“You’ll find this game worth playing . . . Your brain against mine . . . And the stake is not without much value, eh?”
—Richard Connell, The Most Dangerous Game
Richard Connell was a prolific writer, penning more than 300 short stories over his relatively short 30-year career, perhaps none more popular than his 1924 masterpiece The Most Dangerous Game. The story challenged basic principles of morality as it terrified readers with a gruesome plot. In it, the protagonist, an avid big game hunter, finds himself thrown overboard while in transit to his next hunting excursion. He discovers refuge on an island where he meets a fellow ardent hunter, the island’s only civilized inhabitant, who gives him a chilling ultimatum: survive a three-day deadly match pitting human against human as hunter versus hunted, or suffer a grisly death by torture as the alternative.
The story grips the reader with the horrifying thought of turning from hunter to hunted. While the protagonist and antagonist are equally matched in skill, the antagonist has the upper hand the entire story: he sets the parameters of the game, he determines when the match starts and ends, he is familiar with the geographical territory in which the hunt ensues, and so on. For the antagonist, hunting animals had long outlived its challenge—only a “new” animal capable of reasoning would test his skills. As Connell so disturbingly conceived, human versus human is the ultimate most dangerous game.
Of course, cybersecurity professionals live out this story every day. While they may not be fighting for their own lives in the middle of a remote jungle, the challenge in matching wits against adversaries seeking to do their organizations harm is a dangerous game in and of itself. With nation-state actors threatening critical infrastructures, the notion of saving lives, both their own and those around them, is less dramatic and more imminent for these veritable heroes as more dangerous hunters enter the game.
Like the hero and villain in the short story, skills are comparably matched between white and black hats. Also, similar to Connell’s fictional tale, black hats set the parameters of the “game,” playing by and often changing their own set of rules. And, as the protagonist discovers, winning the game would simultaneously entail a reliance on his basic skills and an upending of conventional notions. And, though not a typical character, the element of time is a main actor in the story—the hero must survive the perilous plight for three frightening days while the villain seeks to end his opponent’s life before expiry.
Consider the “rules” of the cybersecurity game white hats are up against.
Black hats initiate. White hats are doomed to play defense against threat actors who launch the assault. Understanding where the next threat vector may emerge and how the organization could be vulnerable, including through unwitting employees, becomes the ongoing challenge for white hats.
Black hats need not play fair. Cybersecurity professionals are governed by a standard of ethics and business compliance. Many in the industry are reluctant to share threat intelligence with their peers, lest they be excoriated in the court of public opinion or unintentionally violate the privacy of information entrusted to them by customers. Black hats are not confined by ethics, standards, or office politics. They can freely share with one another (for a price or otherwise) without fear of repercussions. Of course, this isn’t to say hackers aren’t concerned with verifying the identity of what appears to be a like-minded virtual kindred spirit—after all, that wolf in sheep’s clothing may be a law enforcement official in disguise. Yet, despite this rub, black hats can and do play dirty. White hats are held to a standard.
Black hats can, and do, frequently change the parameters of the game. While cybersecurity professionals are confined by information technology (IT) environments predicated upon stability and testing, black hats can iterate on their creations as many times as they choose, limited only by their own tolerance for personal investment. This means hackers can frequently change the nature of the game to suit them, from polymorphic viruses that frustrate signature collection to more advanced countermeasures (such as sandbox evasion techniques) that keep white hats on their heels.
Black hats can easily gain access to the white hat’s secret sauce. Cybersecurity defensive software and appliances are commercially available in the market, giving hackers relatively easy access to procure or steal this technology and reverse-engineer it to determine how to advance their next offense. Cybersecurity software companies certainly can do the same to a black hat’s creation; however, that typically entails someone falling victim to it in the wild—a much higher price for the white hat to pay to gain access to his opponent’s technology.
Black hats need only score once. Black hats have the advantage of an asymmetric fight. While white hats must be vigilant in defending against all possible attacks (though admittedly at varying threat levels), black hats need only succeed once. They flood white hats with volumes of threats in an attempt to land just one, if not to provide a smokescreen for a more targeted attack in the making.
Black hats leverage time to their advantage. Time has been a major theme throughout this book. Depending on the adversary’s motives, he will stealthily infiltrate his victim’s “keep,” lingering undetected for as long as possible to inflict harm. The latest spate of ransomware attacks has created a new threat category in cybersecurity—one in which the threat actor literally leverages time as the ultimate motivator to convince his victim to pay up. Of course, time can also be an advantage to white hats who are able to implement countermeasures quickly against the next attack. But, given that adversaries are the ones who determine when the game starts, they naturally have the benefit of time on their side, at least initially.
Black hats are clearly incentivized. Whether for profit, principle, or province—just three possible motives covered in this book—threat actors have clear incentives motivating their next move. White hats are encumbered with office scorecards and political pressures that often motivate the wrong behavior. Many may feel pressure to simply show all cyberdefense metrics as green so as to avoid uncomfortable discussions with executives and board members, assuming these conversations would be welcomed at all by leaders who are often overwhelmed and confused by the topic’s inherent complexity. In fact, cybersecurity is not a domain measured in red or green—it lives in shades of gray, as all organizations are under some form of threat (ranging from generic malware to highly targeted zero-day attacks) at any given time. The result? While black hats clearly know the score, white hats struggle to determine how it is even kept.
Each of these white hat disadvantages is exacerbated by an unenviable confluence within the game’s macroeconomic dynamics. Simply put, there aren’t enough white hats in the fight as the industry faces a labor shortage crisis. At the same time, the attack surface is exponentially increasing—with cloud, mobility and the Internet of Things creating new attack entry points for adversaries to encroach.
While white hats may largely agree that they face this unenviable set of constraints in a game rigged against them, half the market (according to McAfee research on the topic) is following the wrong strategy, ultimately giving their opponent an even greater upper hand. Specifically, thanks to the phenomenon of Grobman’s Curve, where cybersecurity solutions provide diminishing returns with greater market adoption (because adversaries become increasingly motivated to develop countermeasures as more of their potential victims use a given technology), speed becomes of the essence when deploying the latest defense mechanism. Unfortunately, well-intentioned cybersecurity professionals struggling to prove their value are often compelled to adopt the latest point product in the market. And, with 1,400 cybersecurity vendors and counting, there is no shortage of wonder products promising to cure what ails them.
The problem with this strategy is that it creates one of two likely outcomes. The first entails a failure to implement the technology at all, known in the industry by the derisive term “shelfware,” as covered in an earlier chapter. The second involves implementing the technology, only to be overwhelmed by a complex back-office operating environment composed of fragmented tools, oftentimes from multiple vendors. In either case, the white hat is not using the technology to his advantage, as speed-to-implementation and workforce efficiency are the elusive and often unattainable goals of such an approach.
We submit that Grobman’s Curve requires a different approach to the problem—one that focuses energy on implementing a platform capable of onboarding new security technologies quickly, with simplified workflow management to optimize operational efficiency. This isn’t just a matter of our opinion. Those cybersecurity professionals with a more simplified back-office infrastructure, as provided by fewer vendors in their environment, report experiencing fewer threats, better detection times, and more confidence in their security posture than their counterparts with a more fragmented, multivendor approach.
But, you may rightfully realize that putting most of one’s cybersecurity eggs in one vendor’s basket is a risky game in and of itself. What happens if said vendor suddenly changes strategy or roadmap, is acquired, or simply ceases to innovate at the pace of the market? The CISO (chief information security officer) who recommended consolidating multiple workflows with that vendor will quickly be shown the exit door. Given this possibility, many cybersecurity professionals persist in broadening their vendor environment, in an attempt to also diversify their risks. Unfortunately, this is a losing strategy in a Red Queen Race where time makes or breaks a player.
We offer a different alternative: one that puts the focus on an integrated platform with unified workflow management but also leverages the power of a robust ecosystem of cybersecurity players. Finding the right partner capable of bringing to bear hundreds of providers across a fragmented industry over a common integrated framework offers cybersecurity professionals the best of all worlds:
- The ability to rapidly onboard and deploy new technologies with the lowest level of effort, allowing organizations to derive maximum utility from these defensive products before adversaries are incentivized to develop countermeasures
- The opportunity to simplify back-office management and processes, allowing existing limited resources to work smarter, not harder, in addressing more threats faster
- The benefit of tapping into the aggregate innovative capabilities of a vibrant ecosystem of hundreds of potential players, all connected over the same infrastructure and using the same management tools to simplify operations
This can no longer be a choice where cybersecurity professionals must decide between speed and effectiveness. Adversaries are setting the parameters of the game, and it requires both. At the same time, white hats must demand more of their cybersecurity vendors. Threat intelligence sharing in the industry must occur at the vendor level and focus energies on specific campaigns of particular import. The good guys responsible for defending their organizations each day deserve more than superficial threat “intelligence” sharing that is often nothing more than vendors providing data on malware attacks. The Cyber Threat Alliance is a major step in the right direction, but the industry can and must do more in this area. Each time an adversary’s campaign is halted prematurely, it forces him to reinvest his efforts in developing his next menace rather than propagating one already created. This creates downward pressure on the adversary’s return on investment (ROI), which forces him to re-evaluate his incentives—favorable outcomes for all white hats, both on the vendor and client side, in the battle.
Company executives must also do their part, and a big part of that role is clarifying the cybersecurity incentives and reward structures within their own companies. Penetration testing should be ongoing, with rewards offered to red teams playing the adversarial role—who should be expected to always win if they are effective. Rather than require scorecards that simply measure how many security incidents the organization encountered the previous day, ask meaningful questions to assess the robustness of your cybersecurity posture. Identify your “keep” and what is most critical to protect in your organization. Find out how and where red teams managed to penetrate. Correlate threats with probabilistic indicators toward a specific campaign, particularly one that may be targeted at your organization directly. Inquire about the usefulness of installed security technologies and whether the organization is due for a refresh (for those on the declining slope of Grobman’s Curve). Reward CISOs for candidly assessing where the organization may be vulnerable. Ensure your breach-readiness plan also includes communications policies for handling internal and external stakeholders when the critical moment of truth occurs.
Above all, critically assess your organization’s own success in constantly evaluating the effectiveness of its cybersecurity posture by weighing the utility of any given product in your arsenal against the ongoing costs of maintaining it. Before attempting a forklift upgrade, determine whether the organization has sufficiently milked the benefits of existing technologies, diligently pruning those that have outlived their usefulness, to avoid introducing unintended complexity, if not shelfware, into your environment. Many times, organizations are left holding the bag and the unfortunate blame in the hindsight analysis of a cyberattack simply for failing to have maximized the yield of products, tools, and processes that were already available in their cybersecurity inventory.
In the game of cybersecurity, there are no easy answers, just easy problems. That said, there are practical strategies that cybersecurity professionals, their leaders, and vendors can take to alter the outcome of the contest in their favor. As in Connell’s short story, the stakes for organizations in this game couldn’t be higher. How an organization defends against an enemy and ultimately responds if breached have been the deciding factors in whether executives are required to relinquish their seats, if not whether the company is forced to close its doors. There is a happy ending to Connell’s masterpiece: the protagonist wins. The reader is left to conclude he will forever be a changed man, and certainly a changed hunter, as a result of his experience—more cunning and more refined to meet his next match. White and black hats engage in a hunt each day in the virtual jungle in which we increasingly dwell. Our heroes can take a page from Connell’s tale, but it will require that they first challenge their own playbook to change the outcome of this most dangerous game in The Second Economy.