Rigidity of Expectations in Threat Analysis

or why, while the “cat is sleeping,” the “mice” are already feasting inside the system

In recent years, the world has become significantly more unstable, and the overall level of risk—both physical and digital—has noticeably increased. This is especially true for the field of cybersecurity: cyberspace provides an attacker with unique advantages—distance, anonymity, a low barrier to entry, and the ability to inflict significant damage with minimal resource expenditure, often completely evading legal responsibility.

Against this backdrop, a systemic problem is increasingly evident, one that is characteristic of both ordinary users and professionals alike: rigidity of expectations in threat analysis.

What rigidity of expectations is

The essence of the problem is simple and therefore especially dangerous. A person tends to expect that an attacker will act in clear, familiar, and visually obvious ways. In everyday imagination, it looks roughly like this: at night someone saws through a lock with a hacksaw, squeezes out a window, climbs inside—in short, behaves as loudly, crudely, and conspicuously as possible.

However, this very approach directly contradicts the logic of an experienced adversary’s actions—whether that adversary is a professional cybercriminal, an organized group, or a structure abusing its authority.

A rational attacker does not choose obvious and expected scenarios, because they are deprived of effectiveness in advance.

Why “standard” attacks are a sign of amateurism

Expecting template-based attacks works only against:

• amateurs,
• petty hooligans,
• impulsive and inadequate subjects,
• people acting emotionally and without strategy.

Against an experienced adversary, this approach does not work in principle.

A professional strives to:

• leave no obvious traces,
• act indirectly,
• use third parties,
• apply complex and non-standard schemes,
• avoid direct attacks that are easy to detect and document.

That is precisely why the most dangerous attacks often look like “nothing is happening”.

An analogy from the offline world (for clarity)

An experienced thief does not saw through a lock or squeeze out a window. He invites you to dinner. There, he treats you to food laced with a sleeping agent, while beforehand taking a substance that blocks its effect on himself, and demonstratively tasting the food, convincing you that it is safe.

When you fall asleep, he calmly takes your keys, wallet, credit cards—and leaves.

In the morning you wake up. Everything is in place. And it may take you quite a long time to realize that you have already become a victim of a crime.

In cybersecurity, this scenario occurs far more often than “broken windows.”

How this looks in infrastructure

A provider may be under an attacker’s control for years. At the same time, its system administrators may not even suspect the fact of compromise, expecting that a “real hack” must necessarily manifest itself through server crashes, service failures, and red warning lights.

They fail to take into account that modern attack tools are designed for:

• maximum stealth,
• minimal interference with system operation,
• disguise as background noise.

Anomalies are written off as:

• bots,
• spikes in user load,
• “hardware glitches,”
• software imperfections.

Meanwhile, the on-duty administrator is playing a computer game, and the attacker has long since bypassed the defenses and is methodically expanding control over users’ systems. Grotesque? Yes. Rare? Not at all.

The user as a “well-fed cat”

With users, the situation is even more illustrative. A classic tragicomedy:

• pirated Windows from dubious sources,
• a router without a password,
• passwords of the qwerty123456 variety (fortunately, modern services already try to protect users from them),
• a complete absence of a threat model.

And at the same time, a firm conviction:
“Nothing will happen to me. And if something does happen, I’ll notice it immediately and quickly block everything.”

In practice, such a user resembles a well-fed cat on whose body the mice are already carrying on their personal lives, while it enjoys a deep sleep.

What to do about it

The conclusion is extremely simple:

Avoid rigidity of thinking.
Do not expect attackers to act according to standard and familiar patterns.

There is a saying for a reason:

He who makes doors too strong often forgets to reinforce the walls.

And one more old threat-modeling formula:

Fear the goat from the front, the donkey from behind, and a vile person—from all sides.

Be prepared to:

• assume non-standard scenarios,
• take complex and combined attacks into account,
• analyze weak signals and indirect indicators of compromise.

The true sign of mature thinking

The ability to see and analyze non-standard, complex threats is a sign of genuinely flexible, creative, and analytical thinking. In cybersecurity, this is not an abstract virtue, but a practical condition for survival.

The key task is to create an environment in which an attacker simply cannot deploy activity. Wherever they try to act, they will encounter:

• preventive defense mechanisms,
• people who think non-standardly,
• the absence of “sleeping cats.”

This does not make a system absolutely invulnerable—but it significantly complicates the attacker’s life and noticeably simplifies the life of law-abiding users.

And in the world of cybersecurity, this is precisely what is considered a good result.