
We'll be talking to you today about game theory and how you can use game theory for a defensive strategic advantage. A little bit about me: I just recently completed my bachelor's in computer science; however, I've been studying game theory since about 2016. It started when I started working in a red team environment, and I found that defenders were having a lot of difficulty straying from their standard operating procedures or their checklist and really trying to think like the adversary, or outside of the box, when it came to defensive posture. So I started a lot of research to try to figure out how I could bridge that gap and have defenders think more like the adversary, and what I found was that game theory was an excellent way to show the relationship between an attacker and a defender. So these are some of the things that I learned that I want to pass on to you guys today.

The first slide, of course, is the "why" slide: why should we even care about game theory? Real quick, I want to lay the foundation of what we're talking about when we say game theory. Game theory in this context, I'm talking about the mathematical models that are used for optimal decision making between the interaction of two or more players. Probably one of the most famous examples of game theory would be the prisoner's dilemma, and this is a classic case where you and your partner in crime recently got arrested for a crime. You're divided between two different rooms, and you're told that you can confess or stay quiet, and depending on what decision you make determines what kind of prison time or freedom you might get. This is a really good example of what game theory actually does, and that's create strategy. So instead of trying to wrack your brain and try to figure out what your partner in crime is going to do (are they going to rat you out, or are they going to confess?), instead you can actually create enough strategy to be able to know, regardless of what your opponent is going to do, or your partner in this case, you can come up with an optimal solution.

This is really applicable to InfoSec because cyberattacks are not static; they're very dynamic. They're not always going to go through at the same point in the network; they're not always going to be the same type of attack vector. And so we can use game theory to come up with a proactive solution of how we can create a defensive posture, instead of the whack-a-mole kind of reactive solution that we tend to do. So with that in mind, I'm going to talk to you about two specific game theory games today. I'm going to talk about the Colonel Blotto game and how it can be used for resource allocation, as well as the FlipIt game and what I call the invisible compromise, and then wrap that up and do some final takeaways and lessons on game theory.

So getting right into it: the Colonel Blotto game has actually been around for almost a hundred years. It was first proposed around 1921 as a two-player zero-sum game; however, in 1950, in a RAND Corp paper to the US Air Force, Gross and Wagner actually labeled it the Colonel Blotto game. I tried to find out why they named the paper "A Continuous Drunken Colonel Game" for the US Air Force, but I couldn't find any information on it. I thought it was still funny nonetheless.

The Colonel Blotto game can basically be explained as: you are trying to protect a battlefield, and you have a finite number of troops over n number of battlefields, and your attacker simultaneously has the same number of troops, but you don't know what their distribution is on where they're going to attack your battlefields. We can basically break this down into four main knowns. The first one I just mentioned: the number of troops on each side is the same. The second is whoever has the most troops at that particular battlefield will win. Third, neither party actually knows where those troops are being distributed, so you don't know exactly where you need to put your troops in order to gain that advantage. And fourth, both parties want to maximize the number of battlefields they win. Pretty simple, right? This is obviously a very simplified version of war or battle, but it does a pretty good job at really asking the ground question, which is: where are you going to put your resources?

Now, in the picture on the left here, you have the Gross and Wagner 1950 solution, one of the solutions, in which basically they situate all their troops in a way so that they're all distributed evenly, but any time there is a ramp-up in attack in a particular place they can all move very quickly, and so you can assign those resources to a place where they're needed in a very quick fashion. And that makes sense, right?

So if we try to take this and apply it to InfoSec, there are some main questions that we want to ask. First of which is: what are your assets? What assets need extra protection? Do you have any assets that actually need no protection at all? What is your normal defensive posture, and how does that differ from your high-alert defensive posture, and why not be in high alert all the time? We're going to talk about a couple of those. When it comes to where your resources are, that's a fundamental question to have, but what I found is a lot of people don't necessarily go to the very first step, which is: what are your resources? If you were to ask just generically what your resources are at a company, usually these three things come to mind: people, time, and money. People in the form of employees, because at the end of the day you still need people to run your operations. Even when it comes to an IDS, an intrusion detection system, we've made great strides in having automation in our defense, but it's the same at the end of the day: you still have somebody that needs to be on keyboard, whether it's adding signatures or gathering data. And so people are definitely a legitimate limited resource that you would have in your company.

Time and money are kind of interesting because I always think about those as after the fact. When everything goes wrong, somebody always mentions time and money: either, you know, we didn't have enough time to be able to mitigate an attack, or if our budget was bigger and if we had more money we could have bought X that could have helped this. These are all very legitimate things, but the idea with game theory is to think outside of the box. So instead, let's ask the question: what are specific resources that you use in InfoSec in your organization for defense? I've mentioned two here, the first being tools. Tools back in the day used to be something that you always had that was just installed on your system, but today, when you have security as a service and IT as a service, what you're finding is that a lot more companies are using subscriptions, and you can buy a variety of levels of subscriptions that have different widgets that other, lower-paid subscriptions might not have. And so this is something that you really need to keep in mind when it comes to your defensive posture, because you might have limitations that you weren't aware of, particularly if you're using tools that use some sort of monitoring and data collection; you might have limitations on how much data that tool can store and parse through. So that's very important.

The second is bandwidth, and I'm not talking necessarily about the speed of your internet from the 1990s, but what I'm talking about here is understanding how computationally expensive some of your tools might be, which would affect the throughput of your network. An example of this would be DPI, or deep packet inspection. It's a great tool to use to really get some network analysis, but it is very expensive computationally, and so that's just one example of some things that you would want to consider when you're talking about your resources.

So bringing it back to Colonel Blotto for a minute: what you often see in game theory at the end of the day, like I mentioned earlier, game theory is about mathematical models, and so here you have two examples of math solutions that were created at the end of these papers, the one on the left being your 1950 Gross and Wagner paper, and on the right a more recent 2012 paper in which a specific algorithm was proposed. This is awesome, that you actually have some mathematical answers, but what the real challenge is, is how do you translate that to your sysadmin, to your IT department, so that you can create real solutions when you go back to work? With that in mind, I've listed two main strategic lessons here that Colonel Blotto can teach us that we can immediately use.

The first is to break down your resources into individual zero-sum games. So even though strategically you think big picture, you can actually divide up individual issues or problems that you're having when it comes to defense into individual games. So instead of thinking about it as attacker versus defender, you're looking at it more like malware versus IDS, and when you're able to do that, then you're able to look much more granularly at things like your resources and your limitations so that you can create a solution. The second is to use alerting and traffic flow analysis to know what your current threats are. Now, I'm by no means saying that you should somehow disregard your A/V and all of the signatures that are in that, but what you can do, by doing your own individual traffic analysis, is figure out some of those cyber threat vectors that are specifically trying to get into your network. And so it's a great way to be able to know where you need to put your resources based on what kind of threats are out there and where they're trying to get in.

So you've done everything that I suggested: you know your network perfectly, you know what all your resources are, what their limitations are, and all of your alerting. Awesome. You go through and you pull up your alerts, and you have no major incidents, no bad guys on your network, right? Awesome, then you can just go home, go collect your check, right? Not necessarily. What we're seeing more often today is that there are already people, there are already entities on your network that aren't necessarily creating effects, that have probably been there for a long time. In fact, in 2016 there was a FireEye report that showed that the global average dwell time between compromise and detection was a hundred and forty-six days, and so that's actually a long time to think that somebody would be on your network creating backdoors, exfilling data. So we really have to ask ourselves: if none of this alerted on our system, but we have to assume that they're probably there, how are you going to defend against a ghost?

The answer to that is the next game that I'm going to talk to you about, which is FlipIt. FlipIt is a much more recently proposed game; it was proposed in 2012 in a white paper called, specifically, "FlipIt: The Stealthy Takeover", and basically what it is, is a blind version of Go. So you're moving to take control over your board, but the catch is you don't know when your opponent's moving or where they're moving. This was created specifically to address advanced persistent threats, or APTs.

So breaking this down into an explanation: it's still a two-player zero-sum game, like we talked about with Colonel Blotto. Players compete for control of a shared resource. You can move at any time, taking control, but it is at a cost. The other thing to this is, keep in mind, both of you can be moving simultaneously; it doesn't have to be like a traditional game where I move and then you move. Each of you can move whenever you feel like you need to move; however, it is at a cost. Who has control of the resource is not known until the person moves. So when you think about this from a network standpoint, basically when you're moving, you're checking the network and then you're mitigating the risk, so then you now have control of the network. And the objective, of course, is to have as much time in control of the network with the minimal amount of cost.

We can see this through an actual Java implementation on GitHub that you can play. It's a ten-second game: you get a hundred points for every second that you are in control, but you also lose a hundred points for every time that you actually check, or flip. So my first thought in this is, okay, naturally, in a best-case scenario with unlimited resources, what you want to do is be on your network all the time and constantly check your network, right? So that's what I did. Each one of these blue dots here is each time that I flipped, because I constantly want to make sure that I'm in control. So you see that red, because they're also simultaneously moving and flipping, they checked five times, right? So they took control five times, but only for a very short period of time. So that's ideal on your network, right? Except for a key point in the FlipIt game, which is that it comes at a cost, and that cost is your resources, because it's not actually probable that you're going to be able to have your best tools on your network on every single node at all times. And so it really drives home the point that you have to consider where you're going to put your resources and when you're going to use them.

So let's look at a second example. Let's say you want to just look at your network periodically, at the same time every single day, kind of like Patch Tuesday, right? Everybody knows it's coming. You can check your network and see if you're in control. Here you have red clicking flip many more times; they had a lot more control over your network, and so you lost this game. But keep in mind that it might be that you play this game several times and there are times that you will win, and in that same regard, in InfoSec, you can put in your policies, you can put in your standard operating procedures your implementation of when you're going to check the network, and there might be times that you're going to win. But game theory really helps you to see that there are also times when you're not going to win, and what you should do about that. A big piece of this is the predictability of when you're actually checking your network.

So that drives home the 2012 paper's solutions, or the lessons at the end, which were two ways in which you can win the FlipIt game, and that's with renewal strategy and with polymorphic adaptive play. Renewal strategy is really that piece of predictability: making sure that you're being a bit spontaneous when you're checking your network and mitigating any kind of threats that are out there, so that the opponent is not also looking at your network and knowing exactly when to attack because they know when you're not going to be on the network. The second piece of that is polymorphic adaptive play, and that's changing up exactly what tools you're using, how you're using them, and again, not being predictable. When this applies to InfoSec, I call it, and I'm not the only one, moving target cyber defense, and that is really at the heart of what we're talking about, especially when we're talking about adaptive play.

I always think about horror movies in this example, because you always kind of know who's going to die when there's a chase, because you have the one person that's just running in a straight line, and so it's really predictive of where they're going, and also predictive that the bad guy is probably going to catch them and kill them, right? So zigzag is what I usually think of, because this is kind of a chase; you can think of it as a chase kind of game. Some of those zigzags that you can actually make on your network, that aren't necessarily inherent, are route changes, host address changes, OS host ID changes, and memory address changes. While this might sound like it's something obvious, in my experience I found that what most people do is they build up their network, they have those standard IP addresses that they use, those host addresses, and then they're like, okay, well, I'm done, let's move on to other pieces of my defense. But this can also be a part of your defense, because you've got to think that your adversary is probably looking up plenty of things on the open network to try to find what they can find out about you, so WHOIS records, any of those kinds of things. They're going to be able to see some of this information; if you're changing it on a regular basis, it's just going to make it harder for the adversary to be able to pick out a pattern of life for your company.

So bringing all of those games together, some of the main lessons that I want you guys to take home about game theory: at the end of the day, game theory is a very broad subject about strategy. Anybody can use this. You can use this in some of your day-to-day life; you can take it to any kind of work, and you can find a way in which you're seeing that relationship between you and an adversary or opponent and finding that optimal decision. I very much encourage you guys to do some research on different games in game theory. What you'll find is that there is a whole slew of games for all kinds of different scenarios. You're not going to find one particular game that fits your scenario perfectly that's going to give you all the answers; what you're going to have to do is look at these to help you think outside of the box, think of something new, think of something that maybe you're not already doing, that you just take for granted or are facts in your network, and help gauge what the adversary might need to do on your network. Bringing it back to Colonel Blotto: make sure you know your resources, make sure you know your network, understand your limitations and your resources. And then with FlipIt, don't forget to periodically review, renew, and adapt.

If you do want to learn more, which I highly encourage, I suggest the book "Game-Changer: Game Theory and the Art of Transforming Strategic Situations" by David McAdams. I felt that to be a pretty good resource, as well as Tim Roughgarden's Stanford lectures on YouTube, and also there's the link for the Stanford page. He has a whole semester's worth of lectures that really break down different facets of algorithmic game theory that I found particularly useful. Again, my name is Vanessa Redman. Thank you very much for your time.
Questions.

Hi, this is actually the second talk; there was another one yesterday that brought up persistence, and you didn't specifically mention it, but maybe would you have a comment on the trend toward serverless and how that's going to impact persistence? I mean, that's the ultimate in adaptive, right? When you're not using it, it doesn't even exist.

It's true, it's true. I haven't done a lot of research on that, serverless or the cloud services that are out there, but I definitely see that as being a challenge, because when you own your hardware and your software, usually it infers a certain amount of ownership, and so now you're relying on a third party potentially to do those kinds of defensive actions, and that's a lot of trust. So I'm not exactly sure how that's going to play out, but I'm certainly curious.

Have you applied... I like the game theory, especially when you're applying blue team and red team on the different games. One of the things that, from a security engineering perspective, you have to do is threat modeling. Have you applied, in your thoughts around, well, these are basic tenets for threat modeling, this is how we can apply game theory on top of it to enrich how you assess your environment?

Absolutely. That's actually what I mainly use game theory for, as far as my own independent research: I want to use game theory to help with cyber threat intelligence, and attack mapping is one huge part of that. I think that game theory can absolutely be used for that kind of attack vectoring and threat modeling.

You mentioned the moving target and changing the posture to try to fight that. At least from my experience, I found it to be non-practical, mostly because IT teams don't want to break anything; I mean, they're afraid to make any change. In lieu of that, what are your thoughts about using things like honeypots and perhaps deception techniques? Is that a good mitigation control for that, or not?

I think that would be valid, but to me that requires a certain amount of base knowledge that you would need, that you would assume that your IT department kind of has, and maybe a tech teach would be necessary for that. But that would be a good procedural thing that could be implemented. I found that maybe making some of those changes, even though there is a fear of breaking something, that making those simple changes requires a little less procedural thought, and they are just easier to kind of implement for the short term.

All right, last question.

Okay, thank you. And my question is about, from Tim Sarah, what is your opinion about building the roach has to, like, a security zero trust?

Zero trust is definitely a hot topic. I think that creating some zero trust mapping is definitely important and would be great to use, but I think that it's a bit harder on very well-established enterprise networks; the larger you are, I think it's a little bit more difficult.

Awesome. Let's give her a round of applause. [Applause]
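As an added illustration of the FlipIt dynamic the talk describes (my own Python, not the talk's code or the Java GitHub implementation it mentions), this scores ten-second rounds with the talk's rules of 100 points per second in control and 100 points per flip. It compares a Patch-Tuesday-style periodic defender against an adversary who has learned that schedule, a defender who checks constantly, and a renewal-strategy defender whose check gaps are drawn at random. The attacker's 0.1-second delay, the check rates and the exponential renewal distribution are assumed parameters chosen for the example.

```python
import random
from typing import Dict, List

# Constructed parameters mirroring the talk's description of the GitHub FlipIt game:
# a 10-second round, +100 per second in control, -100 per flip, for either side.
HORIZON = 10.0
CONTROL_RATE = 100.0
MOVE_COST = 100.0


def score(defender_moves: List[float], attacker_moves: List[float],
          horizon: float = HORIZON) -> Dict[str, Dict[str, float]]:
    """Replay one FlipIt round. The defender owns the resource at t=0.
    Each move takes control at its timestamp; a move by the current owner
    still costs but gains nothing, since moves are blind to who holds control.
    Returns, per player: seconds in control, flip count and the point score."""
    d_moves = [t for t in defender_moves if t < horizon]
    a_moves = [t for t in attacker_moves if t < horizon]
    events = sorted([(t, "defender") for t in d_moves] + [(t, "attacker") for t in a_moves])
    owner, last, held = "defender", 0.0, {"defender": 0.0, "attacker": 0.0}
    for t, who in events:
        held[owner] += t - last
        owner, last = who, t
    held[owner] += horizon - last
    flips = {"defender": len(d_moves), "attacker": len(a_moves)}
    return {p: {"control": held[p], "flips": flips[p],
                "score": CONTROL_RATE * held[p] - MOVE_COST * flips[p]} for p in held}


def periodic(period: float, phase: float = 0.0, horizon: float = HORIZON) -> List[float]:
    """Fixed-schedule checks, like the 'Patch Tuesday' defender in the talk."""
    times, n = [], 0
    while phase + n * period < horizon:  # multiply rather than accumulate floats
        times.append(phase + n * period)
        n += 1
    return times


def exponential_renewal(rate: float, rng: random.Random, horizon: float = HORIZON) -> List[float]:
    """Renewal strategy: the gap to the next check is drawn afresh each time, so the
    schedule has the same average rate as periodic(1/rate) but no repeating pattern."""
    times, t = [], rng.expovariate(rate)
    while t < horizon:
        times.append(t)
        t += rng.expovariate(rate)
    return times


def informed_attacker(defender_schedule: List[float], delay: float) -> List[float]:
    """An adversary who has learned a fixed schedule moves just after each check."""
    return [t + delay for t in defender_schedule]


def mean_defender_control(rate: float, attacker_moves: List[float], runs: int = 300) -> float:
    """Average defender control fraction when a renewal defender faces an attacker who
    keeps the timing that beat the periodic defender (it can no longer see the checks)."""
    rng = random.Random(1)  # fixed seed so the estimate is reproducible
    total = sum(score(exponential_renewal(rate, rng), attacker_moves)["defender"]["control"]
                for _ in range(runs))
    return total / (runs * HORIZON)


if __name__ == "__main__":
    sched = periodic(2.0)
    attack = informed_attacker(sched, 0.1)
    print("periodic defender vs informed attacker:", score(sched, attack))
    print("constant checking (every 0.1 s):", score(periodic(0.1), attack)["defender"])
    print("renewal defender, mean control fraction:", mean_defender_control(0.5, attack))
```

The periodic defender holds the resource only 5% of the round and nets -450; constant checking holds it almost the whole time but the flip cost sinks the score to about -9000; the renewal defender with the same average check rate as the periodic one recovers roughly a third of the round because the attacker can no longer time its moves.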