A panicked employee walks into your office and tells you that several of your systems have been locked up by ransomware.
What happens next? What should you do? What will the attacker do?
An example of this happened last year during the Kaseya attack. Malicious actors targeted the remote system management software Kaseya in hopes of victimizing large organizations with cloud-based versions of the software. During this time, many smaller companies that were not the intended target of the attack were also compromised and unable to contact their offsite technical support for assistance. Victims of this attack were left wondering what would happen next.
Unfortunately, it’s impossible to know what exactly will happen next, especially if your company hasn’t practiced incident response.
However, there are a few methods of understanding the potential outcomes of a cyber attack such as ransomware. One of them is something most people are familiar with: Game Theory.
What is Game Theory? (the Prisoner’s Dilemma)
Game Theory is a method of predicting the actions of an individual based on their perceived payoff for their actions. The most popular problem in Game Theory is the prisoner’s dilemma:
This problem in Game Theory plays on the most beneficial course of action for both players. If both players remain silent, they both get one year in prison. If one player confesses and the other does not, the player that confessed does not go to prison but the other player gets 10 years in prison. If both confess, both players get 5 years in prison.
With this layout of potential punishments, both players will attempt to confess, hoping the other will not confess. This happens because their most beneficial payoff would be to get no years in prison due to their confession. Since both players will almost always attempt to confess, the game will almost always end with both players getting 5 years in prison each.
How does Game Theory apply to cybersecurity?
In cybersecurity, Game Theory can be used to begin understanding what a potential attacker may be attempting to do based on the payoffs for their actions. While the payoffs are often abstract in theory, a more tangible value can be assigned to them to help guide understanding and decision making. In a cybersecurity incident, the main payoffs are the monetary earnings or losses for the attacker and victim respectively.
For example, the worst-case payoff in an example ransomware attack could be the attacker gaining $50,000 while the victim loses that $50,000 plus another $50,000 in downtime and data.
Since we can assign the payoffs for what the attacker would want and what the victim would lose, we can use Game Theory to form a rudimentary understanding of what the attacker might be going after and what actions can be taken to minimize the adverse impacts to the victim of the attack.
In this situation we have the assumed values:
Ransomware Price: $50,000
System Downtime Cost if Attacker Releases Data: $25,000
System Downtime Cost if Attacker Doesn’t Release Data: $50,000
With this current game tree, where the attacker takes the payoff on the left and the victim takes the payoff on the right, both players will attempt to play their ideal actions over the course of the situation. In this case, the attacker would hack, the victim would not pay and the attacker would most likely not release. This is the current equilibrium for the game as both players are taking their ideal actions from the beginning of the game to attempt to get their ideal payoffs.
In the above example of a ransomware attack, other factors also need to be considered. If the victim has a backup solution that can be utilized, the major loss can be circumvented, with the only loss being the time needed to restore backups. Being able to map these possibilities while utilizing supplemental information from consultants and qualified personnel can help to result in an outcome that is least detrimental to the victim of the cyber attack. This same method can be used to ensure that the attacker gets the smallest payoff possible.
The tree is the same as above, with the added assumption that the cost to restore the system using backups is $10,000.
If you look at this chart, the victim now has another option that they can take at their step in the cyberattack. By having a backup solution in place prior to the attack on their system, the victim is able to circumvent the second action of the attacker. This allows the victim to reach their ideal scenario, where they keep the $50,000 that they would have needed to pay the attacker in order to recover their data, minus the cost to restore the backups.
When factors are added to the game tree, new solutions and values are able to be displayed. For example, if the victim does not pay and restores backups, the attacker could continue the game with a new action – threatening to publish the data on the dark web. A new tree stemming from the outcome would be created, and new dollar values would need to be assigned for each potential new outcome.
Please note that the above trees are just examples. While the example shows that not paying is always optimal, different values will be present for every attack. There may be situations where the victim’s best outcome can be obtained by paying the attacker.
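The two trees described above, solved by backward induction, as an added example that is not part of the original article. The dollar figures are the article's assumed values (ransom $50,000, downtime $25,000 if the data is released and $50,000 if it is not, $10,000 to restore from backups); the tie-break rule, that an indifferent attacker takes the move worse for the victim, is our own assumption so that the defender plans for the worst case.

```python
# Added example, not from the original article: the article's ransomware game
# tree solved by backward induction; the attacker tie-break rule is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RANSOM = 50_000         # ransomware price
DOWN_RELEASED = 25_000  # system downtime cost if the attacker releases the data
DOWN_WITHHELD = 50_000  # system downtime cost if the attacker does not release
RESTORE = 10_000        # cost to restore from backups (second tree in the article)

Payoff = Tuple[int, int]  # (attacker, victim): attacker on the left, victim on the right

@dataclass
class Node:
    player: Optional[str] = None          # "attacker", "victim", or None for a leaf
    payoff: Optional[Payoff] = None       # set on leaves only
    moves: Dict[str, "Node"] = field(default_factory=dict)

def leaf(attacker: int, victim: int) -> Node:
    return Node(payoff=(attacker, victim))

def solve(node: Node) -> Tuple[Payoff, List[str]]:
    """Backward induction: each player maximises their own payoff. Assumption: an
    indifferent attacker picks the move that is worse for the victim (worst case
    for the defender). Returns the equilibrium payoff and the path of moves."""
    if not node.moves:
        return node.payoff, []
    results = {m: solve(child) for m, child in node.moves.items()}
    def rank(item):
        (atk, vic), _ = item[1]
        return (atk, -vic) if node.player == "attacker" else (vic,)
    move, (payoff, path) = max(results.items(), key=rank)
    return payoff, [move] + path

def release_subtree(paid: bool) -> Node:
    """Attacker's second move: release the data (decrypt) or withhold it."""
    ransom = RANSOM if paid else 0
    return Node("attacker", moves={
        "release": leaf(ransom, -ransom - DOWN_RELEASED),
        "withhold": leaf(ransom, -ransom - DOWN_WITHHELD),
    })

def ransomware_tree(with_backups: bool) -> Node:
    victim_moves = {"pay": release_subtree(True), "not pay": release_subtree(False)}
    if with_backups:  # backups end the game before the attacker's second move
        victim_moves["restore backups"] = leaf(0, -RESTORE)
    return Node("attacker", moves={"no hack": leaf(0, 0),
                                   "hack": Node("victim", moves=victim_moves)})
```

Calling `solve(ransomware_tree(False))` gives the article's first equilibrium (hack, not pay, withhold, victim loses $50,000); `solve(ransomware_tree(True))` gives the second (hack, restore backups, victim loses $10,000). Adding the dark-web publishing threat the article mentions would mean replacing the `restore backups` leaf with a further attacker node once dollar values for it are chosen.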
Limitations of Cybersecurity Game Theory
Unfortunately, there are many issues with using Game Theory for Cybersecurity.
The number one limitation is the innate unpredictability of an attacker. While their actions can be approximated and hypothesized, there is no way to fully understand what the malicious actor wants until they make an express move to try to target a specific portion of the system.
A ransomware attack is a relatively simple scenario to apply game theory to, since the payoff for both parties can be ascertained with relative ease. The values for the situation come from the payment the attacker demands and whether or not the victim is willing to pay. Granted, the unpredictability of the attacker would still allow for surprising actions to be taken. For example, if they see no value in continuing and decide to release the information back to the victim, that action would be unpredictable.
Other, more complicated attack scenarios, such as an insider threat, have many more factors to consider and would be very time consuming to create the payoffs and game trees for. In the time it would take to map, the threat may have come and gone. It’s impossible to know the value of the variables someone could gain by betraying a company, creating a situation where the unknown variables and values outweigh the known variables – reducing the usefulness of the game tree.
Not Perfect, Still Useful
While Game Theory is an imperfect system for determining the effects and methodologies of a cyber attack, it still has value to help predict the outcome of a situation to better prepare for it.
A game tree could be created to plan potential outcomes for a cybersecurity incident response tabletop exercise, or to imagine where security controls could be added to prevent or circumvent an attacker’s actions.
Controls such as Intrusion Detection Systems (IDS) or Intrusion Detection and Prevention Systems (IDPS) could stop attackers from successfully completing a hack. Backup solutions can be used to reduce the damage an attacker does in a ransomware attack.
It may be impossible to know the exact outcome of a cybersecurity incident, but with Game Theory you can come to a better understanding of what could happen, allowing you to better plan for and respond to cyber incidents.