
Cyber-risk analysis, time are keys to infosec, says game theory

Analyzing infosec through the lens of game theory shows that cyber-risk analysis and wasting attacker time may be highly effective cybersecurity strategies.

LAS VEGAS -- Using game theory to describe the opportunities and challenges of cybersecurity may uncover new ways to secure enterprise networks, according to one talk at Black Hat 2017.

Kelly Shortridge, threat analytics product manager for BAE Systems Applied Intelligence, a consulting company based in the U.K., was keen to explain that game theory is a mathematical language, not actually a theory, and that using it to describe cybersecurity shows the keys to security lie in cyber-risk analysis and in figuring out how best to waste an attacker's time.

According to Shortridge, using game theory to describe infosec reveals it to be a game of continuous attack and defense, a non-zero-sum game, incomplete and asymmetric -- meaning opponents don't necessarily know what the other has done or will do next.

With this understanding, Shortridge suggested cyber-risk analysis modeled after SWOT analysis, where an IT team must determine the strengths, weaknesses, opportunities and threats present in the game. Opportunities and threats, in this case, often boil down to strengths that can become weaknesses or weaknesses that can become strengths.

"For yourself, you may think what you have is a strength, but, in reality, it's a weakness; that's a threat. If you think it's a weakness, but it's actually a strength, that's an opportunity, and vice versa for your opponent," Shortridge said.

For example, under this cyber-risk analysis, Shortridge said the major strength an attacker has is having the time to plan and perform an attack; cybersecurity professionals need to turn that strength against attackers. Similarly, while attackers may have better knowledge of vulnerabilities, Shortridge said an IT team's major strength lies in having more intimate knowledge of its own network compared to an attacker, who needs to discover the layout.

Cybersecurity teams should exploit the fact that they understand the local environment better than the attacker and attempt to confuse an attacker, Shortridge said.

Faking out the attackers

One tactic Shortridge suggested was creating fake data or making a system look like a different malware analyst's virtual machine sandbox every time an attacker enters. If an attacker can't figure out what security tools are in use or where the valuable assets are, it wastes their time and makes an attack less worthwhile.

"The goal is to make the attacker uncertain of your defensive environment and profile. So, you really want to mess with their ability to profile where their target is," Shortridge said. "A way to think of it is putting wolf skins on sheep. You want to mix and match what I call hollow-but-sketchy-looking artifacts on normal physical systems, ideally at boot."

Shortridge said an IT team could emulate various executables, dynamic link libraries, folders or media access control addresses to make it appear that certain security products are in use, and can set up a system to change what products are emulated each time, in order to confuse attackers. Or IT pros can use hypervisors and other products to prevent malware from being triggered and force an attacker to investigate -- once again, wasting more of their time. Ultimately, the specifics of defense tactics depend on the results of the cyber-risk analysis.
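The per-boot rotation of hollow artifacts described above can be sketched as follows. This is an added example, not code from the talk or the article; the profile names, file paths and manifest file are constructed placeholders, not artifacts of any real product.

```python
import hashlib
import random
from pathlib import Path

# Constructed placeholder profiles: the paths are illustrative, not a list of
# files that any real security product installs.
PROFILES = {
    "debugger-like": ["tools/dbg-placeholder/debugger.exe",
                      "tools/dbg-placeholder/helper.dll"],
    "sandbox-like": ["analysis-placeholder/agent.exe",
                     "analysis-placeholder/samples/readme.txt"],
    "av-like": ["av-placeholder/scanner.exe",
                "av-placeholder/engine.dll"],
}
MANIFEST = ".decoy-manifest"  # hypothetical file recording what we planted


def pick_profiles(boot_id, count):
    """Derive a repeatable choice of profiles from the boot identifier."""
    seed = int.from_bytes(hashlib.sha256(boot_id.encode()).digest()[:8], "big")
    return sorted(random.Random(seed).sample(sorted(PROFILES), count))


def rotate_decoys(root, boot_id, count=2):
    """Remove last boot's hollow decoys, then plant this boot's selection."""
    root = Path(root)
    manifest = root / MANIFEST
    if manifest.exists():
        for rel in manifest.read_text().splitlines():
            old = root / rel
            # Delete only zero-byte files we recorded ourselves.
            if old.is_file() and old.stat().st_size == 0:
                old.unlink()
    chosen = pick_profiles(boot_id, count)
    planted = []
    for name in chosen:
        for rel in PROFILES[name]:
            decoy = root / rel
            decoy.parent.mkdir(parents=True, exist_ok=True)
            if not decoy.exists():  # never overwrite a real file
                decoy.touch()
                planted.append(rel)
    manifest.write_text("\n".join(planted))
    return chosen, planted
```

Run it from a startup task with a value that changes on every boot as `boot_id`; which artifacts to imitate is a decision for the cyber-risk analysis the talk describes.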

"When malware is looking for these artifacts, it's looking for what's most reliable. So, it also means on the reverse side, if you spoof like you are a debugger, it's a very reliable way of doing it. So, it will constantly be blaring out this loud noise, which is great," Shortridge said. "You can also make it look like you have every sort of antivirus and different antivirus every time.

"Defense is very reactionary, it's very quick, but attackers have time for recon -- they have time to craft something that will actually work," Shortridge added. "What you can do is start to leverage that strength with strategies that lead them down rabbit holes and really waste their time, and leverage the fact that they do have a lot of time and they're willing to spend it."
