Cyber Advisors, Security Services Providers Can Use Zero-Sum Game Theory Framework to Benefit Clients

Scott Fogarty
Author: Scott Fogarty, CEO of Ridgeback Network Defense Inc.
Published: November 3, 2023

Are there any especially useful constructs that cybersecurity advisors and security services providers can draw on to hash out choices with their concerned (and probably resource-constrained) clients without diving into jargon-laden minutiae? I have always relied upon the lessons available in zero-sum game theory, originally proposed by John Nash in his 1951 thesis, “Non-Cooperative Games.” (Non-cooperative is a pretty mild description of the types of conflict that can be usefully assessed using the zero-sum framework!)

The basics of zero-sum game theory are straightforward: my opponent’s gain comes at my expense, and vice versa. In this two-player game, both players optimize their own position, but, importantly, each plays taking into account the expected response of the other. According to Nash, equilibrium is achieved when neither player can improve their position in the game by adjusting their strategy.

What an attacker acquires by compromising my network is to their benefit, coming at my expense. Because there is rarely a cost to the attacker when they undertake their criminal behavior, there’s an asymmetry in the relationship between attackers and defenders that starkly favors attackers. They rarely have any cost imposed on them. So, lesson number one from zero-sum game theory is that, as long as they pay no price, they will happily keep going. There is no equilibrium as proposed by Professor Nash. Any step you can take to burden the attacker is a step in the right direction.
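The cost asymmetry described above can be made concrete with a small attacker/defender game. The following is an added example, not code from the original post or from Ridgeback; the strategy names, payoff values and the "hostile environment" modelling are constructed assumptions. The attacker's gain from an unopposed compromise is the defender's loss (the zero-sum part); a real-time countermeasure may also impose a separate cost on the attacker, which makes the game general-sum once that cost is non-zero. The code checks two things the paragraph argues: whether attacking is never worse than abstaining whatever the defender does (a weakly dominant strategy), and which pure-strategy outcomes are Nash equilibria (no player can improve by unilaterally switching).

```python
"""Attacker/defender payoff game: effect of imposing a cost on the attacker.

Constructed example; strategy names and numbers are assumptions for illustration.
"""
from itertools import product

# Pure strategies for each player (assumed labels).
ATTACKER = ("attack", "abstain")
DEFENDER = ("passive", "hostile")   # hostile = real-time countermeasures that burden the intruder


def build_payoffs(gain, loss, attack_cost, defense_cost):
    """Return {(attacker_move, defender_move): (attacker_payoff, defender_payoff)}.

    gain:         what the attacker extracts from an unopposed compromise
    loss:         the defender's damage from that same compromise (gain comes at the defender's expense)
    attack_cost:  what the attacker pays when met by a hostile environment (0 = no burden at all)
    defense_cost: what the defender pays to run the countermeasures
    """
    payoffs = {}
    for a, d in product(ATTACKER, DEFENDER):
        att, dfn = 0.0, 0.0
        if d == "hostile":
            dfn -= defense_cost                # defender always pays to stay hostile
        if a == "attack":
            if d == "passive":
                att += gain                    # unopposed: attacker gains, defender loses
                dfn -= loss
            else:
                att -= attack_cost             # countermeasures cut the intrusion short; attacker pays, gains nothing
        payoffs[(a, d)] = (att, dfn)
    return payoffs


def attack_weakly_dominates(payoffs):
    """True if 'attack' is never worse than 'abstain' for every defender choice."""
    return all(payoffs[("attack", d)][0] >= payoffs[("abstain", d)][0] for d in DEFENDER)


def pure_nash_equilibria(payoffs):
    """Set of (attacker_move, defender_move) pairs where no unilateral switch strictly improves a player."""
    equilibria = set()
    for a, d in product(ATTACKER, DEFENDER):
        att, dfn = payoffs[(a, d)]
        attacker_can_improve = any(payoffs[(a2, d)][0] > att for a2 in ATTACKER if a2 != a)
        defender_can_improve = any(payoffs[(a, d2)][1] > dfn for d2 in DEFENDER if d2 != d)
        if not attacker_can_improve and not defender_can_improve:
            equilibria.add((a, d))
    return equilibria


def compare_attacker_burden(gain=10.0, loss=10.0, defense_cost=2.0):
    """Run the game with no burden on the attacker and then with a burden imposed."""
    free = build_payoffs(gain, loss, attack_cost=0.0, defense_cost=defense_cost)
    burdened = build_payoffs(gain, loss, attack_cost=5.0, defense_cost=defense_cost)
    return {
        "no_cost_attack_dominates": attack_weakly_dominates(free),
        "no_cost_equilibria": pure_nash_equilibria(free),
        "with_cost_attack_dominates": attack_weakly_dominates(burdened),
        "with_cost_equilibria": pure_nash_equilibria(burdened),
    }


if __name__ == "__main__":
    for key, value in compare_attacker_burden().items():
        print(f"{key}: {value}")
```

With no cost imposed, attacking is weakly dominant and the only pure equilibrium has the attacker attacking regardless of what the defender does. Once the hostile environment makes an attack cost something, attacking stops being dominant and no pure-strategy equilibrium remains, because the attacker now has a reason to respond to the defender's posture rather than simply press on.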

In this example, zero-sum isn’t an all-or-nothing proposition. What we lose when we are victims of hackers isn’t usually everything. What we lose certainly carries an economic cost, albeit one too often measured in millions or tens of millions of dollars.

In cybersecurity, however, there is one important way in which zero-sum is, in fact, all-or-nothing. When an attack is under way, the attacker’s goal, once inside the network, is to discover assets and surreptitiously assert control over as many of them as they possibly can. Why? If the enemy can write to any device, they control it, not the defender. The more devices in the environment they control, the harder it is for a defender to wrest back control and expel intruders from every corner they occupy. So, their control over each device in a network is all-or-nothing.

This is one reason the average dwell time of the adversary in systems is about nine months, per IBM Security in their 2023 Cost of a Data Breach Report. Try as they might, after-the-fact analytical tools struggle to deal with most network incursions in a timely enough fashion.

If attacks that unfold in very short timeframes aren’t met with real-time countermeasures, all the defender will end up doing is fighting a rearguard action to reclaim lost territory. Automated, real-time reactions—ideally ones that make the exploit costly for the attacker—are needed. What if the intruder’s malign activities weren’t just the subject of monitoring and analysis, then flagged for incident response? Imagine, instead, that an intruder must confront an environment inherently hostile to them, one in which their exploitation tools and techniques produce wildly unexpected results that signal something is going terribly wrong with the exploit, so that the whole experience, rather than an entertaining puzzle-solving exercise, feels more like dancing in barbed wire.

You might really like seeing how Russell Crowe… I mean John Nash… earned his Nobel by checking out the 2001 Best Picture winner, A Beautiful Mind!

About the author: Scott Fogarty is the CEO of Ridgeback Network Defense Inc. The world is in an endless cyber war. Together with Ridgeback’s founder and inventor, Thomas Phillips, Scott leads the Ridgeback team, building and deploying tools that battle despicable criminals who would rob our families, hijack our hospitals and impose on our economic freedoms. Ridgeback’s approach draws on a range of techniques that automatically engage, disrupt and weaken attackers during the connection. Gartner covered Ridgeback as an Emerging Tech Innovator in June 2023.

Additional Resources