© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2022
J. G. Oakley et al., Theoretical Cybersecurity, https://doi.org/10.1007/978-1-4842-8300-4_8

8. Infinite Cybersecurity

Dr. Jacob G. Oakley (1), Michael Butler (2), Wayne York (1), Dr. Matthew Puckett (3) and Dr. J. Louis Sewell (3)
(1) Owens Cross Roads, AL, USA
(2) Arlington, VA, USA
(3) Huntsville, AL, USA

Infinite cybersecurity, what a term. It certainly sounds like some of the other buzzword soup that has become so commonplace in the industry, doesn’t it? I suspect if the concept was viewed as valid then, just like with any other concept, vendors would start stretching the definition to apply to products or services they already know how to offer until it falls into cyber purgatory just like cloud, cyber kill chain, blockchain, machine learning, and others.

The cybersecurity industry and its customers face an infinite number of adversaries that are infinitely varied in their sophistication and motivation, and we have been facing them with a decidedly finite mindset. Much of the first portion of this book covered how the finite mindset has impacted the industry and how vendors advertise their capabilities, even though the term finite was not directly called out. When we use terms like “stop threats,” “prevent data leaks,” “secure your environment,” and “block ransomware,” we are embracing the finite mindset.

The Infinite Game

Simon Sinek is a British-American author and public speaker who wrote a book and has given countless talks, including TED Talks, on the concept of the infinite game, which builds on ideas similar to those in James P. Carse’s work Finite and Infinite Games. Full credit to Simon for bringing the concept into public light and conveying it in such a way that it can be applied to almost any situation. Essentially, the concept is that there are finite games and infinite games.

A finite game is one where there are known players on known teams playing by established rules with a specific win condition. In such finite games the players are playing to win the game; think of a sports game, or chess. Infinite games are those with known and unknown players on known and unknown teams who can join, leave, or return at any time and where the rules are always changeable. Infinite games do not necessarily have a beginning or an end, and the players are not playing to win; they are playing to stay in the game. Think of business, or an insurgency.

The Lesson

As applied to business, warfare, and other areas, the most important aspect of finite and infinite games is that the players know what type of game they are in so they can play to the appropriate motivation. If we look at one of Simon’s examples, in the Vietnam War the United States was playing a finite strategy, trying to “win,” whereas the local opposition was trying simply to stay in the game long enough for the US to drop out. Similarly, this played out recently in Afghanistan, and to a successful conclusion for the opposition, with the opposition playing the right game and the US playing the wrong one. The US was trying to “win” in Afghanistan, while the Taliban was simply trying to stay in the game until the US dropped out. When a player does not know the type of game they are actually playing, they cannot optimize play or hope to improve their position.

Infinite Cybersecurity

The crux of the finite and infinite game concept in application to cybersecurity is that cybersecurity is an infinite game. New threat actors can target a defender at any time, and some may give up targeting a defender at any time. The attackers do not play by any rules, and the goal of the defenders should be to keep playing (operating their business or organization in the face of threats). Instead, as we have already covered to some degree, the cybersecurity industry talks a lot like American generals and politicians did regarding the conflicts in Vietnam and Afghanistan.

Theoretical cybersecurity efforts should be aimed at moving the body of work and industry as a whole toward using the infinite game mindset so that we can best address, mitigate, and coexist with the threats on the playing field. Exploration of new cybersecurity paradigms that make us and our customers better players in an infinite game should result in more relevant and effective solutions, capabilities, and services that will look less like sunk costs and more like strategic enablers.

Weaknesses and a Strength

Accepting that cybersecurity is an infinite game where innumerable threats are playing without rules against the defenders our industry supports, we must identify the strengths and weaknesses of our customers and their opponents. For the sake of keeping this discussion to a single chapter, we will primarily focus on three areas where attackers or defenders might have a unique advantage or disadvantage.

Time

Time is a strength for the attacker and not the defender. Some attackers will be unsophisticated, have only a passing interest, or even be automated. However, since some may also be nation-state actors, we must assume that the collective adversary, including any possible attacker, has the ability to spend essentially infinite time trying to compromise a defending network. Conversely, the defender has only a set number of personnel who can work only a set number of hours on the configuration, maintenance, and defense of the organization. Advantage attackers.

Money

Money, or more broadly resources in general, is also a strength for the attacker and not the defender. Since we have assumed all potential threats, including APTs and nation-states, we realize that if the target is important enough, resources and expenditures can essentially be considered infinite. Where national security is concerned, it should not be surprising what great lengths some governments will go to in order to protect it. Just as with time, the defenders are limited by things like budgets and emergency funds and as such will only be able to spend a finite amount of money or resources on protection over any given period. Advantage attackers.

Information and Access

The imbalance of money and time between nation-state level threats and APTs and their targets is a concept that is at least somewhat conveyed and understood, especially in cybersecurity circles. What is less explored and rarely capitalized on is the distinct benefit defenders have from their access to, and information about, their own attack surface, systems, and organization. Attackers are spending time and money to gain information and ultimately access to what the defenders already have. In an infinite game, as players with a unique advantage, defenders need to leverage this as infinite players in the most complete and continuous way possible.

Finite Battles in an Infinite War

Some adversaries will set themselves up for finite, win-or-lose battles in the larger infinite war. This is where cost benefit comes into play. Actors that are financially motivated (APTs, organized crime) are likely to set some bounds on their activity because, at some point, their time and money no longer provide a cost benefit against a given target. For example, in our Transexperiafax target anecdote from previous chapters, an attacker has some very specific metrics they could use to determine the profitability of such a target and leverage that information to bound finite game durations, incorporating profitability as an activity limiter. If profitability starts to diminish due to a shrinking cost benefit, the adversary can simply drop out of the game against that specific defender and move on to another, more profitable target.

Defenders can do this too, both by manufacturing finite battles and by recognizing where finite battles will occur for their organization within a greater infinite conflict. Take, for example, a company that operates a global small-satellite constellation in low earth orbit (LEO). Let’s say the company provides imaging services. Now, the organization itself wants to play the infinite game. Strategically, it wants to continue to operate the satellites and sell imaging services as long as possible. As such, cybersecurity too must be played broadly in an infinite sense by infinite-minded players.

There are aspects of the attack surface, however, that lend themselves to more finite perspectives and can be fought on finite grounds. The operation of the organization may, hopefully, be unbounded by time, but the lifespan of LEO satellites is decidedly not. They may be operationally capable for only a matter of two or three years. That operational lifespan can be leveraged to bound the cybersecurity effort on the portion of the attack surface represented by the system of systems that is a satellite constellation. The defenders can now make cybersecurity and risk decisions in a somewhat bounded environment, limited by operational durations. This means that risk mitigation and cost benefit are considerations for a specific timeline and can be tailored toward winning a defined two-to-three-year battle, instead of an endless one.

This example is arguably a gross oversimplification, but I think it does well to highlight that there are certainly aspects of an organization’s strategic operations that can be taken as winnable finite games in the larger accepted infinite game construct that must be acknowledged.

Applying the Theory

Applying infinite game theory to cybersecurity implementations is not, and will not be, an easy task. Cybersecurity struggles to find justification or prove capability where there are no easy metrics of success. Unfortunately, those are precisely the areas where cybersecurity is needed most. We will discuss a few high-level applications that look to improve infinite cybersecurity game play and use graphical diagrams to illustrate how they and other principles can help improve any organization’s chances at infinite participation.

The best way to apply this is to identify the cases where we can gain an advantage over as many attackers as possible, while intelligently conceding that there are some (nation-states) for which there is no ceiling or timeline for us to shortcut. In those cases, we must simply attempt to close on their curve as much as possible.

Adversary as a Service (AaaS)

OK, so maybe that was a jab at the preponderance of [insert thing] as a service (*aaS) terms and capabilities being slung around willy-nilly. In all seriousness, this is a concept I have discussed at length with other cybersecurity professionals, and it seems to be focused on the infinite game as well as relying on the one advantage defenders do hold in that game, self-knowledge and access.

Typically, some of the most powerful defensive operations an organization can undertake are robust monitoring capabilities and threat-hunting campaigns. Unfortunately, monitoring, and to a greater degree threat hunting, rely on admittedly outdated and non-standardized intelligence to help them zero in on malicious activity in the network. Even frameworks like MITRE’s ATT&CK are based on often aged, incomplete, and largely open source information. This means that hunting based on these facts is likely to find you someone re-using a known capability, forgotten access, or known tools, or to lead you down a false flag operation. This is of course because the bad guys also have access to this framework, so they know how different actions, techniques, and tools are attributed.

What if, instead of relying heavily on threat intelligence, we created our own intelligence as an adversary such as a nation-state might? After all, we already have access; we know our own strategic outcomes and goals and how we are going about them. We know our own IT refresh cycles, upgrade and update schedules, etc. Why not create intelligence about our own organization like a nation-state might and leverage that kind of information to inform things like hunting and monitoring as well?

Performing this type of activity is a sort of pseudo red teaming that, when coupled with the proactive assessments afforded by penetration testing and red teaming, can help an organization mitigate risk based on self-knowledge and largely agnostic of threat specificity. By not focusing on individual threats and instead focusing on self-knowledge, intelligence-informed defenders might be able to force multiply their ability to combat larger groups of potential threats.

In a way, this is a next step to practices like resilience. With resilience, we take an understanding of ourselves and our needs to inform risk-reducing practices aimed at keeping an organization in the game. Having an organic adversary as a service capability allows us to red team our own resilience decision matrix and inform threat-hunting campaigns in a way that supports continued pursuit of strategic goals. Withstand as many threats as possible without trying to fight off specific threats.

Attacking the Curve

A former colleague of mine, contributing author Dr. Sewell, asked an interesting non-cyber question that really got me thinking about how to attack the curve (heavy graphical representation of the curve I am talking about soon to follow). He asked: “How long might it take an adversary to find and weaponize a vulnerability in something like routing infrastructure?”

I was not sure, but that was not the point; I said perhaps three to five years. His next question was: “What if every three years, then, we just switch our routing infrastructure to a new brand entirely, such as from Cisco to Juniper, moving the target on the adversary?”

Now there is a lot to poke at, but broadly, this is a very interesting concept. We can’t have a steeper or continuous curve like some nation-states might in targeting us (if we think our organization is actually the target of such efforts). However, maybe we can attack the adversary’s efficiencies in the aspects of time and resources as they play an infinite game with us.

Before we go through the graphs to follow, I must assert that there is a distinct difference in how you approach attacking the curve when talking about criminal organizations and other lower-tier APTs compared to nation-states. As we mentioned, the former have cost benefit in mind; the latter have national security in mind, and their curve can be steep and unending if they feel it necessary. For nation-states, cost benefit in this sense is not really a consideration.

Cost Benefit Refined

In Chapter 3, we discussed cost benefit and how the adversary and the organization may have differing opinions on what cost-beneficial cybersecurity or cyberattack spending looks like, which affects an organization’s ability to adequately resource its protective strategies. Here, instead, we will show how adversaries like criminal organizations might approach their cost benefit line as it pertains to spending time and money before leaving the game if they have not gained the access or information they need by that point. Figure 8-1 shows an adversary spending personnel hours over time to achieve compromise, with a limiting cost benefit line. The adversary is going to spend a lot of hours up front trying to gain access and information, while later spending few hours to siphon out data. They will either abandon the attack if it looks unlikely to have cost benefit, or be successful.

Figure 8-1. Attacker Personnel Hours

On the other hand, the defender will spend personnel hours in a predictable way, their cybersecurity person working forty-hour work weeks over the course of the month, as shown in Figure 8-2.

Figure 8-2. Defender Personnel Hours

Figure 8-3 shows the two alongside each other.

Figure 8-3. Defender and Attacker personnel hours (limited to 160)

It is important to accept that the more realistic scenario is probably that the adversary is willing to spend more than 160 hours in a month, or to have more than one person in the initial phases, which means it could also be as disparate as Figure 8-4, where the adversary has decided it can spend 400 personnel hours and still get a justifiable profit from the compromise.

Figure 8-4. Defender and Attacker personnel hours (realistic)

Figure 8-5 is a different way of portraying Figure 8-3, and Figure 8-6 is a different way of showing Figure 8-4, to highlight the area of the surface between the two curves.

Figure 8-5. Highlighted Defender and Attacker personnel hours (limited to 160)

Figure 8-6. Highlighted Defender and Attacker personnel hours (realistic)

What Figures 8-5 and 8-6 do a good job of showing is the shaded region between the line graphs. This shaded area is essentially a mathematical representation of the disadvantage faced, expressed as a surface area. Anything a defender can do to decrease this surface area is a worthwhile approach to cybersecurity. In these examples, our adversary has a bounded finite battle in the greater infinite cybersecurity conflict. If we as defenders can increase our share of that surface area, or lower or move the attacker’s line of cost benefit, we can successfully impact their ability to win a finite battle and also extend the time we get to play, and the time they have to play, in the infinite game.

So what does it look like when we, instead, graph something like an APT? Well, our one-person cybersecurity department will have the same personnel hour graph, as shown in Figure 8-7.

Figure 8-7. Defender Hours Graph

But now the attacker is a nation-state that feels its national security interests are at stake, and its month of personnel hours spent will probably look like Figure 8-8.

Figure 8-8. Attacker Hours Graph

The striking difference in effort, and the advantage of the attacker regarding time, is shown in Figure 8-9.

Figure 8-9. Comparing Hours Spent

Now when we shade in the surface area of disadvantage, we get a stark representation of the imbalance involved, as shown in Figure 8-10.

Figure 8-10. Effort Gap as Surface Area

Graphs for resources or expenditure would look much the same as the ones we have done with time, so I will not repeat them. These graphs represent a surface area of disadvantage that can be attacked by doing things to increase the defender’s surface area, decrease the attacker’s surface area, or shorten the runway before the attacker runs out of cost benefit. All of this is typically only possible in a semi-bounded, finite conflict, where we hope hackers like criminal organizations essentially have a bottom line. The nation-state graph should show the relative hopelessness of altering the cost benefit equation because, to those organizations, there might not be a bottom line.

So how about the one area where defenders do have the advantage? Let’s take a look at graphs representing knowledge and access. Figure 8-11 shows how the defender starts by knowing about 100% of the network and having access to 100% of the machines while the attacker starts at zero, and how those numbers change over the course of a month as compromises occur. Ultimately, the attacker has access to half the network and ransoms it to the defenders.

Figure 8-11. Knowledge and Access

Figure 8-12 shows the shaded surface area advantage that the defender has in regard to knowledge and access. Attempts at continuously maintaining this advantage are our best chance of playing the infinite cybersecurity game for as long as possible.

Figure 8-12. Defender Advantage
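The figures above are not reproduced here, so the following Python model is an added illustration of the same two ideas, the effort gap of Figures 8-3 through 8-10 and the knowledge/access advantage of Figures 8-11 and 8-12; it is not code from the book or its authors. It assumes one month bucketed into four weeks, a single defender on forty-hour weeks, and constructed weekly attacker plans, budgets (the cost benefit line) and access weeks; none of these numbers come from the chapter beyond the 160- and 400-hour totals it mentions. The "surface area" between two curves is the sum of the weekly differences, and a financially bounded attacker who exhausts the budget before gaining access drops out of the finite battle, which is what moving the cost benefit line looks like in the model.

```python
"""Effort-gap and knowledge/access model for the figures in this chapter.

Hours are bucketed by week over one month (four weeks), so the "surface
area" between two curves is simply the sum of the weekly differences.
All scenario numbers below are constructed for illustration."""
from typing import Dict, List, Optional

WEEKS = 4                # one month as four weekly buckets (assumption)
DEFENDER_WEEKLY = 40.0   # one cybersecurity person on forty-hour weeks


def defender_hours(weeks: int = WEEKS, weekly: float = DEFENDER_WEEKLY) -> List[float]:
    """The defender's curve is flat: a fixed headcount working fixed hours."""
    return [float(weekly)] * weeks


def attacker_hours(plan: List[float], budget: Optional[float] = None,
                   access_week: Optional[int] = None) -> List[float]:
    """Front-loaded attacker effort bounded by a cost benefit line.

    plan        -- hours the attacker would like to spend in each week
    budget      -- total hours the target is worth (the cost benefit line);
                   None models a nation-state with no bottom line
    access_week -- 0-based week in which access is gained; weeks before it
                   count against the budget, weeks after it (siphoning data)
                   do not. None means access is never gained.
    If the budget is exhausted before access is gained, the attacker drops
    out of this finite battle and the remaining weeks are zero.
    """
    spent = [0.0] * len(plan)
    total = 0.0
    for week, hours in enumerate(plan):
        gaining_access = access_week is None or week < access_week
        if budget is not None and gaining_access:
            hours = min(hours, budget - total)   # never cross the cost benefit line
        spent[week] = float(hours)
        total += hours
        if budget is not None and gaining_access and total >= budget:
            break   # cost benefit exhausted before access: leave the game
    return spent


def effort_gap(attacker: List[float], defender: List[float]) -> float:
    """Shaded 'surface area of disadvantage': the area where the attacker's
    curve sits above the defender's (Figures 8-5, 8-6 and 8-10)."""
    return sum(max(a - d, 0.0) for a, d in zip(attacker, defender))


def knowledge_access_advantage(attacker_access: List[float]) -> float:
    """Defender starts at 100% of the network and the attacker at 0%; every
    machine the attacker compromises and ransoms is lost to the defender.
    Returns the shaded area of defender advantage (Figure 8-12)."""
    defender_access = [100.0 - a for a in attacker_access]
    return sum(d - a for d, a in zip(defender_access, attacker_access))


# Constructed scenarios: weekly plans, budgets and access weeks are assumptions.
SCENARIOS = {
    # criminal actor capped at 160 hours, access gained in the third week (index 2)
    "criminal_160": dict(plan=[80, 50, 20, 10], budget=160, access_week=2),
    # the "realistic" case: 400 hours still turn a profit
    "criminal_400": dict(plan=[200, 120, 50, 30], budget=400, access_week=2),
    # same plan, but the cost of gaining access crosses the line first
    "criminal_abandons": dict(plan=[80, 50, 20, 10], budget=100, access_week=2),
    # nation-state: national security at stake, no bottom line
    "nation_state": dict(plan=[400, 400, 400, 400], budget=None, access_week=None),
}


def scenario_report() -> Dict[str, Dict[str, object]]:
    """Attacker curve, defender curve and the gap for every scenario."""
    report = {}
    defender = defender_hours()
    for name, params in SCENARIOS.items():
        attacker = attacker_hours(**params)
        report[name] = {
            "attacker": attacker,
            "defender": defender,
            "gap_hours": effort_gap(attacker, defender),
            "abandoned": params["budget"] is not None and sum(attacker) < sum(params["plan"]),
        }
    return report


if __name__ == "__main__":
    for name, row in scenario_report().items():
        print(f"{name:18s} attacker={row['attacker']} gap={row['gap_hours']:.0f}h"
              f" abandoned={row['abandoned']}")
    # constructed Figure 8-11 path: attacker ends the month holding half the network
    print("knowledge/access advantage:", knowledge_access_advantage([0, 10, 30, 50]))
```

Running the script prints a gap of 50 hours for the 160-hour criminal, 250 for the 400-hour one and 1,440 for the nation-state, and shows the 100-hour budget case dropping out after two weeks with no access; the only lever that changes the nation-state row is the defender's own curve, which is the chapter's point about where cost benefit does and does not apply.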

Summary

This chapter has identified that cybersecurity is not a finite game but an infinite one. This builds upon what we have already learned about the preconceived notions, misconceptions, and misconstruing that happen in the cybersecurity industry. We can see that theoretical cybersecurity concepts like strategic cybersecurity, and now infinite cybersecurity, are the real path forward for the industry and the only way to effectively grow the body of work beyond sales pitches and profit margins. At a high level, we have discussed possible concepts that would involve performing and implementing more infinitely minded cybersecurity, but the real challenge is up to you, the reader, and the industry at large to embrace the theoretical and eventually practical pursuit of these sorts of concepts. Once again, resiliency has been called out as the naturally occurring evolution of participation in the infinite game, which further highlights the need for us to innovate in such directions rather than be pushed toward them, as has been the case. The following chapters, Chapter 9 and Chapter 10, are intended to represent what an academic pursuit of researching and proving out an example of this concept might look like. This is intended to foster further development of theoretical cybersecurity innovation.
