Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
Attackers and defenders act with intent. This, in turn, means that they are not well characterized by models of a random nature. In the quest for better models, we are forced to find ways of weighting our decisions, but if we choose the wrong weights, we may tip the scales against ourselves. Indeed, the weightings we choose can be used against us if the opponent can exploit them.
This is the strategic view of conflict as a game, and the subject of this month's article. The basic challenge for the strategist is deciding how to make better decisions than the opponent. Since both sides may apply strategic analysis, the physical elements of conflict become almost like pawns in a strategic battle between attacker and defender. Of course these pawns are not as predictable as those in a game of chess, but the master strategist is expected to take that into account.
From a purely practical standpoint, in information protection, we apply various methods of risk management. Even when we don't use a formalism, we make decisions in our head about what to do and what not to do. The result is risk management without rigor. Most of the formalisms applied to risk management in information protection today take the probabilistic approach as an analytical basis and follow it up with some management decision process that, in the end, comes down to an informal decision that suits enough of the parties to the process to make it politically and financially palatable.
These management decisions are the core of the real process of risk management, and can be considered the weak point in that they are the place where the 'scientific' approach fails utterly in most organizations today. If you can get 'into the heads' of the people who make these decisions, your insight will lead you to success against them.
Strategic analysis is about understanding these high-level decisions at a more analytical level. It doesn't remove the human from the process, and it certainly doesn't mean that the decisions are any less driven by political and financial palatability. It does mean that, when a high-level choice is to be made, some insight into its implications can be gained.
In order to get at strategic analysis, we must begin by enumerating strategies. I have picked a scheme of viewing the attack and defense strategies based on my own experience, and I will try to explain how I came to pick it along the way, but in the end, my scheme is only as good as my assumptions and experience. Yours may be better suited to you.
Attackers can select from many techniques for their attacks, so the natural question for the attacker who wishes to be highly successful is: 'Which attack should I choose and when?' This selection method is what we call a strategy. Here are some of the attacker strategies we see:
Speed: Some attackers use only the fastest attacks available. This gives them the advantage that they can win before the defender can detect or react to their presence.
Stealth: Some attackers choose to conceal themselves to avoid detection.
Overwhelming force: Some attackers try to generate enough force - typically in the form of physical assault or sheer volume of resources - to overwhelm the defender.
Indirection (a.k.a. reflexive control): Some attackers use deceptive techniques to cause the defender to spend resources on the wrong defenses or to cause the defender to act in ways that provide openings to attack.
Random: Some attackers just try whatever they happen to come across as an idea on any given day.
Least Resistance: Some attackers try to do the things they think are least likely to be defended against and which are easiest for them to do.
Easiest to find: Some attackers just get software from the Internet and try it against many systems.
While there are certainly other strategies, these will serve the purpose of our discussion. When looking at these strategies in detail, analysis involves understanding the techniques the attackers are likely to use, the way they might react to things they encounter during the process of attack, and the likelihood that they are able to succeed against particular defenses in particular amounts of time.
Defenders also have many defensive techniques to choose from and select different strategies based on their perceived needs and the way their organizations work. Defenders tend to use mixes of defensive techniques in a protection process. As such, the strategies really consist of mixes of different process elements in different amounts. This is essentially a resource allocation issue selected from among the following elements:
Dissuasion: Many defenders try to convince possible attackers to go elsewhere.
Deception: Many defenders create fictions intended to prevent attackers from attacking or to cause them to attack elements of less value.
Prevention: Defenders often choose to build defenses intended to keep attackers from succeeding in their attempted activities.
Detection and Reaction: With the belief that no prevention can be perfect, detection and reaction are commonly used as a part of the mix.
Repair: After detection, or when there is a belief that vulnerabilities exist, repair is often undertaken to mitigate risk.
Exploitation: In some cases, it is determined that an attacker can be exploited in some way to the advantage of the defender. If the defender is so inclined, this strategy may be undertaken.
Capture and Punishment: In many cases, defenders try to capture and prosecute attackers in order to recoup losses and dissuade others from attacking.
Cover Up: It is often considered desirable to cover up an attack so that nobody else knows about it.
Constant Change: Some people take the strategy of changing the way they operate at a pace that is so fast that long-term attacks are destined to failure because the nature of the systems under attack has changed by the time a long-term attack can succeed.
There are many more defensive strategies that may be taken, but these should offer a reasonable set to consider in our analysis, and they represent many of the partial strategies taken by companies today. Full defender strategies typically consist of a combination of these techniques under different circumstances and with different balances of investment.
In analyzing strategies, we typically try to create a strategic matrix that shows the value to attacker and defender for taking each combination of attack and defense strategies. The sample matrix below shows how this might look for the strategies outlined above.
| Attack \ Defense | Dissuasion | Deception | Prevention | Detection | Repair | Exploit | Capture | Cover Up | Change |
|---|---|---|---|---|---|---|---|---|---|
| Speed | 10 / -10 | -5 / 5 | -1 / 5 | 5 / -3 | 5 / -6 | -1 / 1 | -8 / 2 | 8 / 1 | 5 / -6 |
| Stealth | 5 / -5 | 3 / -3 | 3 / -3 | 3 / 2 | 1 / 0 | -4 / 5 | -3 / 5 | 7 / -2 | 3 / 2 |
| Force | 3 / 2 | 2 / 4 | 1 / 5 | 2 / 3 | 2 / 5 | -2 / 3 | -8 / 5 | 8 / -5 | 4 / 0 |
| Indirect | 2 / 3 | 1 / 3 | 3 / -2 | 5 / -5 | 5 / -5 | 1 / -1 | 2 / -2 | 8 / 2 | 3 / 2 |
| Random | 1 / -1 | -3 / 2 | 1 / -1 | -3 / 3 | 0 / -1 | -4 / -2 | -2 / -1 | 1 / 2 | 1 / -3 |
| Least | -2 / 2 | -4 / 3 | 2 / -2 | 1 / -1 | 2 / -2 | -2 / 1 | -3 / 2 | 3 / 2 | 3 / -1 |
| Easiest | -3 / 3 | -3 / 3 | 1 / -2 | 1 / 1 | 1 / 1 | -2 / -3 | -2 / -2 | 3 / 2 | 3 / -1 |
In this matrix, the first number in each cell represents the payoff to the attacker and the second number the payoff to the defender if the attacker and defender choose that strategic pair. In this analysis, there are a few important things to recognize.
First and foremost, this analysis applies only to a specific circumstance. The payoffs might be different for each organizational circumstance and must be analyzed to get these numbers.
The second thing to notice is that this is not a fixed-sum matrix. The total payoff to attacker and defender is not the same in all cases, and in some cases both participants may benefit from particular strategic combinations. For example, a cover-up may benefit both the attacker and the defender if the cost of the loss is less than the cost of the negative publicity associated with public disclosure.
The third thing to notice is that no strategy is always best for either the attacker or the defender. This means that no matter what strategy one party selects, there is a strategy for the other party that would make the first party's decision seem poor.
Another thing to notice is that this attack and defense process happens again and again. If there is learning involved on each side, then a static strategy by either party can eventually lead to losses all of the time when the other party adapts.
Finally, you should have noticed by now that I didn't explain how I got these numbers. I made them up in this case. Even though these numbers reflect some notions about what is right in some particular case, doing the actual analysis requires a rather lengthy analysis that I am not going to bore you with here.
There is a large body of analysis underlying this formulation of the strategic decision process, and that body of analysis is called game theory.
In game theory, we use a matrix such as this one to analyze optimal strategies under different assumptions. In the parlance of game theory, this is a multi-player repeating non-zero-sum game with imperfect information. That is, (1) the game is played by multiple players, (2) it is played repeatedly by attackers and defenders who can learn from their experience, (3) one player's win is not necessarily the other player's loss, and (4) each player may gain some information from experience, but they do not always gain perfect information about what the other player might have done.
In the particular matrix shown above, more information can be gleaned by examination. For example, there is no case in which an attacker is better served by the Easiest strategy than by the Indirect strategy, so Indirect is always at least as good a choice for the attacker; the same holds for Random and Least Resistance, neither of which ever beats Indirect against any defense. Similarly, Deception is always a better defensive strategy than Dissuasion in this example, because there is no attack against which Dissuasion does better than Deception. These are specific cases of a phenomenon called dominance.
In strategic analysis, a dominant strategy always does at least as well as the strategies it dominates, so regardless of the actions of the other player, the dominant strategy can be used to at least as good an advantage as the dominated one, and the dominated strategies can be dropped from the analysis. Here is the matrix that results from removing Dissuasion, Random, Least Resistance and Easiest:
| Attack \ Defense | Deception | Prevention | Detection | Repair | Exploit | Capture | Cover Up | Change |
|---|---|---|---|---|---|---|---|---|
| Speed | -5 / 5 | -1 / 5 | 5 / -3 | 5 / -6 | -1 / 1 | -8 / 2 | 8 / 1 | 5 / -6 |
| Stealth | 3 / -3 | 3 / -3 | 3 / 2 | 1 / 0 | -4 / 5 | -3 / 5 | 7 / -2 | 3 / 2 |
| Force | 2 / 4 | 1 / 5 | 2 / 3 | 2 / 5 | -2 / 3 | -8 / 5 | 8 / -5 | 4 / 0 |
| Indirect | 1 / 3 | 3 / -2 | 5 / -5 | 5 / -5 | 1 / -1 | 2 / -2 | 8 / 2 | 3 / 2 |
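The dominance check above is mechanical enough to automate. The following Python is added here as an example; it is not code from the original article. It encodes the full sample matrix from the page and runs iterated elimination of weakly dominated strategies for both players. Capped at one round it reproduces exactly the reduced table above (Dissuasion, Random, Least Resistance and Easiest go). Left to run until nothing changes, it goes further: once the three dominated attacks are gone, Exploit dominates Detection and Capture dominates Repair on the remaining rows, leaving a 4 x 6 game. The function names and the `max_rounds` parameter are the example's own.

```python
"""Iterated elimination of weakly dominated strategies in a bimatrix game.

Added example (not code from the article). The numbers are the article's
sample payoff matrix; each cell is (attacker payoff, defender payoff).
"""
from typing import Dict, List, Tuple

Cell = Tuple[int, int]

ATTACKS = ["Speed", "Stealth", "Force", "Indirect", "Random", "Least", "Easiest"]
DEFENSES = ["Dissuasion", "Deception", "Prevention", "Detection", "Repair",
            "Exploit", "Capture", "Cover Up", "Change"]

# Rows follow ATTACKS, columns follow DEFENSES.
PAYOFFS: List[List[Cell]] = [
    [(10, -10), (-5, 5), (-1, 5), (5, -3), (5, -6), (-1, 1), (-8, 2), (8, 1), (5, -6)],
    [(5, -5), (3, -3), (3, -3), (3, 2), (1, 0), (-4, 5), (-3, 5), (7, -2), (3, 2)],
    [(3, 2), (2, 4), (1, 5), (2, 3), (2, 5), (-2, 3), (-8, 5), (8, -5), (4, 0)],
    [(2, 3), (1, 3), (3, -2), (5, -5), (5, -5), (1, -1), (2, -2), (8, 2), (3, 2)],
    [(1, -1), (-3, 2), (1, -1), (-3, 3), (0, -1), (-4, -2), (-2, -1), (1, 2), (1, -3)],
    [(-2, 2), (-4, 3), (2, -2), (1, -1), (2, -2), (-2, 1), (-3, 2), (3, 2), (3, -1)],
    [(-3, 3), (-3, 3), (1, -2), (1, 1), (1, 1), (-2, -3), (-2, -2), (3, 2), (3, -1)],
]


def weakly_dominates(a: List[int], b: List[int]) -> bool:
    """a does at least as well as b against every opponent move, strictly better in one."""
    return all(x >= y for x, y in zip(a, b)) and any(x > y for x, y in zip(a, b))


def dominated(vectors: Dict[str, List[int]]) -> Dict[str, str]:
    """Map each weakly dominated strategy to the first strategy that dominates it.

    `vectors` maps a strategy name to its own payoffs against every surviving
    opponent strategy, listed in the same order for every entry.
    """
    out: Dict[str, str] = {}
    for name, vec in vectors.items():
        for other, ovec in vectors.items():
            if other != name and weakly_dominates(ovec, vec):
                out[name] = other
                break
    return out


def eliminate_dominated(payoffs, attacks, defenses, max_rounds=None):
    """Iterated elimination of weakly dominated strategies for both players.

    Each round checks both sides against the strategies that survived the
    previous round and removes everything dominated at once. One round gives
    the single-pass reduction; further rounds shrink the game again when a
    removal on one side exposes dominance on the other. (With weak dominance
    the final result can depend on the order of elimination.)
    Returns (surviving attacks, surviving defenses, log of removals).
    """
    rows = list(range(len(attacks)))
    cols = list(range(len(defenses)))
    log: List[Tuple[int, str, str, str]] = []  # (round, side, removed, dominated by)
    rnd = 0
    while max_rounds is None or rnd < max_rounds:
        rnd += 1
        att = {attacks[r]: [payoffs[r][c][0] for c in cols] for r in rows}
        dfn = {defenses[c]: [payoffs[r][c][1] for r in rows] for c in cols}
        dead_rows, dead_cols = dominated(att), dominated(dfn)
        if not dead_rows and not dead_cols:
            break
        log += [(rnd, "attacker", n, by) for n, by in dead_rows.items()]
        log += [(rnd, "defender", n, by) for n, by in dead_cols.items()]
        rows = [r for r in rows if attacks[r] not in dead_rows]
        cols = [c for c in cols if defenses[c] not in dead_cols]
    return [attacks[r] for r in rows], [defenses[c] for c in cols], log


def submatrix(payoffs, attacks, defenses, keep_a, keep_d):
    """Restrict the payoff matrix to the named attacker rows and defender columns."""
    return [[payoffs[attacks.index(a)][defenses.index(d)] for d in keep_d] for a in keep_a]


if __name__ == "__main__":
    # One round reproduces the article's reduced table; no cap goes further.
    for cap in (1, None):
        a, d, log = eliminate_dominated(PAYOFFS, ATTACKS, DEFENSES, max_rounds=cap)
        print(f"rounds={cap}: {len(a)} attacks x {len(d)} defenses survive")
        for rnd, side, gone, by in log:
            print(f"  round {rnd}: {side} {gone} is dominated by {by}")
```

The round cap matters because weak dominance is order-sensitive: removing a row can create or destroy dominance among columns, which is exactly why the second round finds eliminations the first does not. Keep the removal log, not just the final matrix, so the reasoning behind every dropped option stays visible to the people who have to approve the budget.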
To see how this works:
We will assume that on a particular move the attacker has chosen Speed and the defender has chosen Detection. The result of this pairing is that the attacker wins 5 points and the defender loses 3 points. You can translate points into dollars with some scaling factor to get gains and losses in financial terms.
Now, suppose that the defender, having noticed that speed was used in the last attack, switches to the Prevention strategy, while the attacker, who was not stopped by the detection and had no information about what the defender did, decides to try the same strategy again. In this move, the attacker loses 1 point and the defender gains 5. The total score of the game is now attacker 4 and defender 2.
The attacker might now notice that the defender used Prevention and decide to go with a Stealth approach. Meanwhile the defender, pleased with the results of Prevention, decides to remain with that defense. The net effect is that the defender loses 3 points and the attacker gains 3, putting the attacker ahead 7 to -1.
In the fourth move, the defenders may decide that this attacker is getting on their nerves and move toward a strategy of Exploit, while the attacker decides to stay with Stealth under the false belief that nothing has been noticed. Now the defender gains 5 points while the attacker loses 4, and the score stands at 4 to 3 with the defender ahead, but both sides overall winners for now.
Now in this example play of the strategic game, each player made reasonable moves each time. In the second move, the defender made one of the best choices given their knowledge at the time, as did the attacker. The same happened on the third and fourth move. One of the effects of this 'rationality' is that players avoided 'big' mistakes, but at the same time, the moves of each player were somewhat predictable. For example:
Suppose that the attacker assumed that the defender would have detected the first move and selected one of the best responses to it (Prevention or Deception). A rational second move would then be Indirect, because whether the defender stayed with Detection or switched to Prevention or Deception, Indirect yields a positive return (5, 3 and 1 points respectively). Of course, the defender, thinking still further ahead, might have chosen Exploit, which in this matrix never costs the defender more than one point against any of the remaining attacks and holds an Indirect attacker to a gain of one.
There is seemingly no end to this strategic analysis, and the further we look ahead, the more we may get confused about the possible futures. The limits on information flowing back and forth are also of concern, because they limit each player's ability to predict the other's moves. Indeed, the attacker might simply choose a strategy not listed here, such as 'use Speed until you gain 5 points or get a negative score on one move, then quit.' In this case, the same series of moves would have ended after the first move with a quick win of 5 points for the attacker and a -3 point score for the defender. Against this strategy, any defense that hands the attacker a negative first move ends the game at once: Deception (-5 / 5), Prevention (-1 / 5) and Capture (-8 / 2) all do so, but with no information ahead of time, the defender would seem foolish to pick a defense on that basis.
A more realistic assessment of the way network protection is implemented is as a mix of strategies that coexist with different resources over time. For example, we might have a total budget that can be allocated among the different elements of strategy. In this case, we can look at the analysis in terms of combining the effectiveness of the different approaches to different degrees. For example, we might choose to spread the defense evenly across the 8 different strategies, so that we invest 1/8 of the total budget to each. In this case, when the attacker chose the Speed strategy, the payoffs would be 1 for the attacker (the sum of the attacker payoffs divided by 8) and -1/8 for the defender (the sum of the payoffs for defenses divided by 8). A different mix, for example one that simply ignores Change as an option, would yield 3/7 to the attacker and 5/7 for the defender.
We can try these mixes against different attacker strategies and strategy mixes under different information assumptions and get a wide range of results. One thing we can be certain of, at least in the real world, is that no static attack or defense strategy can hold up against adaptation by the opponent. Whatever the mix, an opponent who learns it can pick the best response to it, and in a matrix like this one that response leaves the static player worse off than the mix promised.
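The budget-split arithmetic and the point about learning over time can be made concrete. The following Python is added here as an example and is not the article's own code. It takes the reduced 4 x 8 matrix from above, computes the expected payoff of a defensive budget split against any attack (reproducing the 1 and -1/8 figures for the even split, and 3/7 and 5/7 with Change left out), finds each side's best pure response to the other's mix, and then plays the game forward with both sides adapting to the other's last move. The helper names and the best-response learning rule are the example's own assumptions; the article does not specify how its players learn.

```python
"""Mixed defensive strategies and adaptive play on the reduced matrix.

Added example (not code from the article). The 4 x 8 matrix is the article's
reduced table; each cell is (attacker payoff, defender payoff). Fractions keep
the budget-split arithmetic exact.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

Mix = Dict[str, Fraction]  # strategy name -> share of the budget, summing to 1

ATTACKS = ["Speed", "Stealth", "Force", "Indirect"]
DEFENSES = ["Deception", "Prevention", "Detection", "Repair",
            "Exploit", "Capture", "Cover Up", "Change"]
PAYOFFS = [
    [(-5, 5), (-1, 5), (5, -3), (5, -6), (-1, 1), (-8, 2), (8, 1), (5, -6)],
    [(3, -3), (3, -3), (3, 2), (1, 0), (-4, 5), (-3, 5), (7, -2), (3, 2)],
    [(2, 4), (1, 5), (2, 3), (2, 5), (-2, 3), (-8, 5), (8, -5), (4, 0)],
    [(1, 3), (3, -2), (5, -5), (5, -5), (1, -1), (2, -2), (8, 2), (3, 2)],
]


def cell(attack: str, defense: str) -> Tuple[int, int]:
    """Look up the (attacker, defender) payoff for one pure strategy pair."""
    return PAYOFFS[ATTACKS.index(attack)][DEFENSES.index(defense)]


def pure(name: str) -> Mix:
    """A mix that puts the whole budget on one strategy."""
    return {name: Fraction(1)}


def uniform_mix(names: List[str], exclude: Tuple[str, ...] = ()) -> Mix:
    """Spread the budget evenly over every strategy not excluded."""
    keep = [n for n in names if n not in exclude]
    return {n: Fraction(1, len(keep)) for n in keep}


def expected_payoff(attack_mix: Mix, defense_mix: Mix) -> Tuple[Fraction, Fraction]:
    """Expected (attacker, defender) payoff when both sides play a mix.

    This is the article's reading of a split budget: a 1/8 share on each
    defense contributes 1/8 of that defense's payoff against the attack used.
    """
    ea = ed = Fraction(0)
    for a, pa in attack_mix.items():
        for d, pd in defense_mix.items():
            x, y = cell(a, d)
            ea += pa * pd * x
            ed += pa * pd * y
    return ea, ed


def best_attack(defense_mix: Mix) -> str:
    """Pure attack with the highest expected attacker payoff against a defensive mix."""
    return max(ATTACKS, key=lambda a: expected_payoff(pure(a), defense_mix)[0])


def best_defense(attack_mix: Mix) -> str:
    """Pure defense with the highest expected defender payoff against an attack mix."""
    return max(DEFENSES, key=lambda d: expected_payoff(attack_mix, pure(d))[1])


def adaptive_play(attack: str, defense: str, rounds: int) -> List[Tuple[str, str, int, int]]:
    """Both sides learn: each round, each player answers the opponent's previous
    move with its best pure response. Returns (attack, defense, attacker running
    score, defender running score) for every round played."""
    history, sa, sd = [], 0, 0
    for _ in range(rounds):
        x, y = cell(attack, defense)
        sa, sd = sa + x, sd + y
        history.append((attack, defense, sa, sd))
        # Right-hand side is evaluated before assignment, so both react to the old moves.
        attack, defense = best_attack(pure(defense)), best_defense(pure(attack))
    return history


if __name__ == "__main__":
    even = uniform_mix(DEFENSES)
    print("Speed vs even 1/8 split:", expected_payoff(pure("Speed"), even))
    print("Speed vs split without Change:",
          expected_payoff(pure("Speed"), uniform_mix(DEFENSES, exclude=("Change",))))
    # A static mix invites a best response: the attacker settles on one row.
    reply = best_attack(even)
    print("Best attack against the even split:", reply, expected_payoff(pure(reply), even))
    for step in adaptive_play("Speed", "Detection", 10):
        print("  %-8s vs %-10s  attacker %3d  defender %3d" % step)
```

Against the even 1/8 split the attacker's best response is Indirect, which earns 7/2 per move in expectation and costs the defender a full point, far worse than the -1/8 the even split promised against Speed. The adaptive play starting from Speed versus Detection follows the article's narrative for the first moves and then settles into a four-move cycle (Stealth or Indirect against Deception or Exploit) in which the defender nets 4 points per cycle and the attacker 1; neither side can stop adapting without being punished for it.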
A strategic analysis of network protection provides another tool in the risk manager's quiver. It allows the roll-up results of other risk management activities to be used in a meaningful way to make decisions about budget allocation and it provides an ability to continue to adapt your approach over time.
The application of game theory to risk management seems like a natural consequence of taking a strategic approach. It provides an effective way to apply mathematical rigor and optimization techniques while still retaining the elements of judgment that are key to the risk manager's success.
While our coverage of the extensive field of game theory in this paper is extremely light and simplistic, there is a great body of knowledge upon which the interested reader can rely in order to use the notions discussed here to their advantage.
But all of this comes with a down side - and a warning. The attackers know about game theory and strategic analysis too - and as more sophisticated attackers become more and more common, you can expect that they will game your defenses just as we have been gaming their attacks.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net or visiting /