Are there any especially useful constructs that cybersecurity advisors and security services providers can draw on to hash-out choices with their concerned (and probably resource-constrained) clients without diving into jargon-laden minutiae? I have always relied upon the lessons available in zero-sum game theory, originally proposed by John Nash in his 1951 thesis, “Non-Cooperative Games.” (Non-cooperative is a pretty mild description of the types of conflict that can be usefully assessed using the zero-sum framework!)
The basics of zero-sum game theory are straightforward: my opponent’s gain comes at my expense, and vice versa. In this two-player game, both players play to optimize their position, but, importantly, each plays taking into account the expected response of the other. According to Nash, equilibrium is achieved when neither player can improve their position in the game by adjusting their strategy.
What an attacker acquires by compromising my network is to their benefit, coming at my expense. Because there is rarely a cost to the attacker when they undertake their criminal behavior, there’s an asymmetry in the relationship between attackers and defenders that starkly favors attackers. They rarely have any costs inflicted upon them. So, lesson number one from zero-sum game theory is that, without any cost inflicted upon them, they will happily carry on. There is no equilibrium as proposed by Professor Nash. Any step you can take to burden the attacker is a step in the right direction.
In this example, zero-sum isn’t an all-or-nothing proposition. What we lose when we are victims of hackers isn’t usually everything. What we lose certainly comes at an economic cost, albeit too often measured in millions or tens of millions of dollars.
In cybersecurity, however, there is one important way in which zero-sum is, in fact, all-or-nothing. When an exploit is underway, the attacker’s goal, once inside a network, is to discover assets and surreptitiously assert control over as many of them as they possibly can. Why? If the enemy can write to any device, they control it, not the defender. The more devices in your environment they control, the harder it is for a defender to wrest back control and expel intruders from every corner they occupy. So, their control over each device in a network is all-or-nothing.
This is one reason the average dwell time of the adversary in systems is about nine months, per IBM Security in their 2023 Cost of a Data Breach Report. Try as they might, after-the-fact analytical tools struggle to deal with most network incursions in a timely enough fashion.
If attacks that unfold in very short timeframes aren’t met with real-time countermeasures, all the defender will end up doing is fighting a rearguard action to reclaim lost territory. Automated, real-time reactions—ideally ones that make the exploit costly for the attacker—are needed. What if the intruder’s malign activities weren’t just the subject of monitoring and analysis, then flagged for incident response? Imagine, instead, that an intruder must confront an environment inherently hostile to them, one in which their exploitation tools and techniques produce wildly unexpected results that reflect something is going terribly wrong with the exploit, and that the whole experience, instead of being a fun puzzle-solving exercise, feels more like a dance through razor wire.
You might really like how Russell Crowe… I mean John Nash… earned his Nobel by checking out the 2001 Best Picture winner, A Beautiful Mind!
About the author: Scott Fogarty is the CEO of Ridgeback Network Defense Inc. The world is in perpetual cyber-war. Together with Ridgeback’s founder and inventor, Thomas Phillips, Scott leads Ridgeback, building and deploying tools that battle despicable criminals who would rob our families, hijack our hospitals and impose on our economic freedoms. Ridgeback’s approach draws on using a range of techniques that automatically engage, disrupt and impair attackers during connection. Gartner covered Ridgeback as an Emerging Tech Innovator in June 2023.