Cyber Chess: How You Can Win
Most of us are not very good at playing chess – if we play at all. However, many of us at least have some familiarity with the game. The following quick description will help in the discussion of Cyber Chess – the game the good guys (white pieces) “play” against the cybercriminals (black pieces) as they try to steal anything we value from our cyber world.
The chess game is described in three phases.
The Opening: During the opening, you and your opponent make several moves to establish a battlefront.
The Middle Game: The middle game is the direct battle zone. This phase is spent attacking, being attacked, defending and looking for ways to stabilize your defenses or cripple your opponent and break down his/her defenses.
The End Game: This is where the game comes to a conclusion when, excluding the occasional draw, you either win or you lose to your opponent, Checkmate!
Simple enough, right? And it is: all you have to do is checkmate your opponent – i.e., more or less capture their king. Of course, there are those who would argue that it is not that simple. They say you have to be really smart and know a lot! They point to the fact that for just the first four moves in a chess game, there are 318,979,564,000 possibilities. For the first ten moves, the number is 169,518,829,100,544,000,000,000,000,00. After that, the numbers start to get big, with the total possible moves in the neighborhood of 10^120, or 1 followed by 120 zeros – quite a big neighborhood! Hmmm, maybe they have a point.
Chess is a game of an extremely big number of possible moves. Cybercrime is a “game” of very big numbers. Annually:
- 26,280,000,000,000 malicious e-mails sent
- 2,628,000,000,000 get through current defenses
- 13,140,000,000 are effective
To be clear, Cyber Chess is not “a” game. It is thousands and millions of concurrent games rolled into a continuous stream of threats to which we must respond – in other words, we must “play.” So, the answer to the “Do You Play?” part of the title question is yes, you do play. You may not want to play, you may not know how to play, but like it or not, you are definitely in the game!
The Cyber Chess opening begins with criminals sending out nearly 75,000,000,000 malicious messages (spam, phishing, malware) every day. Your opening moves are probably to make sure your antivirus (AV) software is updated and that your various network devices are current with respect to known threats. Assessment of the opening game: Advantage Black.
The middle game plays out with your defenses blocking what they can and with the cybercriminals taking what they can get, in terms of successfully getting into one or some of your users’ computers and then into your network. Using an industry average figure of 1 in 200 attacks being successful, and assuming your company has maybe 1000 users, that means that on average 5 of your users will fall victim to an attack that made its way past your defenses. Of course, all it takes is one successful compromise to allow the criminal to take up residence inside your network. Does this really happen that often, considering the money companies spend on cyber defense? If you ask Target, Neiman Marcus, Franciscan Health, dozens of universities, and hundreds of other companies, it absolutely does happen! From the 2013 Verizon Data Breach Report:
- There were more than 47,000 security incidents reported
- Resulting in 621 data breaches
- Email attacks were the primary mechanism to deploy malware into enterprises, either directly or indirectly (Figure 20/pg 29 of the report)
  - 67% of the time in large enterprises, email was the direct vector
  - And still more often, malicious email was the mechanism by which bad guys gained access to a computer and then directly installed malware on it
- Of the 621 data breaches, how did companies find out? (pg 54 of the report)
  - Only 4% were detected by Network IDS (Intrusion Detection Systems)
  - Only another 4% were detected by analyzing log files
  - Anti-Virus programs didn’t detect any of them!
- Most companies learned about their data breach from an external source
  - Examples: customers, law enforcement. This happened 70% of the time (pg 53 of the report)
It is also interesting to note that the average time between when a breach occurs and when a company detects it has been breached is about 210 days (Trustwave). That’s a long time that the criminal has to develop his or her “middle game,” solidifying their presence in your network and positioning for a win in the end game. Of course, they are taking your “pieces” all along the way.
Significant in all of this is that, according to the Verizon report, none, zip, zilch, nada, of the breaches were detected by Antivirus programs. That is truly comforting news – for the cybercriminal. Assessment of the middle game: Advantage Black.
The End Game. Unfortunately, there is no end to this game, at least not an end that anyone can foresee from the present state. For a long time, we will be forced to play the middle game in response to a continuous assault of opening moves by the bad guys. Can you play the game using yesterday’s tools and yesterday’s strategies and tactics? Absolutely you can! Can you win the game doing that? Absolutely you cannot!
Cybercriminals continuously evolve their tools and tactics to improve their success based on what they learn about their enemy, about us. Theirs is an intelligence-based approach, and when they see that something is not working, they make changes. Too many of us continue to put our faith in things that might have worked in the past, but that we know, in our minds and hearts, are no longer effective. Why is that so? For one thing, antivirus companies continue to sell the message that they protect us from bad things, and they do. The problem is that they do not protect us from the worst things, and even when they finally do, it often is too late. The other problem is that for such a long time, we have been conditioned to think in a compliance-based way: if we follow the rules and regulations, do what we have been doing, and use the updated versions of yesterday’s weapons, we will be okay.
The question to ask at this point is “How is that working for us?” Given that daily reports of breaches would fill several pages of the daily newspaper, the honest answer has to be “Not very well.” A casual review of the 2013 Verizon Data Breach Report already gives us the answer. The new question is “What can we do to get better at the game and have some hope of eventually winning?”
The new answer is that we must shift away from believing the well-intended but misguided idea that others can protect us with outmoded tools while we blissfully go about our business. We must realize that today’s solutions to today’s criminal attacks are found in actionable intelligence and proactive intervention.
What this means is that we must employ actionable cybersecurity intelligence and forensic analysis about email-based threats (phishing, spam and malware) that identify, prioritize and target cybercriminal activities and provide effective countermeasures. This includes the ability to identify the root sources of cybercrime attacks (servers, perpetrators, locations, etc.), to obtain rich, actionable intelligence about cross-brand attacks and targeted attacks, and to receive advance notification of emerging email-based threats. Only then will we be able to respond effectively to attacks on our brands and to disrupt email-based threats against us. Only then will we be able to improve our game.
Cyber Chess – Do You Play? Yes, you don’t have a choice.
Can you win? Perhaps, but not by continuing to play yesterday’s game.
Assessment of the end game: It’s up to you. Your Move!