Rigidity of Expectations in Threat Analysis

or why, while the "cat is sleeping," the "mice" are already feasting inside the system

Cartoon: a fat striped cat sleeps on a rug, while on its back three mice play jazz on double bass, saxophone and drums, other mice dance around
Rigidity of expectations in threat analysis. While the "cat" (user or administrator) sleeps soundly, confident that everything is under control, the "mice" (attackers) are already having a jazz party on his back.

In recent years, the world has become significantly more unstable, and the overall level of risk—both physical and digital—has noticeably increased. This is especially true for the field of cybersecurity: cyberspace provides an attacker with unique advantages—distance, anonymity, a low barrier to entry, and the ability to inflict significant damage with minimal resource expenditure, often completely evading legal responsibility.

Against this backdrop, a systemic problem is increasingly evident, one that is characteristic of both ordinary users and professionals alike: rigidity of expectations in threat analysis.

📋 TL;DR — Table of Contents
  • What this article is about: Analysis of rigidity of expectations — a systemic error where defenders assume attackers will act in obvious, template-based ways. In reality, experienced adversaries operate stealthily, indirectly, and unconventionally — so the most dangerous attacks look like "nothing is happening."

What rigidity of expectations is

The essence of the problem is simple and therefore especially dangerous. A person tends to expect that an attacker will act in clear, familiar, and visually obvious ways. In everyday imagination, it looks roughly like this: at night someone saws through a lock with a hacksaw, squeezes out a window, climbs inside—in short, behaves as loudly, crudely, and conspicuously as possible.

However, this very approach directly contradicts the logic of an experienced adversary's actions—whether that adversary is a professional cybercriminal, an organized group, or a structure abusing its authority.

A rational attacker does not choose obvious and expected scenarios, because they are deprived of effectiveness in advance.

↑ Back to top

📋 TL;DR — What rigidity of expectations is
  • Core problem: Expecting that an attacker will act loudly, crudely, and conspicuously. An experienced adversary, by contrast, chooses stealthy, indirect, and unconventional scenarios, because obvious attacks are ineffective by design.

Why "standard" attacks are a sign of amateurism

Expecting template-based attacks works only against:

  • amateurs,
  • petty hooligans,
  • impulsive and inadequate subjects,
  • people acting emotionally and without strategy.

Against an experienced adversary, this approach does not work in principle.

A professional strives to:

  • leave no obvious traces,
  • act indirectly,
  • use third parties,
  • apply complex and non-standard schemes,
  • avoid direct attacks that are easy to detect and document.

That is precisely why the most dangerous attacks often look like "nothing is happening".

↑ Back to top

📋 TL;DR — Why standard attacks are a sign of amateurism
  • Key insight: Template-based attacks only work against amateurs. Professionals act stealthily, indirectly, and with sophistication. The most dangerous attacks look like "nothing is happening."

An analogy from the offline world (for clarity)

An experienced thief does not saw through a lock or squeeze out a window. He invites you to dinner. There, he treats you to food laced with a sleeping agent, while beforehand taking a substance that blocks its effect on himself, and demonstratively tasting the food, convincing you that it is safe.

When you fall asleep, he calmly takes your keys, wallet, credit cards—and leaves.

In the morning you wake up. Everything is in place. And it may take you quite a long time to realize that you have already become a victim of a crime.

In cybersecurity, this scenario occurs far more often than "broken windows."

↑ Back to top

📋 TL;DR — Offline analogy
  • Illustrative example: An experienced thief doesn't pick locks — he drugs his victim at dinner and takes valuables while they sleep. In cybersecurity, this stealthy approach is far more common than "broken windows."

How this looks in infrastructure

A provider may be under an attacker's control for years. At the same time, its system administrators may not even suspect the fact of compromise, expecting that a "real hack" must necessarily manifest itself through server crashes, service failures, and red warning lights.

They fail to take into account that modern attack tools are designed for:

  • maximum stealth,
  • minimal interference with system operation,
  • disguise as background noise.

Anomalies are written off as:

  • bots,
  • spikes in user load,
  • "hardware glitches,"
  • software imperfections.

Meanwhile, the on-duty administrator is playing a computer game, and the attacker has long since bypassed the defenses and is methodically expanding control over users' systems. Grotesque? Yes. Rare? Not at all.

↑ Back to top

📋 TL;DR — How this looks in infrastructure
  • Real scenario: A provider can be compromised for years without administrators noticing, as they expect a "loud" hack. Anomalies are dismissed as bots, load spikes, or glitches, while the attacker steadily expands control.

The user as a "well-fed cat"

With users, the situation is even more illustrative. A classic tragicomedy:

  • pirated Windows from dubious sources,
  • a router without a password,
  • passwords of the qwerty123456 variety (fortunately, modern services already try to protect users from them),
  • a complete absence of a threat model.

And at the same time, a firm conviction:
"Nothing will happen to me. And if something does happen, I'll notice it immediately and quickly block everything."

In practice, such a user resembles a well-fed cat on whose body the mice are already carrying on their personal lives, while it enjoys a deep sleep.

↑ Back to top

📋 TL;DR — The user as a well-fed cat
  • Tragicomedy: Pirated OS, router without password, weak passwords, no threat model — and firm belief that "this won't happen to me." Such a user is a sleeping cat with mice already partying on their back.

What to do about it

The conclusion is extremely simple:

Avoid rigidity of thinking.
Do not expect attackers to act according to standard and familiar patterns.

There is a saying for a reason:

He who makes doors too strong often forgets to reinforce the walls.

And one more old threat-modeling formula:

Fear the goat from the front, the donkey from behind, and a vile person—from all sides.

Be prepared to:

  • assume non-standard scenarios,
  • take complex and combined attacks into account,
  • analyze weak signals and indirect indicators of compromise.

↑ Back to top

📋 TL;DR — What to do
  • Solution: Avoid rigidity of thinking. Assume non-standard scenarios, account for complex attacks, analyze weak signals and indirect indicators of compromise.

The true sign of mature thinking

The ability to see and analyze non-standard, complex threats is a sign of genuinely flexible, creative, and analytical thinking. In cybersecurity, this is not an abstract virtue, but a practical condition for survival.

The key task is to create an environment in which an attacker simply cannot deploy activity. Wherever they try to act, they will encounter:

  • preventive defense mechanisms,
  • people who think non-standardly,
  • the absence of "sleeping cats."

This does not make a system absolutely invulnerable—but it significantly complicates the attacker's life and noticeably simplifies the life of law-abiding users.

And in the world of cybersecurity, this is precisely what is considered a good result.

Even among advanced IT professionals, one can often encounter the belief that blocking all incoming ports makes a system invulnerable. This is a classic example of rigidity of expectations: the defender extrapolates a particular case (a closed port = no attack vector) to the entire threat model, ignoring other penetration vectors.

As practice shows — described in the article "System Hardening Chronicles" — such a strategy does not guarantee security when facing a serious, experienced adversary. An attacker with sufficient resources and time is not limited to network vectors — they will attack the user session, the application layer, and the user interface.

Proper system hardening should be built as a multi-layered, defence-in-depth architecture, where each layer, where possible, contains several complementary and synchronized mechanisms:

  • Network perimeter: a firewall, including hardware-based, on a router or dedicated appliance.
  • Host-based protection: MAC systems (AppArmor, SELinux), intrusion detection systems (AIDS/HIDS), process isolation (Sandbox, containerization).
  • Detection and deception: Honeypot traps for early detection of attacker activity.
  • Cryptographic protection: full-disk encryption, communication channel encryption, hardware tokens (HSM, TPM, smart cards) for two-factor authentication and key storage.
  • Monitoring and auditing: centralized logging, event correlation, behavioral analysis.

Attacks on the user session are particularly dangerous. In this scenario, the attacker gains visibility into the victim's desktop activity or, at a minimum, their browser window activity — including keystrokes, navigation, form contents, and correspondence.

The key problem is that the victim may be confident in their security because all incoming ports are closed and the browser encrypts traffic via HTTPS. However, the user session attack occurs before the data is encrypted by the browser and sent over the network. The interception happens at the input, rendering, or DOM manipulation level, rendering classical network defense useless.

In other words, you may suspect traffic interception and take measures to protect against it, unaware that the entire user session — or at least the browser interface — has been compromised. This is a classic example of how rigidity of expectations — focusing on a single threat vector at the expense of others — can lead to a false sense of security and serious consequences.

Designer Malware

If previously creating designer malware — worms individually tailored to attack a specific user — was an extremely labor-intensive procedure for hackers, now intelligence-analytical AIs without ethical constraints have come to their aid. They allow hackers to accelerate and simplify the creation of unique attack tools that are highly effective against a specific system. As a result, the use of such attack tools is no longer a rare, unique phenomenon and is becoming increasingly common.

A situation arises where a user expects to encounter mass-produced, generic threats but instead faces a unique program crafted specifically for their system. They apply standard antivirus solutions and signature-based protection methods, spend considerable time on this, and then wonder why these measures failed to help.

As of now (June 2026), any user who faces serious cyber threats or is a potential target of an attack (holds a responsible position, works with sensitive information) should consider the risk of designer malware being deployed against them and build their defense configuration accordingly.

Conclusion: security should not be built around a single "magic" solution. Only a combined, multi-layered approach with continuous reassessment of the threat model can effectively counter a targeted adversary.

↑ Back to top

📋 TL;DR — The true sign of mature thinking
  • Key takeaway: The ability to see non-standard threats is a sign of mature thinking. Multi-layered defence-in-depth with continuous threat model reassessment is the only way to counter a targeted adversary. Rigidity of expectations — like believing closed ports = full protection — creates a false sense of security.