The DIE Triad
Distributed, Immutable, Ephemeral
Distributed, Immutable, Ephemeral
For decades, the cybersecurity industry has organized its thinking around the CIA Triad: Confidentiality, Integrity, and Availability. This framework has guided security professionals through the evolution of threats from viruses in the 1990s to sophisticated nation-state attacks in the 2010s. But as we move through the 2020s, we have a new class of threats that demand a fundamental rethinking of how we architect and protect our digital infrastructure.
The rise of ransomware, destructive malware, and irreversible attacks has exposed a critical gap in our security paradigm. While the CIA Triad excels at helping us identify, protect, detect, and respond to threats, it falls short when addressing our ability to recover from catastrophic events. Enter the DIE Triad, a new paradigm that represents not just an evolution of security thinking, but a complete shift in how we build resilient systems.
As computers become cheap and organizations buy lots of them, we are faced with our first challenge: "What did we buy and how does it support the business?" We met this challenge with tools to inventory our technology assets and simply understand how they contributed to business operations.
As computing became more prevalent, new threats emerged. Viruses, server-side attacks, and insecure configurations became the core challenges. The security industry responded with antivirus software, firewalls, and secure configuration standards.
By the 2000s, organizations were drowning in logs and alerts. Client-side attacks became increasingly sophisticated, and the sheer volume of security data overwhelmed traditional approaches. Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) platforms emerged.
The 2010s brought a sobering realization: "assume breach." Organizations faced raging fires, excessive privileges, and the understanding that prevention alone was insufficient. Incident response teams, armed with Endpoint Detection and Response (EDR) tools and Security Orchestration, Automation and Response (SOAR) platforms, became critical components.
In this decade, we face a new challenge: irreversible harm. Ransomware doesn't just encrypt data—it threatens the very existence of organizations. MBR wipers, DDoS attacks, and firmware bricking represent attacks fundamentally undermine our ability to recover. The solutions from the past eras might minimize the occurrences of such events, but the approaches from the past eras cannot save one from a recovery problem. This is where the DIE Triad enters the picture.
The DIE Triad represents a fundamental shift from protecting assets to designing systems that are inherently resilient. The three pillars of the DIE Triad (Distributed, Immutable, and Ephemeral) each address a specific aspect of the CIA Triad, but from a design perspective rather than a defensive one.
The Principle: The best solution against a distributed attack is a distributed service.
When systems are distributed across multiple nodes, regions, or providers, they become inherently resistant to Distributed Denial of Service (DDoS) attacks and single points of failure. The more distributed something is, the less we need to worry about the availability of any one thing.
Example Technologies:
The Principle: Unauthorized changes stand out and can be reverted to known good states.
Immutability means that once something is created, it cannot be modified. It can only replaced. This approach reduces our need to worry about integrity since any change is considered undesireable and can be flagged immediately.
Example Technologies:
The Principle: Short-lived assets make attacker persistence hard and reduce concern for assets at risk.
Ephemeral systems exist only as long as needed, then disappear. This approach undermines an attacker's ability to maintain persistence. Furthermore, the more ephemeral something is (particularly for data), the less value it has, thus reducing the burden on confidentiality.
Example Technologies:
Pets are fragile. They represent single points of failure. They're expensive to maintain. And when they're compromised, recovery is complex and uncertain. They are your legacy systems that everyone wishes they could just get rid of.
Cattle don't matter. When something goes wrong, you don't fix it. You destroy it and create a new one from a template. Systems are built to be distributed (many instances), immutable (deployed from unchanging templates), and ephemeral (short-lived by design).
In the CIA paradigm, security professionals act as veterinarians: diagnosing sick systems, applying patches and remediation, nursing critical systems back to health, and preventing future illness through protective controls. This is skilled, important work, but it's also reactive and never-ending.
In the DIE paradigm, security professionals become pet control officers: identifying and reducing the potential pet population, promoting cattle-based architectures, implementing policies that discourage pet creation, and incentivizing decommissioning and creative destruction.
The path from fragility to antifragility requires intentional practice. This chaos testing playbook provides 30 concrete experiments to validate and strengthen your DIE implementation. Each test is designed to verify that your systems embody the principles of being Distributed, Immutable, and Ephemeral.
How to use this playbook:
Remember: The goal isn't just to pass these tests. It's to build systems that become stronger through chaos. Failed tests reveal hidden "pets" in your infrastructure that need to be converted to "cattle."
kubectl cordon <node>; kubectl drain <node> --ignore-daemonsets --delete-emptydir-data --forceaws ec2 create-network-acl-entry --network-acl-id <acl> --egress --rule-number 100 --protocol -1 --rule-action deny --cidr-block 0.0.0.0/0kubectl scale deploy/ingress-controller --replicas=0kubectl scale statefulset/db-replica-<n> --replicas=0kubectl edit configmap coredns # remove a forwarder
kubectl rollout restart -n kube-system deploy/corednskubectl run loadgen --image=ghcr.io/rakyll/hey --restart=Never -- hey -z 5m http://svc-a/kubectl delete pod -l app=rabbitmq -n mq --field-selector=status.phase=Running --force --grace-period=0kubectl delete pod -l app=<svc> --grace-period=0 --forcekubectl exec -n kube-system etcd-<leader-pod> -- pkill -9 etcdsudo ip route add blackhole <remote-cidr>kubectl exec <pod> -- sh -c "echo 'x=1' >> /app/config.yaml"kubectl cp ./testbin <pod>:/usr/local/bin/. ; kubectl exec <pod> -- chmod +x /usr/local/bin/testbinkubectl exec <pod> -- iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPTkubectl exec <pod> -- sh -c "echo '#tamper' >> /app/app.js"kubectl exec <db-pod> -- psql -c "ALTER TABLE users ADD COLUMN x int;"kubectl exec <pod> -- date -s '2 hours ago'kubectl exec <pod> -- sh -c "echo 'baduser:x:1002:1002::/home/baduser:/bin/bash' >> /etc/passwd"kubectl create secret tls badcert --cert=bad.crt --key=bad.key -n <ns>; kubectl patch ingress <name> ...kubectl exec <pod> -- sed -i '1s/.*/TAMPERED/' /var/log/app.logkubectl run bad --image=<unsigned:tag> --image-pull-policy=Alwaysaws ec2 terminate-instances --instance-ids <i-xxxx>kubectl rollout restart deploy/<app>aws secretsmanager rotate-secret --secret-id <db-secret>aws cognito-idp update-user-pool-client --access-token-validity 5 --token-validity-units MINUTESkubectl delete pod -l app=builder # controller recreates from base imagesudo certbot renew --force-renewal && sudo systemctl reload nginxaws s3 put-bucket-lifecycle-configuration --bucket <b> --lifecycle-configuration file://ttl.jsonaws apigateway update-api-key --api-key <id> --patch-operations op=replace,path=/value,value=$(openssl rand -hex 16)kubectl apply -f deploy-green.yaml; kubectl rollout status; kubectl delete -f deploy-blue.yamlaws workspaces reboot-workspaces --reboot-workspace-requests WorkspaceId=<id>The cybersecurity industry stands at a crossroads. We can continue fighting yesterday's battles with yesterday's frameworks, or we can embrace a new paradigm designed for the threats we actually face.
The CIA Triad served us well for decades. But the world has changed. We now face ransomware that can destroy organizations, wipers that cause irreversible damage, supply chain attacks that compromise trusted foundations, and adversaries with near-unlimited resources and patience.
Against these threats, protection, detection, and response are necessary but insufficient. We need systems designed for resiliency from the ground up.
The DIE Triad isn't just a theoretical framework. It's being implemented today by organizations that have recognized the limitations of traditional security approaches. Cloud-native companies building on serverless architectures, containerized microservices, and privacy-enhancing technologies are demonstrating the practical viability of DIE principles.
Organizations must choose their path:
The question isn't whether the DIE Triad is correct. It's whether your organization will adopt it proactively or be forced to adopt it reactively after a catastrophic incident.
Death to CIA. Long live DIE.