I grew up in an environment filled with fun and engaging games. My parents, who were Grand Life Masters in the game of Bridge, believed their children could “learn to think” by playing and facing the challenges presented by different strategy games. Growing up, my family played many hours of strategy games such as Chess, Risk, Bridge, and many others. One of my favorite games was Stratego. As CTO of an organization specializing in information security solutions and vulnerability management services, I often see parallels between the strategy game I played as a child and the very real and serious methods of vulnerability management.
A Short Explanation of the Game
Have you ever played Stratego? If so, you can skip past this part. If not, here’s how it works:
Stratego is a two-player game where each player has a 40-piece army. One player plays the red army, and the other plays the blue army. Each army has a piece which is its Flag, and the object of the game is to capture the opponent’s Flag. In this regard, we see it already relates to cyber attack and defense.
Each army’s pieces have two sides, where one side shows the piece’s rank and the other does not. When you place the pieces on the game board, you see your pieces’ ranks but your opponent does not. I show a picture of the game set up. I am playing the Blue army and can see my opponent’s red army set up, but I can’t see the ranks on those pieces.
Each army includes a Flag, 6 Bombs, a Spy, and the remaining pieces are those which represent different army ranks, such as Marshal, General, Colonel, Major, and so on, down to Scouts. These pieces are numbered 1 through 9. In the traditional game, the lower-numbered pieces are stronger than the higher-numbered pieces. For example, the Marshal is labelled 1 and is stronger than the General, which is labelled 2, which is stronger than the Colonel, labelled 3, and so on. Each player moves one piece per turn. Most pieces can move 1 square either forward or backward, left or right (but not diagonally). The Scout, numbered 9, may move 1 or more squares at a time. A player attacks an opponent’s piece by touching it in the next square, upon which each player must reveal their piece to see who wins. The losing piece is then removed from the board, and if the attacking piece wins, it moves into the opponent’s piece’s square. In the case of equal ranks, both pieces are removed from the board. Any piece which attacks the opponent’s Flag will win that piece and, of course, win the game, because it captured the opponent’s Flag. From this perspective, the Flag is the most vulnerable piece. Although the Marshal (numbered 1) is considered the strongest piece, if the Spy attacks it first, the Spy will win. Any piece which attacks the Spy wins, even the Marshal. Only the Miners, numbered 8, can defuse a Bomb; all other pieces which attack a Bomb will blow up and must be removed from the board.
With this in mind, I touch on a few cyber defense strategies and lessons we may learn from this game, including Threats/Vulnerabilities, Protection/Prevention, Incident Response, and Deception.
Vulnerabilities are Everywhere
If you’ve played Stratego before, you will agree every piece is vulnerable to something. The Flag can be captured by any moving piece, Bombs win against all pieces except the Miners, and even the Marshal is vulnerable to the Spy. This is analogous to the real world, in which we have data and service availability we want to protect, and which are encompassed within our network endpoints. Our endpoints include hardware and software, both of which always have the potential for vulnerabilities. We may know of some or most of our own weaknesses, but even then, there are Zero-Days we are unaware of. Given this, just as in Stratego, we need to set forth strategies to protect our value (our Flags) for effective cyber defense.
Use of Preventive Strategies
In Stratego, the Flag is the player’s ultimate value, because once it is captured, the game is over. It wouldn’t make sense to place it in the front row of our territory. That would be risky and would likely result in a fast game conclusion. With that in mind, we realize board setup is a very crucial part of the game’s strategy. In terms of cyber defense, the board setup relates to our investment in our security prevention technologies and our operation of these.
Typically in Stratego, one places the Flag in the deepest row of one’s territory, and most would agree that surrounding it with Bombs is a good setup choice. See the figure above, which shows that I placed my Flag deep in my territory and surrounded it with Bombs on either side. Since only the Miner can defuse a Bomb, and the opponent starts out with only five of these pieces, the Flag is quite protected. This strategy correlates to the protection of data with encryption. An alternative analogy is to consider the Bombs as Firewalls. Certainly, the rows on the board where the pieces are placed in one’s territory are analogous to network segmentation – you have to get past the first row in order to get to the next. Network segmentation is therefore a crucial part of cyber defense.
Another strategy in Stratego is to realize that each piece is vulnerable to something, and with that in mind, one attempts to protect pieces with other pieces. For example, the General is a very strong piece (numbered 2 in the traditional set) but is not invincible; it is vulnerable to the Marshal (numbered 1). However, the Marshal may be defeated by the Spy, provided the Spy attacks it first. A common strategy is to keep the Spy close to the General, so that if the General is defeated by the opponent’s Marshal, the Spy may in turn defeat the Marshal. Although there is no direct analogy to this in cyber defense, one may consider it similar to managing one’s endpoint vulnerabilities (prevention) by patching vulnerabilities, especially those on high-value assets, along with incident response technologies to detect the movements of the attacks. To do this, deception is frequently employed in one’s movement of the Spy piece so that the opponent is tricked into risking its Marshal. Speaking of deception, let’s explore more deception strategies.
Deceiving the Attacker
Deceptive strategies are used in Stratego in different ways. One way involves setting up the board so that Bombs are placed around a piece which is not the Flag. One then moves one’s pieces in such a way as to give the impression there is something to protect in the area of the board where the fake Flag lies. If the attacker then attacks one of these Bombs, and even if they defuse it with one of their Miners, you then defeat their Miner with the fake Flag, which is typically a piece stronger than a Miner (e.g. a Sergeant, which is numbered 7). This Stratego deception strategy is illustrated below with a board setup reflecting a Sergeant “protected” by two Bomb pieces.
This strategy is like setting up Honeypots in your network with the goal of getting attackers to waste time in that part of the network. It also enables one to glean intelligence on the threats attacking the network and take appropriate action, even though there is no danger of losing value. Slowing down the attacker gives more time for one’s incident response in other areas of the network.
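As an added illustration of the Honeypot point above (example code written for this article’s discussion, not something from the original post or any particular product), the following script shows why decoys are such a useful detection signal: no legitimate workflow ever talks to a decoy host, so any connection to one is worth an alert, and a source that sweeps several decoys or several services looks like a Scout probing for Bombs. The decoy addresses, the log format and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed decoy inventory for this example: hypothetical hosts that carry no
# real data and that no legitimate user or service should ever connect to.
DECOY_HOSTS = {"10.0.9.20", "10.0.9.21", "10.0.9.22"}

# Constructed firewall-style connection records (not real log output).
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.0.1.15 dst=10.0.2.10 dport=443 action=allow
2024-03-01T09:00:04 src=10.0.1.15 dst=10.0.2.11 dport=443 action=allow
2024-03-01T09:01:10 src=10.0.4.77 dst=10.0.9.20 dport=445 action=allow
2024-03-01T09:01:11 src=10.0.4.77 dst=10.0.9.20 dport=3389 action=allow
2024-03-01T09:01:12 src=10.0.4.77 dst=10.0.9.21 dport=445 action=allow
2024-03-01T09:01:13 src=10.0.4.77 dst=10.0.9.22 dport=22 action=allow
2024-03-01T09:02:00 src=10.0.1.30 dst=10.0.9.21 dport=80 action=allow
2024-03-01T09:02:30 src=10.0.1.30 dst=10.0.2.10 dport=443 action=allow
garbage line that does not parse
"""

# Field layout of the constructed records; anything else is skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass
class DecoyAlert:
    source: str
    first_seen: str
    decoys: set = field(default_factory=set)  # decoy hosts this source touched
    ports: set = field(default_factory=set)   # services it tried on them

    @property
    def severity(self) -> str:
        # Sweeping several decoys or several services resembles a Scout
        # probing for Bombs; a single touch is still an alert because
        # decoys have no legitimate traffic at all.
        if len(self.decoys) >= 2 or len(self.ports) >= 3:
            return "high"
        return "medium"


def parse_line(line: str):
    """Return the record's fields as a dict, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_decoy_touches(log_text: str, decoys=DECOY_HOSTS):
    """Group every connection to a decoy by source, most aggressive source first."""
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in decoys:
            continue  # normal traffic, or a line we cannot read
        alert = alerts.get(rec["src"])
        if alert is None:
            alert = DecoyAlert(source=rec["src"], first_seen=rec["ts"])
            alerts[rec["src"]] = alert
        alert.decoys.add(rec["dst"])
        alert.ports.add(rec["dport"])
    # High-severity sources first so responders know where to contain first.
    return sorted(alerts.values(), key=lambda a: (a.severity != "high", a.first_seen))


def summarize(alerts):
    """One human-readable line per alert, ready for a ticket or a SIEM note."""
    return [
        f"{a.severity.upper()} source={a.source} first_seen={a.first_seen} "
        f"decoys={len(a.decoys)} ports={sorted(a.ports)}"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in summarize(find_decoy_touches(SAMPLE_LOG)):
        print(line)
```

Run as-is, the script flags the sweeping source as high severity and the single-touch source as medium, while the ordinary 10.0.2.x traffic produces nothing. The intelligence the Honeypot analogy promises is in the alert itself: which decoys were touched and which services were tried tell the responder what the attacker was looking for, before anything of value was at risk.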
Slowing Down the Attacker and Incident Response
I touched on the concept of slowing down the attacker above. In Stratego, this concept is used often. For example, the board has two lakes which separate army movements along three different fronts: the left side, the center, and the right side of the board. One strategy is to place one’s pieces in such a way as to limit the mobility of the opponent. For example, you may place Bombs in different areas on the right side of the board, and you may play in such a way that you don’t move much on that side. If the opponent wishes to attack through that side, they first need to take time to discover where the Bombs are, and second, they risk losing pieces to Bombs. You may then focus more play on the center and the left side of the board. This slows down the attacker.
For cyber defense, you also want to slow down the attacker so as to give yourself more time to detect the attacks and to take appropriate action. You can do this in different ways. One is by way of deception, as described above. Other ways include eliminating vulnerabilities by patching strategically, effective network segmentation and firewalling, and other protective and preventive means.
Strategy is important in gaming as well as in life, and this strongly applies to cyber defense. There is no one-size-fits-all cyber defense strategy, just as there are many different strategies and board setups in the game of Stratego. What we learn, though, is that there is a mix of different strategies we should use, including preventive and proactive protection, deception, and incident response. These should be balanced in consideration of what we are protecting and what we have to lose.
Happy playing and learning.