In 1894, William C. Hooker was awarded a patent for a spring-loaded mouse trap that killed the mouse on contact. While some may argue it is more humane to trap and release a mouse than to make a literal mess of the rodent, the goal is the same: to keep the mouse out of the house. What differs is the action taken to achieve that goal. This is a crude analogy for cybersecurity, but it works: you have to consider the appropriate action to keep a threat actor out of your environment. Should you terminate them or practice catch and release? Both have merits, and both have serious concerns that we will cover in this article.
Let's say a threat actor (the mouse) is entering your environment. The first goal, in every scenario, is to detect that they are there. This is analogous to the mouse touching the spring on your mousetrap and your resulting action. The next goal is to ensure they are fully within the scope of your mitigation, whether that mitigation is lethal (a gunshot or poison) or a cage. A mouse that jumps away when it hears the trigger leaves only a bullet in the floorboards. A savvy threat actor can likewise detect when they are being monitored and either move away from the threat or establish a persistent presence that survives whatever response is being considered. The key is to respond fast enough to avoid evasion and stealthily enough to avoid detection.