Managing Network Security

Attack and Defense Strategies

by Fred Cohen



Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


A Strategic View

Attackers and defenders act with intent. This, in turn, means that they are not well characterized by models of a random nature. In the quest for better models, we are forced to find ways of weighting our decisions, but if we choose the wrong weights, we may tip the scales against ourselves. Indeed, the weightings we choose can be used against us if they are exploitable by the opponent.

This is the strategic view of conflict as a game, and the subject of this month's article. The basic challenge for the strategist is deciding how to make better decisions than the opponent. Since both sides may apply strategic analysis, the physical elements of conflict become almost like pawns in a strategic battle between attacker and defender. Of course these pawns are not as predictable as those in a game of chess, but the master strategist is expected to take that into account.

From a purely practical standpoint, in information protection, we apply various methods of risk management. Even when we don't use a formalism, we make decisions in our head about what to do and what not to do. The result is risk management without rigor. Most of the formalisms applied to risk management in information protection today take the probabilistic approach as an analytical basis and follow it up with some management decision process that, in the end, comes down to an informal decision that suits enough of the parties to the process to make it politically and financially palatable.

These management decisions are the core of the real process of risk management, and can be considered the weak point in that they are the place where the 'scientific' approach fails utterly in most organizations today. If you can get 'into the heads' of the people who make these decisions, your insight will lead you to success against them.

Strategic analysis is about understanding these high-level decisions at a more analytical level. It doesn't remove the human from the process and it certainly doesn't mean that the decisions are less driven by political and financial palatability. It does mean that, when a high-level choice is to be made, some insight into its implications can be gained.

In order to get at strategic analysis, we must begin by enumerating strategies. I have picked a scheme of viewing the attack and defense strategies based on my own experience, and I will try to explain how I came to pick it along the way, but in the end, my scheme is only as good as my assumptions and experience. Yours may be better suited to you.


Attacker Strategies

Attackers can select from many techniques for their attacks, so the natural question for the attacker who wishes to be highly successful is: 'Which attack should I choose and when?' This selection method is what we call a strategy. Here are some of the attacker strategies we see (they appear as the rows of the strategic matrix below):

While there are certainly other strategies, these will serve the purpose of our discussion. When looking at these strategies in detail, analysis involves understanding the techniques the attackers are likely to use, the way they might react to things they encounter during the process of attack, and the likelihood that they are able to succeed against particular defenses in particular amounts of time.


Defender Strategies

Defenders also have many defensive techniques to choose from and select different strategies based on their perceived needs and the way their organizations work. Defenders tend to use mixes of defensive techniques in a protection process. As such, the strategies really consist of mixes of different process elements in different amounts. This is essentially a resource allocation issue selected from among the following elements (they appear as the columns of the strategic matrix below):

There are many more defensive strategies that may be taken, but these should offer a reasonable set to consider in our analysis, and they represent many of the partial strategies taken by companies today. Full defender strategies typically consist of a combination of these techniques under different circumstances and with different balances of investment.


The Strategic Matrix

In analyzing strategies, we typically try to create a strategic matrix that shows the value to attacker and defender for taking each combination of attack and defense strategies. The sample matrix below shows how this might look for the strategies outlined above; rows are attacker strategies and columns are defender strategies.

          Dissuasion Deception  Prevention Detect     Repair     Exploit    Capture    Cover up   Change
Speed     10 / -10   -5 / 5     -1 / 5     5 / -3     5 / -6     -1 / 1     -8 / 2     8 / 1      5 / -6
Stealth   5 / -5     3 / -3     3 / -3     3 / 2      1 / 0      -4 / 5     -3 / 5     7 / -2     3 / 2
Force     3 / 2      2 / 4      1 / 5      2 / 3      2 / 5      -2 / 3     -8 / 5     8 / -5     4 / 0
Indirect  2 / 3      1 / 3      3 / -2     5 / -5     5 / -5     1 / -1     2 / -2     8 / 2      3 / 2
Random    1 / -1     -3 / 2     1 / -1     -3 / 3     0 / -1     -4 / -2    -2 / -1    1 / 2      1 / -3
Least     -2 / 2     -4 / 3     2 / -2     1 / -1     2 / -2     -2 / 1     -3 / 2     3 / 2      3 / -1
Easiest   -3 / 3     -3 / 3     1 / -2     1 / 1      1 / 1      -2 / -3    -2 / -2    3 / 2      3 / -1

In this matrix, the first number in each cell represents the payoff to the attacker and the second number in the cell represents the payoff to the defender if the attacker and defender choose this strategic pair. In this analysis, there are a few important things to recognize.

There is a large body of analysis underlying this formulation of the strategic decision process, and that body of analysis is called game theory.


A Game Theoretic Approach to Analysis

In game theory, we use a matrix such as this one to analyze optimal strategies under different assumptions. In the parlance of game theory, this is a multi-player repeated non-zero-sum game with imperfect information. That is, (1) the game is played by multiple players, (2) it is played repeatedly by attackers and defenders who can learn from their experience, (3) one player's win is not necessarily the other player's loss, and (4) each player may gain some information from experience, but they do not always gain perfect information about what the other player might have done.

In the particular matrix shown above, some more information can be gleaned by examination. For example, there is no case in which an attacker is better served by using the Easiest strategy than by using the Indirect strategy: Indirect pays the attacker at least as much against every defense, and strictly more against all of them except Change, where the two tie at 3. Thus the attacker is never worse off choosing Indirect over Easiest. Similarly, Deception is always at least as good a defensive strategy as Dissuasion in this example because there is no attack against which Dissuasion does better than Deception (they tie only against Indirect and Easiest). These two examples are specific cases of a phenomenon called dominance.

In a strategic analysis, we note that a dominant strategy always does at least as well as the strategies it dominates, and thus, regardless of the actions of the other player, the dominant strategy can be used to at least as good advantage as the dominated strategy. In the matrix above, Indirect dominates Random and Least as well as Easiest, and Deception dominates Dissuasion, so one round of elimination removes those four. (Elimination can be repeated: in the reduced matrix below, Capture does at least as well for the defender as Detect and Repair against all four remaining attacks, so a second round would drop those two columns too. The discussion that follows keeps the eight-column matrix.) Here is the matrix resulting from removing the dominated strategies.

          Deception  Prevention Detect     Repair     Exploit    Capture    Cover up   Change
Speed     -5 / 5     -1 / 5     5 / -3     5 / -6     -1 / 1     -8 / 2     8 / 1      5 / -6
Stealth   3 / -3     3 / -3     3 / 2      1 / 0      -4 / 5     -3 / 5     7 / -2     3 / 2
Force     2 / 4      1 / 5      2 / 3      2 / 5      -2 / 3     -8 / 5     8 / -5     4 / 0
Indirect  1 / 3      3 / -2     5 / -5     5 / -5     1 / -1     2 / -2     8 / 2      3 / 2

To see how this works:

Now in this example play of the strategic game, each player made reasonable moves each time. In the second move, the defender made one of the best choices given their knowledge at the time, as did the attacker. The same happened on the third and fourth move. One of the effects of this 'rationality' is that players avoided 'big' mistakes, but at the same time, the moves of each player were somewhat predictable. For example:

There is seemingly no end to this strategic analysis, and the further we look ahead, the more we might get confused about the possible futures. The limits on information flowing back and forth are also of concern because they limit each player's ability to predict possible moves. Indeed, the attacker might simply choose a strategy not listed here, such as 'Use Speed until you gain 5 points or get a negative score on one move, then quit.' In this case, the same series of moves would have yielded a quick win of 5 points to the attacker, a -3 point score for the defender, and the game ends. Against this strategy, Deception and Prevention are the best initial defenses in the matrix (each hands the attacker a negative first move, which ends the game, and pays the defender 5), while Capture also ends the game at once but pays the defender only 2; but with no information ahead of time, the defender would seem foolish to adopt any of these strategies.


Mixed Strategies

A more realistic assessment of the way network protection is implemented is as a mix of strategies that coexist with different resources over time. For example, we might have a total budget that can be allocated among the different elements of strategy. In this case, we can look at the analysis in terms of combining the effectiveness of the different approaches to different degrees. For example, we might choose to spread the defense evenly across the 8 defensive strategies of the reduced matrix, so that we invest 1/8 of the total budget in each. In this case, when the attacker chooses the Speed strategy, the payoffs would be 1 for the attacker (the sum of the attacker payoffs in the Speed row, 8, divided by 8) and -1/8 for the defender (the sum of the defender payoffs in that row, -1, divided by 8). A different mix, for example one that simply ignores Change as an option and splits the budget evenly across the remaining 7, would yield 3/7 to the attacker and 5/7 to the defender.

We can try these mixes against different attacker strategies and strategy mixes under different information assumptions and get a wide range of different results. One thing we can be certain of, at least in the real world, is that no static attack or defense strategy can hold up against adaptation by the opponent. No matter what the mix is, the opponent can always find a mix against it that wins for them or loses for you. The even spread above is a case in point: an attacker who answers it with Indirect collects 28/8 = 3.5 per move while the defender loses 8/8 = 1.
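The dominance elimination of the previous section and the mixed-strategy arithmetic above are both easy to check mechanically. The following is an added example, not code from the original article: it encodes the sample matrix as data, runs iterated elimination of weakly dominated strategies (pruning both sides each round, an assumption of this example since the article only performs one round), computes expected payoffs for budget-split defenses, and finds each side's best pure reply to a mix. The payoff numbers are the article's; the function names are the example's own.

```python
# Added example, not code from the original article: the sample strategic
# matrix as data, iterated elimination of dominated strategies, and expected
# payoffs of mixed (budget-split) defenses. Payoff values are copied from the
# article's matrix; function names and the pruning order are this example's.
from fractions import Fraction
from itertools import product

ATTACKS = ["Speed", "Stealth", "Force", "Indirect", "Random", "Least", "Easiest"]
DEFENSES = ["Dissuasion", "Deception", "Prevention", "Detect", "Repair",
            "Exploit", "Capture", "Cover up", "Change"]

# Rows follow ATTACKS, columns follow DEFENSES; each cell is
# (attacker payoff, defender payoff) as printed in the article.
ROWS = [
    [(10, -10), (-5, 5), (-1, 5), (5, -3), (5, -6), (-1, 1), (-8, 2), (8, 1), (5, -6)],
    [(5, -5), (3, -3), (3, -3), (3, 2), (1, 0), (-4, 5), (-3, 5), (7, -2), (3, 2)],
    [(3, 2), (2, 4), (1, 5), (2, 3), (2, 5), (-2, 3), (-8, 5), (8, -5), (4, 0)],
    [(2, 3), (1, 3), (3, -2), (5, -5), (5, -5), (1, -1), (2, -2), (8, 2), (3, 2)],
    [(1, -1), (-3, 2), (1, -1), (-3, 3), (0, -1), (-4, -2), (-2, -1), (1, 2), (1, -3)],
    [(-2, 2), (-4, 3), (2, -2), (1, -1), (2, -2), (-2, 1), (-3, 2), (3, 2), (3, -1)],
    [(-3, 3), (-3, 3), (1, -2), (1, 1), (1, 1), (-2, -3), (-2, -2), (3, 2), (3, -1)],
]
PAYOFF = {a: dict(zip(DEFENSES, row)) for a, row in zip(ATTACKS, ROWS)}

def attacker(a, d):
    """Attacker's payoff when the pair (attack a, defense d) is played."""
    return PAYOFF[a][d][0]

def defender(a, d):
    """Defender's payoff for the same pair."""
    return PAYOFF[a][d][1]

def dominates(payoff, own, other, opponent_choices):
    """Weak dominance: `own` scores at least as well as `other` against every
    opponent choice and strictly better against at least one of them.
    payoff(mine, theirs) is the payoff to the player choosing `mine`."""
    diffs = [payoff(own, c) - payoff(other, c) for c in opponent_choices]
    return all(x >= 0 for x in diffs) and any(x > 0 for x in diffs)

def dominated(payoff, mine, theirs):
    """Map each dominated strategy in `mine` to the first strategy found that
    dominates it, given the opponent's remaining choices `theirs`."""
    out = {}
    for s in mine:
        for other in mine:
            if other != s and dominates(payoff, other, s, theirs):
                out[s] = other
                break
    return out

def eliminate(attacks=ATTACKS, defenses=DEFENSES):
    """Iterated elimination of weakly dominated strategies. Each round prunes
    both players at once from the current reduced matrix. Returns (rounds,
    remaining_attacks, remaining_defenses). Caveat: with weak dominance the
    final result can depend on the order in which strategies are removed."""
    attacks, defenses, rounds = list(attacks), list(defenses), []
    while True:
        da = dominated(lambda a, d: attacker(a, d), attacks, defenses)
        dd = dominated(lambda d, a: defender(a, d), defenses, attacks)
        if not da and not dd:
            return rounds, attacks, defenses
        rounds.append((da, dd))
        attacks = [a for a in attacks if a not in da]
        defenses = [d for d in defenses if d not in dd]

def expected(attack_mix, defense_mix):
    """Expected (attacker, defender) payoff when each side plays the given
    {strategy: weight} mix; weights are probabilities or budget fractions."""
    ua = ud = Fraction(0)
    for (a, wa), (d, wd) in product(attack_mix.items(), defense_mix.items()):
        ua += wa * wd * attacker(a, d)
        ud += wa * wd * defender(a, d)
    return ua, ud

def uniform(strategies):
    """Even split of the budget (or probability) across `strategies`."""
    return {s: Fraction(1, len(strategies)) for s in strategies}

def best_attack(defense_mix, attacks):
    """The attacker's best pure reply to a defensive mix."""
    return max(attacks, key=lambda a: expected({a: 1}, defense_mix)[0])

def best_defense(attack_mix, defenses):
    """The defender's best pure reply to an attacker's mix."""
    return max(defenses, key=lambda d: expected(attack_mix, {d: 1})[1])

if __name__ == "__main__":
    rounds, atk, dfn = eliminate()
    for i, (da, dd) in enumerate(rounds, 1):
        print(f"round {i}: drop attacks {da}, defenses {dd}")
    print("remaining:", atk, dfn)
    eight = [d for d in DEFENSES if d != "Dissuasion"]  # article's reduced matrix
    print("Speed vs even 1/8 spread:", expected({"Speed": 1}, uniform(eight)))
    print("Speed vs even spread without Change:",
          expected({"Speed": 1}, uniform([d for d in eight if d != "Change"])))
    reply = best_attack(uniform(eight), atk)
    print("best attack vs even spread:", reply, expected({reply: 1}, uniform(eight)))
    print("best defense vs that attack:", best_defense({reply: 1}, eight))
```

Run as a script, the first round drops Random, Least and Easiest (all dominated by Indirect) and Dissuasion (dominated by Deception), reproducing the article's reduced matrix; a second round drops Detect and Repair, after which nothing else is dominated. The even 1/8 spread gives (1, -1/8) against Speed and (3/7, 5/7) once Change is dropped, but the attacker's best reply to that spread is Indirect at 7/2 per move, against which the defender's best single answer is Deception. Payoffs are kept as Fractions so the 1/8 and 5/7 of the text come out exactly rather than as rounded floats.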


Conclusions

A strategic analysis of network protection provides another tool in the risk manager's quiver. It allows the roll-up results of other risk management activities to be used in a meaningful way to make decisions about budget allocation and it provides an ability to continue to adapt your approach over time.

The application of game theory to risk management seems like a natural consequence of taking a strategic approach. It provides an effective way to apply mathematical rigor and optimization techniques while still retaining the elements of judgment that are key to the risk manager's success.

While our coverage of the extensive field of game theory in this paper is extremely light and simplistic, there is a great body of knowledge upon which the interested reader can rely in order to use the notions discussed here to their advantage.

But all of this comes with a down side - and a warning. The attackers know about game theory and strategic analysis too - and as more sophisticated attackers become more and more common, you can expect that they will game your defenses just as we have been gaming their attacks.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net or visiting /