Cybersecurity : The Winner’s Game and The Loser’s Game
There is a seminal paper in finance by Charles Ellis called the The Loser’s Game which, in simple terms, foretells the move from active to passive investing and the reasons for it. My favorite bit of the paper is the reference to studies in sports and other fields that describe similar themes. Particularly interesting is the tennis example and the observation that tennis is actually two sports. One for professionals where the game is dictated by the ability to win points. The other, for amateurs, where the game is dictated by simply not making errors and thus winning when your opponent inevitably makes their error. In other words, professional tennis is a winner’s game and amateur tennis is a loser’s game.
This is similar to cybersecurity in many respects. This distinction cleanly works between professionals (people who do this for a living) and amateurs (home users) as people who need to actively win and those who simply need to do the basics consistently and hope that professional attackers don’t uniquely and exhaustively target them.
You can also carve up the professional’s game in cyber. I won’t use the terms professionals vs. amateurs and winners vs. losers even though that would make the opening analogy flow better. Rather, it is more correct, and not just to avoid emotional triggers, to distinguish between the two major types of organizations as follows:
Advanced and Persistently Targeted
The Advanced and Persistently Targeted are, of course, targeted by the other APTs (Advanced Persistent Threats). There could be a third type of organization, that is the non-advanced and persistently targeted, but they mostly tend not to be around for that long in that form.
The Advanced and Persistently Targeted organizations have critical assets of interest, operate services that are potential vectors to other targets or whose compromise can achieve some wider adversarial goal (disrupt, degrade, destroy, etc). The Advanced and Persistently Targeted organization is playing a winner’s game against Advanced Persistent Threats. It is not enough for that organization to simply not make mistakes in the face of the adversary since that adversary will be willing to expend significant resources over time to defeat a commodity set of baseline defenses.
The Advanced and Persistently Targeted organization will need to have more advanced controls, more advanced detective and response capabilities and be capable of thwarting the adversary dynamically. They also have to make adversaries expend unusual resources to make inroads through multiple layers of their organization’s defensive depth. The organization is capable of manipulating the adversary’s economics - attackers have bosses and budgets too. But, remember, that advanced attackers don’t immediately try to use advanced attacks (economics again) - if they can use cheap attacks successfully, they will.
The other type, the Ambiently Targeted organization, is just that: an organization that may never be uniquely, exhaustively or persistently targeted but can be compromised in commoditized mass exploitation using automated tooling operated by adversaries. They’re not specifically targeted but rather are “collected” as a compromised organization. Then, that point of entry can be used directly or sold to be used later for monetization through data theft, fraud, ransomware or other exploitation. They may even have value as an attack path for the APT on APT action described before.
The goal of the Ambiently Targeted organization is to not get swept up in mass or easy compromises by making sure the basics are done well, for example: perimeter controls, patching, solid least exposure configuration, least privilege, some internal segmentation of critical services, strong two-factor authentication for external access, in other words the CIS Critical Controls. Yes, I said basic, and I think in 2021 these are basic. If you do these you will not likely be compromised as an ambient target. However, I didn’t say easy. Even the most sophisticated organizations, especially those with IT systems built over decades can struggle to implement these without a massive transformation commitment. In the end, the Ambiently Targeted organization needs to do the basics and not make a mistake.
Now, many of you will be thinking carefully about this and will have spotted the flaw. All this was true, at least in my view, for the past decade or so. But, it is now breaking down.
It is breaking down in the sense that the Ambiently Targeted will increasingly need do more than the basics to avoid incidents. The reason for this comes down to economics. Specifically, criminal groups and some nation states, are driven by maximizing risk-adjusted returns on their attacks. They perform like rational economic actors and seek to automate and make their compromise-to-exploit-to-monetize cycle ever more efficient. This means that they have a greater scope to use exploits in the window between patch availability and patch application across the majority of the target population (or more generally: vulnerability to awareness to vulnerability mitigation). They have industrial scale tools and processes to land compromise points for later exploitation.
Even the economics of using zero days will likely keep changing. For example, an attacker may have an expensive zero day that they previously would have reserved for a specific target or small number of targets. But, if they can move so quickly to use it such that they can land a large number of active or latent compromises in the window between zero day discovery and remediation they may still get way more value than the cost of burning that zero day. Attacker automation and ever faster attacker supply-chain capabilities (their supply chains / markets) bring more targets into play with more advanced attacks. Perhaps this is another APT, this time: Advanced Pervasive Threats.
So, more organizations will have to move to play the winner’s game. But, many organizations don’t have the resources (people, budget, services, capabilities) to play that game. The only way to play this game is to apply the same brutal economic lessons that attackers are learning and that is to raise the baseline of control by reducing the unit cost of control. In other words, constantly get more security value out of the same resources, or more precisely, to grow security budget sub-linearly to overall business/IT asset growth. You’re then in a race to make sure your unit economics are out pacing attacker unit economics. The winner’s game and the loser’s game is all converging to be a racing game on an economic playing field.
Raising the baseline by reducing the unit cost of control is about process changes, IT modernization, security by design, security by default, and continuous controls assurance. It is also about the hard choices of moving from excessive heterogeneity to minimal heterogeneity while not creating the concentration risk of homogeneity. It also means shifting your threat intelligence game from micro to macro and working to make organization and IT architecture choices that thwart whole classes of attacker TTPs (tactics, techniques and procedures). For most organizations this means tapping into service providers (especially cloud providers) that can provide an innate economy of scale.
While a big part of any racing game is about reliability and not making mistakes, it is more broadly about speed, in this case:
Speed of moving to a modernized IT architecture where security, resilience, compliance and privacy controls are pre-integrated.
Speed of consuming and applying updates to take advantage of new or enhanced controls. Every security feature your service providers give you (and they will constantly) is there because of a threat projection, a control unit economics break-through, an incident or close-call somewhere or because another sophisticated customer made a well-reasoned ask for it. For many organizations simply putting yourself in a position where you are a boat on a rising tide of controls is a great place to be.
Speed of equipping employees and customers with improved capabilities.
Speed of eliminating stagnant systems and wrapping remaining legacy environments in modern controls.
Speed of the OODA loop for threat, risk, control, and security event detection and response - remediating root cause of root causes.
Bottom line: In cyber what was a winner’s game and a loser’s game is now becoming a racing game. Getting the speed advantage is critical and most organizations can’t do that alone.