Over the course of my professional career, I have been fortunate enough to be involved in the development of video games, and I still keep up with current events and trends in the video game industry. For many, video games are a hobby, but for me they are much more than that. Video games have given me a way to model conflict, and there are many patterns we can borrow and apply to the way we approach cybersecurity. When this subject comes up in academic circles, academics are quick to reach for the field of study called Game Theory. However, I have had very little luck applying this logical and orderly model in the real world. The reality is that production networks are messy, attackers don’t fit nicely into categories, and in the fast-moving field of cybersecurity, a lot of what happened even this week will take months if not years to reach learning institutions.
The ability to communicate tactics and strategies that are useful in conflict pre-dates the invention of Game Theory and I’m sure you have your set of favorite strategists that have served you well in business, cybersecurity, sports, and other conflict-oriented environments.
I’m no exception to this, and in this article I want to introduce you to a favorite of mine named Musashi Miyamoto. He was the greatest samurai to ever walk this earth, and in his later years he wrote “The Book of Five Rings,” wherein he outlined his no-nonsense approach to the art of combat. There are a few patterns he describes that I believe are important to those of us trying to figure out how to automate our systems in a way that serves our businesses and not our attackers.
The martial arts are a collection of moves or forms that are rehearsed over and over. This repetition trains the body and the mind for battle, where milliseconds of hesitation might mean defeat. Musashi placed a lot of value on knowing not just one form, but all of them. For Musashi, being over-reliant upon a single form was worse than bad technique. This approach earned him a reputation as the “Tactical Chameleon” because he would adapt to his opponent’s form and exploit the deterministic qualities of that form’s countermeasures.
Let’s take a moment to connect this approach to the video game genre of fighting games. Looking back to some of the earliest games in this genre like Street Fighter, each character in the game has a defined move-set that makes up a deterministic quality of that character. This still holds true for fighting games today as well. Competitive eSport players study every character, every move, and learn every frame by frame detail to help give them a predictive advantage over their competitors.
Now back to Musashi. When facing an opponent on the trail, he would at first not know what form that opponent was trained in, so he would open with a gesture that effectively asked, “Are you form B?” The way his opponent reacted to this initial gesture would confirm or deny it. If yes, the next course of action would be to respond with a countermeasure that was exclusive to form B. By determining the form of his opponent, Musashi could exhibit a move that would put his foe in a vulnerable position and allow him to perform a killing blow.
This same methodology is also applied in eSports. At major fighting game tournaments like the Evolution Championship Series (EVO), the top competitors not only know all the ins and outs of the character they play, but they also know all the moves and matchups against other characters down to the frame level. This approach holds deterministic qualities that the players can use offensively and defensively.
One thing that I should point out in this analogy is that in fighting games, player A and player B both have offensive and defensive capabilities. This is not the case in cybersecurity, where the conflict dynamic is more akin to player A being primarily a defender and player B being an attacker.
However, regardless of this difference, there are still qualities we can learn from Musashi and the fighting video game genre that are useful in threat modeling security automation.
At a basic level, you can view Musashi’s strategies as behaviors that either lead to surviving the conflict or not. Similarly, you can also look at the top players of eSports fighting games as having a dominant set of behaviors that win tournaments and ultimately championships.
As a defender, you are constantly trying to model the behavioral aspects of your attacker. This happens at both your attacker’s cognitive level as well as the mechanical level (machine-scale). Both may exhibit deterministic characteristics that can be used for detection and lead to defensive actions.
On the attacking side, threat actors are modeling your activity and identifying any behaviors that will help them achieve their desired outcome with the lowest chance of detection at the lowest cost of operations. If your adversary were to gain knowledge of your playbooks or runbooks, how would that play to their advantage in terms of evading detection or achieving their goals?
When it comes to behavioral modeling, we simply don’t talk about it enough when we assess our security programs. We are still so stuck on nouns (things) when we need to be looking at the verbs (behaviors). Any advanced technology will have a dual use, with the potential for both good and evil. For example, encryption keeps your customers’ communications private, but it also keeps your adversaries’ command and control channels private too. The software distribution system you use for updates across your enterprise can also be used by your adversary to distribute malware. In both examples, the thing (the noun) has not changed, but the behavior (the verb) has.
Any deterministic quality can be a weakness for the attacker or the defender. Because Musashi was an expert in all forms, early in a battle he would exhibit moves that drew deterministic responses from a given martial arts form in order to determine his opponent’s move-set. By seeing how his opponent reacted, he then knew the optimal dominant strategy to counter that form and defeat his adversary.
With fighting games, the game itself holds the deterministic qualities. A certain character will have moves where, once a player commits to a specific input sequence, control is turned over to the game to complete that move. During this time, the other player knows, at least for the next few microseconds, what the future holds and must determine the next move that will shift the fight to their advantage. Repetitive and static use of automation is like using the same combos or patterns over and over in a game. It might work well against many of the opponents you face, but if your foe understands how the combo or pattern works and knows how you use it, they can counter it accordingly.
Take a moment to consider the following: What aspect of your processes or automation techniques could a threat actor use against you? Just because you can automate something for security, does not mean you should. Our systems are becoming more and more automation rich as we move from human-scale operations to machine-scale operations. It is paramount that we understand how to automate safely and not to the advantage of our attackers. Treating your infrastructure as code and applying the appropriate level of testing and threat modeling is not optional.
Security has always claimed that “Defense in Depth” is a dominant strategy. As we enter the world of automated workloads at internet scale, it has become clear that it is “Defense in Diversity” that wins over depth. When dealing with mechanized attacks, iterating over the same defense a million times is cheap. However, attacking a million defenses that are each slightly different is costly. It then comes down to this: How can you raise the cost of your adversary’s observations and actions without raising the cost equally for the defender?
It is accepted that human beings have a cognitive limit on things like recall, working memory, dimensional space, etc. Operating outside of any one of these dimensions can be viewed as beyond the peripheral cognition of a human. This is important because machines have no problem operating outside these boundaries, which is why I have differentiated certain challenges in this article as human-scale versus machine-scale.
Diversity is the countermeasure to determinism. Extreme forms of diversity are feasible for machines but infeasible for humans, so we need to be careful in how we apply it in our systems.
By accepting these human-scale versus machine-scale constraints and capabilities, we need to design automation that has machine-scale diversity and operational capacity while still being operable at human scale by the defenders.
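The following is an added illustration of that design constraint, not code from the post or from Cisco. It contrasts a detection rule with a fixed, playbook-known threshold against one whose threshold is derived per time window from a keyed hash: the variation is machine-scale (every window differs), but an analyst holding the key can recompute any window’s value, so the rule stays operable at human scale. The HMAC-based derivation, the threshold bounds, the key and the event counts are all constructed for the example.

```python
"""Keyed threshold diversification: a detector whose trigger point varies per
time window in a way only the defender can reproduce.

Added example (not from the original post). The key, the threshold bounds and
the event counts below are constructed for illustration.
"""
import hashlib
import hmac
from typing import List

# The "published playbook" value: alert when a window holds 5 or more events.
STATIC_THRESHOLD = 5


def static_detect(counts: List[int], threshold: int = STATIC_THRESHOLD) -> List[int]:
    """Return indices of windows whose event count reaches a fixed threshold."""
    return [i for i, c in enumerate(counts) if c >= threshold]


def diversified_threshold(secret: bytes, window_id: int, low: int = 3, high: int = 8) -> int:
    """Derive this window's threshold from an HMAC over the window id.

    The defender holds `secret`, so triage can recompute the value for any
    window (human-scale operation); an observer without the key sees only
    that the trigger point moves somewhere between `low` and `high`.
    """
    digest = hmac.new(secret, str(window_id).encode(), hashlib.sha256).digest()
    span = high - low + 1
    return low + digest[0] % span


def diversified_detect(counts: List[int], secret: bytes, low: int = 3, high: int = 8) -> List[int]:
    """Return indices of windows whose count reaches that window's keyed threshold."""
    return [i for i, c in enumerate(counts)
            if c >= diversified_threshold(secret, i, low, high)]


def paced_activity(windows: int, per_window: int) -> List[int]:
    """Constructed sample: an actor who has learned the static playbook value
    and paces activity at a constant rate just beneath it, window after window."""
    return [per_window] * windows


if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice, loaded from a secret store
    counts = paced_activity(windows=50, per_window=STATIC_THRESHOLD - 1)
    print("static threshold alerts :", static_detect(counts))
    print("keyed threshold alerts  :", diversified_detect(counts, key))
    print("threshold for window 7  :", diversified_threshold(key, 7))
```

The asymmetry is the point of the exercise: the defender’s added cost is one secret and a hash per window, while an adversary who learned the static value of 5 must now treat every window as a fresh observation. The caveat is that the low bound is the real floor. Lowering it widens the band the adversary must stay under but also raises false positives, so the bounds should be chosen against the baseline of legitimate activity, not just against the attacker.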
In order to effectively combat an increasingly strategic and varied set of threats, security professionals need to take a page from fighting game players. While repetitive and static use of an effective move or combo might keep some adversaries at a disadvantage, or even defeat some of them outright, at some point a player is going to come across a foe that not only recognizes those patterns but also knows how to counter and punish them, leaving the player defenseless and open to attack. Much like an eSports pro can’t just spam the same set of moves to win every fight, security professionals can’t rely on the same static methods over and over again to defend their organizations.
I encourage you to take some time to assess your organization’s current approach to security and ask yourself some important questions:
The first step to becoming a successful “Tactical Chameleon of Security” is learning to identify which elements of your approach are human-scale problems and which are machine-scale problems. Recognizing how to efficiently balance the human and AI/ML components in your kit, and understanding the advantages each provides, will allow you to better defend against threats and seize victory against whatever foes come your way.
The post The Tactical Chameleon: Security Through Diverse Strategy appeared first on Cisco Blogs.