Any time there is something valuable it means that multiple parties want it, be it the Maltese Falcon, state nuclear secrets, proprietary business information, or a database full of usernames and passwords for a popular forum. James Caroland, U.S. Cyber Command, and Greg Conti, Director of the Cyber Security Research Center at West Point, put together a commentary about why it’s important to think like a cheater (and by connection: a hacker) in a presentation called “Lessons of the Kobayashi Maru: Cheating is Fundamental.”
The Kobayashi Maru is a test from the Star Trek universe: an unwinnable scenario designed to show the true colors of a commander under intense combat. A Starfleet cadet is given a mission to rescue a distressed ship, the one that gives the test its name. Little do they know that the test is programmed to make this impossible. However, in the universe of Star Trek we learn that one person, and one person only, has ever successfully rescued the Maru: Captain James T. Kirk, and he did it by exploiting the program.
When talking about cybersecurity I often bring up cheating in video games (for example, cheaters in Diablo III and Blizzard’s response to them). This is because games represent a microcosm of competitive behavior, including all the facets of adversarial rules-use. In the enterprise world, hackers essentially act as “cheaters” by looking at the rules of the systems they’re attempting to breach and thinking about how they can exploit and subvert them.
Cybersecurity is made up of multiple, complex, interlocking elements and the most important is how humans interact with the rules. Learning to think like an adversary attempting to breach the circle of trust, or exploit the rules, can lead to a better understanding of what needs to be watched for and how to intercept and to prevent intrusions.
From the transcript of the video,
Every day security professionals face off against adversaries who do not play by the rules. However, at every turn in life we are taught to never… ever… cheat.
Traditional information security education and training programs further compound the problem by forcing students to behave in a flawlessly ethical manner else face expulsion and castigation. In our work we have been teaching people to cheat. As the Kobayashi Maru taught us, it is only by stepping outside the rules of the game that we can truly succeed against no-win scenarios, and today much of information security is a no-win scenario. This talk will cover how to foster creativity and cultivate an adversary mindset through carefully structured classroom cheating exercises.
We’ll cover dozens of techniques and show you the best of our students’ work from writing answers on ceiling tiles to engraving answers on a watch to creating a false book cover for Little Brother X. We’ll also cover the underlying security principles, lessons, and countermeasures that we learned in the process. You’ll leave the talk with a better appreciation for the importance of cheating.
At the personal level, this sort of thinking is why security experts warn people not to use the same password across multiple, linked services. We can fully expect that hackers who have gotten our username/password combinations will then go and use them across popular Internet services. In the video, it’s mentioned that the students used the instructors’ “inherent laziness” or customs against them.
This is also why hackers use spear-phishing to gain access to systems that would otherwise be impenetrable to unauthorized outsiders. When something valuable is put under lock and key, it’s natural to expect an attacker to attack the lock (guessing the password) in order to get inside; but if they can instead con the key out of the authorized person, they can skip the step of attempting to subvert the lock. Knowing this, we can anticipate the vectors that might be used to take our passwords.
The appearance of the state-sponsored cheater and Big Data
This isn’t something altogether new. In fact, before the rise of the Internet we had a different name for the state-sponsored cheater: the spy. Espionage is filled with cheaters, people trained to look at interlocking security systems and subvert the rules. As soon as the Internet hit the deck with a clattering roar and connected the entire world, those states went to work cooking up spies for it too.
Malware such as Stuxnet and Flame looks exactly like what one would expect a state-sponsored cheater to use for some sort of sabotage or espionage. Of course, malware is best described as “automated cheating” more so than any other sort of espionage endeavor; computers add the element that they can make decisions for themselves based on their own rules. When it comes to botnets, this can also be their downfall, as when researchers terminate them using their own communication codes.
Governments and large corporations have similar concerns about protecting their secrets and proprietary information; as a result both also must prepare themselves for spies to attempt to subvert their carefully crafted defenses.
The answer for the new world of state-sponsored malware and automated cheating will come from the venue of Big Data. Much of cybersecurity is about watching a multitude of vectors all at once and looking for patterns. A normal operating system behaves in a healthy, somewhat predictable way; but when an intruder is attempting to gain access they will probably do something that normal people don’t usually do (especially if they’re masquerading with a stolen key). As a result, we need the means to discover them before they do damage.
To do that, enterprise and government sectors are looking for solutions that can watch a huge amount of data in real time and look for cheating. Being able to think like the cheater means that cybersecurity experts can better train their big data expert systems to detect it—not just by looking for the out-of-pattern individual behavior or a system acting strange—but by watching for patterns that match those that they themselves would use in an attempt to subvert the rules.
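The two views described above, as an added example that is not part of the original article or the talk: an out-of-pattern check against each user's login baseline, and a rule modeled on how an attacker would replay stolen username/password pairs. The event fields, thresholds, function names, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
HISTORY = [("alice", "10.0.0.5"), ("bob", "10.0.0.9"), ("carol", "10.0.0.7")]
EVENTS = [  # (minute, user, source_ip, success)
    (0, "alice", "10.0.0.5", True),
    (1, "alice", "203.0.113.8", False),
    (1, "bob", "203.0.113.8", False),
    (2, "carol", "203.0.113.8", False),
    (2, "dave", "203.0.113.8", False),
    (3, "bob", "203.0.113.8", True),     # reused password accepted
    (9, "carol", "198.51.100.4", True),  # new source, but no attack pattern
]

def build_baseline(history):
    """Map each user to the sources they normally log in from."""
    seen = defaultdict(set)
    for user, src in history:
        seen[user].add(src)
    return seen

def out_of_pattern(events, baseline):
    """Anomaly view: successful logins from a source new to that user."""
    return [(t, u, s) for t, u, s, ok in events
            if ok and s not in baseline.get(u, set())]

def stuffing_sources(events, window=5, min_users=3):
    """Adversary view: one source failing against many users in a short window."""
    fails = defaultdict(list)
    for t, u, s, ok in events:
        if not ok:
            fails[s].append((t, u))
    flagged = set()
    for src, attempts in fails.items():
        for start, _ in attempts:
            users = {u for t, u in attempts if start <= t < start + window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged

def likely_compromised(events, flagged):
    """Accounts with a successful login from a flagged source."""
    return sorted({u for _, u, s, ok in events if ok and s in flagged})

if __name__ == "__main__":
    odd = out_of_pattern(EVENTS, build_baseline(HISTORY))
    bad = stuffing_sources(EVENTS)
    print("out of pattern:", odd)
    print("stuffing sources:", bad, "-> review:", likely_compromised(EVENTS, bad))
```

The baseline check alone flags both bob and carol; combining it with the adversary-modeled rule narrows the review to bob, whose successful login came from the source that was cycling through usernames.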
We can expect that the next generation of antivirus, anti-malware, and hacker-defeating tools will be Big Data and expert-system real-time analysis tools that take to heart the lesson of the Kobayashi Maru.