes, as IR scholars the idea is that your tools give you deeper insights. But find ways to listen to that experience (which is generally one of getting pwned year after year for decades) & include it
In short, regardless of which side of O/D balance you come down on, there's a lot to learn from SolarWinds & other massive Internet vulnerabilities and incidents