As a former – or dormant – professional poker player, I'm seeing a lot of parallels between poker and incident detection, especially when it comes to behavior analytics. Detecting a bluff in poker is really not all that different from detecting an intruder on the network.
New solutions, like Rapid7's InsightIDR, incorporate machine learning and user behavior analytics to detect stealthy attacks. This is an evolution from signature-based solutions, which only work against known threats. Let's look at how analyzing behavior applies to both poker and incident detection.
How to Detect a Poker Bluff
Poker players are always interested in learning how to better detect a bluff. What is a bluff? It's a bet your opponent (or “villain”, in poker jargon) makes to steal the pot with a weaker hand than yours. It works by convincing you that the villain holds a stronger hand than he actually does. Nobody likes to get bluffed – it means you folded the best hand, one that would have won the pot at showdown. It evokes a strong emotional response: you're being stolen from. I imagine we feel the same way about intruders using compromised credentials to steal company financials, PHI, or credit card data.
If you were facing a large bet on the river (the last betting round), you might readily notice the following:
- The intensity of villain's stare, facial expression, or posture
- Shakes, trembles, or nervous tics
- Size of the bet in relation to the pot in the middle
While these can be valuable indicators, they are meaningless without a baseline to draw from. Perhaps the villain always stares at his opponents, or fidgets, or bets large amounts. In order to reliably detect a bluff, we must compare his current behavior with the baseline in our brain:
- Is he winning or losing today? If he's down money, will he notch up his aggression levels?
- How often does he bet the river? Have we seen him stab at the pot with a weak hand before?
- What does he think I have? What do I think he wants me to do? (The better we understand villain, the more accurate our educated guesses will be.)
Notice how these questions incorporate baselining – I can only answer them by having played with him in the past. During a night of play, a solid poker player keeps taking in every player's betting habits, physical tells, and prior history. The best players adapt their play to react to each individual player. That means they might play the exact same hand very differently against each player at the table.
Applying Poker Playing to Incident Detection
InsightIDR applies the same concept of behavior analytics to your network by baselining user behavior. This enables InsightIDR to detect intruders hiding behind legitimate user credentials. An organization without a user behavior analytics solution is the “fish” at the table, unable to separate the noise from the valuable undercurrent of information. InsightIDR gives you the tools you need to see intruder “tells” & movements as they happen, in real time.
In fact, attackers on a network are much easier to detect than a poker bluff, for two reasons:
- Intruders on your network behave very differently from regular company employees
- Attackers don't know they're regularly being hunted – yet. As they continue to evolve their techniques, we will be right beside them, through our Metasploit, Penetration Testing, and Rapid7 Labs teams.
By integrating with your existing network infrastructure, baselining your organization's behavior, and applying our knowledge of attacker methodology, you can:
- Detect stealthy attacks such as compromised credentials & lateral movement
- Investigate incidents faster, armed with user context
- Expose risky user behavior from endpoint to cloud
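To make the baselining idea concrete, here is an added example of the mechanics described above: learn each user's normal authentication behavior from a learning period, then score new events against that baseline. It is illustrative code written for this page, not InsightIDR's detection logic or any Rapid7 code. The log format (timestamp, user, source host, destination asset), the sample log lines, and the per-user signals (new source host, new destination, unusual hour, destination fan-out per hour) are all assumptions constructed for the example.

```python
"""Added example (not InsightIDR code): per-user behavioral baseline for
authentication events, then anomaly scoring of new events against it."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample logs. Assumed format: timestamp,user,src_host,dst_asset
# Learning period: three ordinary days. Note that bob regularly works late.
BASELINE_LOG = """\
2016-03-01T08:55:12,alice,WS-ALICE,FILESRV01
2016-03-01T09:10:40,alice,WS-ALICE,MAILSRV
2016-03-02T08:50:03,alice,WS-ALICE,FILESRV01
2016-03-02T17:45:22,alice,WS-ALICE,MAILSRV
2016-03-03T09:02:11,alice,WS-ALICE,FILESRV01
2016-03-01T07:30:00,bob,WS-BOB,FILESRV01
2016-03-01T07:40:00,bob,WS-BOB,DB01
2016-03-02T07:35:00,bob,WS-BOB,DB01
2016-03-02T22:10:00,bob,WS-BOB,DB01
2016-03-03T07:32:00,bob,WS-BOB,FILESRV01
"""
# New day: alice's credentials are used at 02:00 from an unfamiliar host to
# reach several assets in a few minutes; bob's late-night DB access is normal.
NEW_LOG = """\
2016-03-04T08:57:00,alice,WS-ALICE,FILESRV01
2016-03-04T02:13:05,alice,WS-CONTRACTOR7,FILESRV01
2016-03-04T02:14:10,alice,WS-CONTRACTOR7,DB01
2016-03-04T02:14:50,alice,WS-CONTRACTOR7,HR-APP
2016-03-04T02:15:30,alice,WS-CONTRACTOR7,DC01
2016-03-04T22:05:00,bob,WS-BOB,DB01
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    dst: str


@dataclass
class Baseline:
    src_hosts: Set[str] = field(default_factory=set)
    dst_assets: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    max_fanout: int = 0  # most distinct destinations seen in any one hour


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst = line.split(",")
            events.append(Event(datetime.fromisoformat(ts), user, src, dst))
    return events


def fanout_per_hour(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (user, hour bucket) -> distinct destinations reached in that hour."""
    buckets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        buckets[(e.user, e.ts.strftime("%Y-%m-%dT%H"))].add(e.dst)
    return buckets


def build_baselines(events: List[Event]) -> Dict[str, Baseline]:
    """Learn what 'normal' looks like for each user from the learning period."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        b = baselines[e.user]
        b.src_hosts.add(e.src)
        b.dst_assets.add(e.dst)
        b.hours.add(e.ts.hour)
    for (user, _), dsts in fanout_per_hour(events).items():
        baselines[user].max_fanout = max(baselines[user].max_fanout, len(dsts))
    return dict(baselines)


def usual_hour(hour: int, b: Baseline) -> bool:
    # Assumed tolerance: one hour either side of any hour seen in the baseline.
    return any(abs(hour - h) <= 1 for h in b.hours)


def score_events(events: List[Event], baselines: Dict[str, Baseline]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for every event that deviates from its user's baseline."""
    alerts = []
    fanout = fanout_per_hour(events)
    for e in events:
        b = baselines.get(e.user)
        reasons: List[str] = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e.src not in b.src_hosts:
                reasons.append(f"new source host {e.src}")
            if e.dst not in b.dst_assets:
                reasons.append(f"new destination {e.dst}")
            if not usual_hour(e.ts.hour, b):
                reasons.append(f"unusual hour {e.ts.hour:02d}:00")
            seen = len(fanout[(e.user, e.ts.strftime("%Y-%m-%dT%H"))])
            if seen > b.max_fanout:  # many assets in one hour: lateral-movement signal
                reasons.append(f"fan-out {seen} destinations/hour vs baseline max {b.max_fanout}")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    bl = build_baselines(parse_log(BASELINE_LOG))
    for ev, why in score_events(parse_log(NEW_LOG), bl):
        print(ev.ts.isoformat(), ev.user, ev.src, "->", ev.dst, "|", "; ".join(why))
```

The point of the baseline is visible in the output: bob's 22:05 database access raises nothing because he has done it before, while the same kind of off-hours access under alice's account, from a host she has never used, fanning out to four assets in three minutes, is flagged on every event. Without the per-user baseline, a single "after-hours login" rule would either miss alice or drown you in alerts about bob.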