Applying Poker Theory to Incident Detection & Response

Last updated at Mon, 28 Oct 2019 16:59:08 GMT

Editors Note: Calling Your Bluff: Behavior Analytics in Poker and Incident Detection was really fun and well received, so here's an encore!

Hold'em & Network Security: Two Games of Incomplete Information

When chatting about my past poker experience, there's one statement that pops up time and time again:

“So… as a 'pro'… you probably bluff a lot.”

A bluff is a bet made knowing that if called, you have no chance to win at showdown. At its core, a bluff is an attack - betting and raising in an effort to win, or some may say, “steal," the pot. Deciding to attack your opponent is always a risk. Your target merely needs to call to drag in the pot - if your opponent has a strong hand, this can be the equivalent of burning money.

   Tom Dwan, one of the most intuitive and aggressive hand-readers of all time.

Similar to poker, an intruder on your network is also making decisions based on incomplete information. He or she doesn't have perfect information on your vulnerabilities, incumbent technology, or the security stack you have in place. Getting an initial foothold on the network involves risk - he or she is forced to leave behind traces in order to make headway.

So how do attackers know when to bluff, and how does this relate to incident detection and response? For poker, in theory, it's quite easy.

Imagine...magically, you could see the other person's hole cards - you'd never make a mistake. Not only could you extract optimal value every time you had a better hand, you could also attack with impunity when your opponent holds absolute weak holdings (say, a weak pair or worse). Therefore when deciding to bluff, your own cards don't matter, and two tenets hold true:

• Attack players who fold too much, or adapt poorly to a high level of aggression
• Analyze opponent behavior to read their hand and identify signs of weakness

How Attackers Choose Their Methods

In security, it's much easier to launch an attack. First of all, there's no getting stared down eye-to-eye after you throw in the payload salvo. Second, attackers are largely opportunistic and motivated by quick financial gain. Instead of developing an intricate plan against a single target, attackers can knock on thousands of doors for a quick win. This means attackers:

• Target organizations with both monetizable data and an immature security program
• Use previously successful signs of weakness (e.g. what's worked in the past?)

In both endeavors, the aggressor usually has only one good shot before the defenses go up. A poorly executed attack greatly reduces the chance of succeeding again. With this mindset, how do you improve your security program to detect an attack? At Rapid7, instead of comparing your security program to similar organizations, we recommend modeling to the Attack Chain, pictured below.

Following this model, here are three best practices to improve your security program:

1. Ensure you have detection for previously successful attack vectors.

If it ain't broke, don't fix it. In this year's Verizon DBIR, 63% of organizations leveraged credentials in the attack. This ranges from stolen credentials to weak passwords and policies (non-expiring passwords, anyone?).

2. Detect earlier in the attack chain.

If you only get an alert when unauthorized access of your critical assets occurs, that's really late into the game. By detecting an intruder during initial compromise and attacker reconnaissance, your team can catch the attack earlier, ideally before monetarily valuable data is breached.

3. Have coverage on each of the steps appropriate to your security bandwidth.

From Rapid7 research, our white and black hat teams, and the Metasploit project, we've found that organizations are adequately identifying malware, but leave gaps in detecting credential based attacks, endpoint detection (including malicious local lateral movement), and cloud services. A true detection-in-depth should identify anomalous behavior at each step in the chain, for a variety of attack vectors, across the network ecosystem.

Of course, that's easier said than done. From our annual Incident Detection & Response survey, we found that (1) organizations have strained security teams, (2) are plagued with too many alerts from their existing technology, and (3) incident investigations - especially for false positives - just take too much time.

At Rapid7, we focus on detecting and stopping intruders anywhere they go in your ecosystem. Our team's experience and research on attacker methodology can assist your security team whether you have gaps in people, process, or technology. If this piqued your interest, check out our recent research report on how intruders attack passwords in The Attacker's Dictionary – Auditing Criminal Credential Attacks.