Epilogue

“You’ll find this game worth playing . . . Your brain against mine . . . And the stake is not without much value, eh?”

—Richard Connell, The Most Dangerous Game

Richard Connell was a prolific writer, penning more than 300 short stories over his relatively short 30-year career, perhaps none more popular than his 1924 masterpiece The Most Dangerous Game. The story challenged basic principles of morality as it terrified readers with a gruesome plot. In it, the protagonist, an avid big game hunter, falls overboard while in transit to his next hunting excursion. He finds refuge on an island where he meets a fellow ardent hunter, the island's only civilized inhabitant, who gives him a chilling ultimatum: survive a three-day deadly match pitting human against human as hunter versus hunted, or suffer a grisly death by torture as the alternative.

The story grips the reader with the horrifying thought of turning from hunter to hunted. While the protagonist and antagonist are equally matched in skill, the antagonist holds the upper hand throughout: he sets the parameters of the game, he determines when the match starts and ends, he knows the terrain on which the hunt takes place, and so on. For the antagonist, hunting animals had long since lost its challenge; only a "new" animal capable of reasoning could test his skills. As Connell so disturbingly conceived it, human versus human is the most dangerous game of all.

Of course, cybersecurity professionals live out this story every day. While they may not be fighting for their own lives in the middle of a remote jungle, matching wits against adversaries seeking to do their organizations harm is a dangerous game in and of itself. And with nation-state actors threatening critical infrastructure, the notion of saving lives, their own and those around them, is less dramatic and more immediate for these defenders as more dangerous hunters enter the game.

Like the hero and villain in the short story, white and black hats are comparably matched in skill. Also, as in Connell's fictional tale, black hats set the parameters of the "game," playing by their own rules and often changing them. And, as the protagonist discovers, winning the game requires both a reliance on basic skills and an upending of conventional notions. Finally, though not a character in the usual sense, time is a main actor in the story: the hero must survive the perilous plight for three frightening days while the villain seeks to end his opponent's life before the deadline.

Consider the “rules” of the cybersecurity game white hats are up against.

  1. Black hats initiate. White hats are doomed to play defense against threat actors who launch the assault. Understanding where the next threat vector may emerge and how the organization could be vulnerable, including through unwitting employees, is the ongoing challenge for white hats.

  2. Black hats need not play fair. Cybersecurity professionals are governed by a standard of ethics and business compliance. Many in the industry are reluctant to share threat intelligence with their peers, lest they be excoriated in the court of public opinion or unintentionally disclose private information entrusted to them by customers. Black hats are not confined by ethics, standards, or office politics. They can freely share with one another (for a price or otherwise) without fear of repercussions. Of course, this isn't to say hackers aren't concerned with verifying the identity of what appears to be a like-minded kindred spirit online; after all, that wolf in sheep's clothing may be a law enforcement official in disguise. Yet, despite this rub, black hats can and do play dirty. White hats are held to a standard.

  3. Black hats can, and do, frequently change the parameters of the game. While cybersecurity professionals are confined by information technology (IT) environments predicated upon stability and testing, black hats can iterate on their creations as many times as they choose, limited only by their own tolerance for personal investment. This means hackers can frequently change the nature of the game to suit them, from polymorphic viruses that rewrite their own code to defeat signature-based detection, to iterations in more advanced countermeasures (such as sandbox evasion techniques), to keep white hats on their heels.

  4. Black hats can easily gain access to the white hat's secret sauce. Cybersecurity defensive software and appliances are commercially available in the market, giving hackers relatively easy access to procure or steal this technology and reverse-engineer it to determine how to advance their next offense. Cybersecurity software companies certainly can do the same to a black hat's creation; however, that typically entails someone falling victim to it in the wild, a much higher price for the white hat to pay to gain access to his opponent's technology.

  5. Black hats need only score once. Black hats have the advantage of an asymmetric fight. While white hats must be vigilant in defending against all possible attacks (though admittedly at varying threat levels), black hats need only succeed once. They flood white hats with volumes of threats, hoping simply to land one, if not to provide a smokescreen for a more targeted attack in the making.

  6. Black hats leverage time to their advantage. Time has been a major theme throughout this book. Depending on the adversary's motives, he will stealthily infiltrate his victim's "keep," lingering undetected for as long as possible to inflict harm. The latest spate of ransomware attacks has created a new threat category in cybersecurity, one in which the threat actor literally uses time as the ultimate motivator to convince his victim to pay up. Of course, time can also be an advantage to white hats who are able to implement countermeasures quickly against the next attack. But, given that adversaries are the ones who determine when the game starts, they naturally have time on their side, at least initially.

  7. Black hats are clearly incentivized. Whether for profit, principle, or province (just three of the possible motives covered in this book), threat actors have clear incentives motivating their next move. White hats are encumbered with office scorecards and political pressures that often motivate the wrong behavior. Many may feel pressure to simply show all cyberdefense metrics as green so as to avoid uncomfortable discussions with executives and board members, assuming those leaders, who are often overwhelmed and confused by the topic's inherent complexity, would welcome such conversations at all. In fact, cybersecurity is not a domain measured in red or green; it lives in shades of gray, as every organization is under some form of threat (from generic malware to highly targeted zero-day attacks) at any given time. The result? While black hats clearly know the score, white hats struggle to determine how it is even kept.

Each of these white hat disadvantages is exacerbated by an unenviable confluence of macroeconomic dynamics within the game. Simply put, there aren't enough white hats in the fight, as the industry faces a labor shortage crisis. At the same time, the attack surface is expanding rapidly, with cloud, mobility, and the Internet of Things creating new entry points for adversaries.

While white hats may largely agree that they face this unenviable set of constraints in a game rigged against them, half the market (according to McAfee research on the topic) is following the wrong strategy, ultimately giving their opponent an even greater upper hand. The reason is Grobman's Curve: cybersecurity solutions provide diminishing returns with greater market adoption, because adversaries become increasingly motivated to develop countermeasures as more of their potential victims use a given technology. Speed is therefore of the essence when deploying the latest defense mechanism. Unfortunately, well-intentioned cybersecurity professionals struggling to prove their value are often compelled to adopt the latest point product in the market. And, with 1,400 cybersecurity vendors and counting, there is no shortage of wonder products promising to cure what ails them.

The problem with this strategy is that it creates one of two likely outcomes. The first is a failure to implement the technology at all, known in the industry by the derisive term "shelfware," as covered in an earlier chapter. The second involves implementing the technology, only to be overwhelmed by a complex back-office operating environment composed of fragmented tools, oftentimes from multiple vendors. In either case, the white hat is not using the technology to his advantage, since speed-to-implementation and workforce efficiency are elusive and often unattainable goals with such an approach.

We submit that Grobman's Curve requires a different approach to the problem, one that focuses energy on implementing a platform capable of onboarding new security technologies quickly, with simplified workflow management to optimize operational efficiency. This isn't just a matter of our opinion. Those cybersecurity professionals with a more simplified back-office infrastructure, as provided by fewer vendors in their environment, report experiencing fewer threats, better detection times, and more confidence in their security posture than their counterparts with a more fragmented, multivendor approach.

But, you may rightfully realize that putting most of one's cybersecurity eggs in one vendor's basket is a risky game in and of itself. What happens if said vendor suddenly changes strategy or roadmap, is acquired, or simply ceases to innovate at the pace of the market? The CISO (chief information security officer) who recommended consolidating multiple workflows with that vendor will quickly be shown the exit door. Given this possibility, many cybersecurity professionals persist in broadening their vendor environment in an attempt to diversify their risks. Unfortunately, this is a losing strategy in a Red Queen Race, where time makes or breaks a player.

We offer a different alternative: one that puts the focus on an integrated platform with unified workflow management but also leverages the power of a robust ecosystem of cybersecurity players. Finding the right partner capable of bringing hundreds of providers across a fragmented industry together over a common integrated framework offers cybersecurity professionals the best of all worlds:

  • The ability to rapidly onboard and deploy new technologies with the lowest level of effort, allowing organizations to derive maximum utility from these defensive products before adversaries are incentivized to develop countermeasures

  • The opportunity to simplify back-office management and processes, allowing existing limited resources to work smarter, not harder, in addressing more threats faster

  • The benefit of tapping into the aggregate innovative capabilities of a vibrant ecosystem of hundreds of potential players, all connected over the same infrastructure and using the same management tools to simplify operations

This can no longer be a choice in which cybersecurity professionals must decide between speed and effectiveness. Adversaries are setting the parameters of the game, and it requires both. At the same time, white hats must demand more of their cybersecurity vendors. Threat intelligence sharing in the industry must occur at the vendor level and focus energies on specific campaigns of particular import. The good guys responsible for defending their organizations each day deserve more than superficial threat "intelligence" sharing that is often nothing more than vendors providing data on malware attacks. The Cyber Threat Alliance is a major step in the right direction, but the industry can and must do more in this area. Each time an adversary's campaign is halted prematurely, it forces him to reinvest his efforts in developing his next menace rather than propagating one already created. This creates downward pressure on the adversary's return on investment (ROI), which forces him to re-evaluate his incentives: favorable outcomes for all white hats, both on the vendor and client side, in the battle.

Company executives must also do their part, and a big role they play is in clarifying the cybersecurity incentives and reward structures within their own companies. Penetration testing should be ongoing, with rewards offered to red teams playing the adversarial role, who should be expected to always win if they are effective. Rather than requiring scorecards that simply measure how many security incidents the organization encountered the previous day, ask meaningful questions to assess the robustness of your cybersecurity posture. Identify your "keep" and what is most critical to protect in your organization. Find out how and where red teams managed to penetrate. Correlate threats with probabilistic indicators of a specific campaign, particularly one that may be targeted at your organization directly. Inquire about the usefulness of installed security technologies and whether the organization is due for a refresh (for those on the declining slope of Grobman's Curve). Reward CISOs for candidly assessing where the organization may be vulnerable. Ensure your breach-readiness plan also includes communications policies for handling internal and external stakeholders when the critical moment of truth occurs.

Above all, critically assess your organization's own success in constantly evaluating the effectiveness of its cybersecurity posture by weighing the utility of any given product in your arsenal against the ongoing costs of maintaining it. Before attempting a forklift upgrade, determine whether the organization has sufficiently milked the benefits of existing technologies, diligently pruning those that have outlived their usefulness, to avoid introducing unintended complexity, if not shelfware, into your environment. Many times, organizations are left holding the bag, and the blame, in the hindsight analysis of a cyberattack simply for having failed to maximize the yield of products, tools, and processes that were already available in their cybersecurity inventory.

In the game of cybersecurity, there are no easy answers, just easy problems. That said, there are practical strategies that cybersecurity professionals, their leaders, and vendors can take to alter the outcome of the contest in their favor. As in Connell's short story, the stakes for organizations in this game couldn't be higher. How an organization defends against an enemy, and ultimately responds if breached, has been the deciding factor in whether executives are required to relinquish their seats, if not whether the company is forced to close its doors. There is a happy ending to Connell's masterpiece: the protagonist wins. The reader is left to conclude he will forever be a changed man, and certainly a changed hunter, as a result of his experience, more cunning and more refined to meet his next match. White and black hats engage in a hunt each day in the virtual jungle in which we increasingly dwell. Our heroes can take a page from Connell's tale, but it will require that they first challenge their own playbook to change the outcome of this most dangerous game in The Second Economy.

Index

A

  1. Adversarial campaign

  2. AIDS

  3. Airport security defenses

  4. Airport security personnel

  5. Aman

  6. Amazon Web Services (AWS)

  7. American Automobile Association

  8. American civilians

  9. An Enemy of the People in 1882

  10. Anti-Communist

  11. Anti-malware countermeasures

  12. Anti-malware software

  13. Anti-Phishing Working Group (APWG)

  14. Antivirus software

  15. Antivirus software packages

  16. 9/11 attack

  17. AT&T Bell Laboratories

  18. Atomic bomb

  19. Auto manufacturers

  20. Automobile features

  21. Auto safety critics

B

  1. Bank Secrecy Act (BSA)

  2. British volunteer commandos

  3. Bush period

C

  1. The Car (film)

  2. CareerCast

  3. Car manufacturers

  4. Cell’s protein

  5. Certified Information Systems Security Professional (CISSP)

  6. Chief Executive Officer (CEO)

  7. Chief information officer (CIO)

  8. Chief information security officers

  9. Chief security officer (CSO)

  10. Church of Scientology

  11. CIA

  12. Cisco study

  13. CISOs

  14. City of London Corporation

  15. City of London Police

  16. Class-action lawsuits

  17. Claw hammer

  18. Clipper Chip

  19. Code spaces

  20. Cold War

  21. Collapsible steering wheels

  22. Collisions

  23. Competitive advantage

  24. Computer code

  25. Computer security

  26. Corporate network

  27. Crime-vigilant cities

  28. Criminal industry

  29. Criminal’s addressable market

  30. Cryptocurrency

  31. Cryptography

  32. CryptoLocker ransomware program

  33. CryptoWall

  34. Cybercrime

  35. Cybercriminals

  36. Cyber defense-in-depth approach

  37. Cyber laws

  38. Cyber Pearl Harbor

  39. Cyberphysical

  40. Cybersecurity

  41. Cybersecurity defense landscape

  42. Cybersecurity defense mechanism

  43. Cybersecurity professionals

  44. Cybersecurity software vendors

  45. Cybersecurity vendor

  46. Cyber Threat Alliance (CTA)

  47. Cyberwarfare

  48. Cypherpunks

D

  1. DDoS attacks

  2. DDoS campaign

  3. Defense-in-depth approach

  4. Defense life cycle

  5. Democratic approach

  6. Department of Commerce’s Computer Incident Response Team (DOC CIRT)

  7. Department of Homeland Security (DHS)

  8. Deputy fire safety director

  9. Distributed denial of service (DDoS) attack

  10. Dynamic link library (DLL)

E

  1. Economic Development Administration (EDA)

  2. Electronic control units (ECUs)

  3. EMV

  4. Encryption

  5. Equilibrium efficacy value

  6. Exacerbated rebellion

F

  1. FBI documents

  2. Federal Aviation Administration

  3. File-sharing networks

  4. Financially motivated criminals

  5. Financial Services Information Sharing and Analysis Center (FS-ISAC)

  6. Free-riding problem

G

  1. Garden-variety computer conference

  2. Garden-variety viruses and worms

  3. Government-induced programs

  4. Grobman’s Curve

  5. The Guardian

  6. “Guardians of Peace” (GOP)

  7. Gun debate

H

  1. Harvard Business Review article

  2. Herbert C. Hoover Building (HCHB) network

  3. Hollywood Presbyterian Medical Center (HPMC)

  4. Human immunodeficiency virus

I, J

  1. ICM value

  2. Incentive

  3. Information technology (IT)

  4. Inland Regional Center

  5. Insurance model

  6. Intelligence sharing

  7. Internet and social media

  8. Internet Relay Channel (IRC)

  9. Internet traffic analysis

  10. The Interview

  11. iPhone

  12. Iraq War

  13. Islamic State of Iraq and al-Shams (ISIS)

  14. Israel Defense Forces

  15. IT profession

K

  1. Kidnapping

  2. Kippur War

L

  1. Licensing fee

  2. Low Orbit Ion Cannon

M

  1. Macroeconomic conditions

  2. “Make Information Services Pay Its Way”

  3. Manhattan Project

  4. Manning

  5. McAfee Labs

  6. McAfee research study

  7. Mexican kidnapping cases

  8. Mexico City

  9. Military technique

  10. Misguided incentive structure

  11. Misinterpret risk

  12. Money Laundering Control Act

  13. Moody v. State

  14. Motivation

N

  1. Natanz plant

  2. National Oceanic and Atmospheric Administration (NOAA)

  3. National Security Agency (NSA)

  4. Nation’s domestic intelligence

  5. Net Promoter Scores

  6. Network design

  7. The New York Times

  8. The Nightmare before Christmas

  9. Nuclear fission

O

  1. Oakland Athletics

  2. Offensive countermeasure innovation

  3. Office of Personnel Management (OPM)

  4. Olympic Games

  5. Online criminals

  6. Operational management costs

  7. Operation Payback

P

  1. Pareto Principle

  2. Peer-to-peer network configuration

  3. PIN debit networks

  4. Plasmids

  5. Point-of-sale (POS)

  6. Polymorphic varieties

  7. Polymorphic viruses

  8. Postmortem analysis

  9. Post-World War II

  10. Power law

  11. Productivity trumps security

Q

  1. Qaddafi’s test pile

R

  1. R&D advancements

  2. Ransomware

  3. Red Queen advantage

  4. Red Queen Race

  5. Red-teaming

  6. Return on investment (ROI)

  7. Riskier ventures

S

  1. The Second Economy

  2. Security environments

  3. Security information and event management (SIEM)

  4. Security software vendors

  5. Skipjack

  6. Sobell’s confession

  7. Social engineering techniques

  8. “Softsword”

  9. Software security vendors

  10. Soviet Union’s Communist movement

  11. State-of-the-art microchip

  12. Statistical analysis

  13. Sub-Saharan Africa

  14. Superbad

T

  1. Through the Looking-Glass and What Alice Found There (novel)

  2. TIME Magazine

  3. Time-sharing systems

  4. Tit-for-tat approach

  5. TJX

  6. Transmission Control Protocol/Internet Protocol

  7. Troublemaking employees

U, V

  1. US Computer Emergency Response Team (US-CERT)

  2. US Government

W, X

  1. The Washington Post

  2. Wilcox v. State

  3. Wireless security

  4. Witness testimony

  5. World Health Organization’s (WHO)

  6. World Trade Center (WTC)

Y

  1. Yom Kippur War

Z

  1. Zero-day vulnerabilities
