December 15, 2016 By Kelly Ryver 3 min read

This is the third installment in a series on insider threats, industrial sabotage and game theory. Be sure to read Part 1 for more information on the phases of an insider attack and Part 2 to learn about the concepts of collusion, cooperation and defection.

Game Theory and Multiplayer Games

Before multiplayer games can be understood even in the simplest of terms, a refresher on two-player games is necessary — specifically the components of collusion, cooperation and defection, which form the basis for multiplayer games in game theory. The second part of our series outlines this model.

We’ll leave the mathematics behind multiplayer games to Ph.D. candidates, but we can safely assume that the probability of colluding, cooperating and defecting becomes more complex as the number of players and possible outcomes for each game increase.

A Simple Model for a Multiplayer Game

Before we continue to examine multiplayer games, it may be helpful to review the simple game theory model used in economics for a two-player game. The model for a multiplayer game is best visualized using a matrix, similar to (but not exactly the same as) what mathematicians call matrix algebra:

Multiplayer Game Applied to an Insider Threat Model

The above model seems simple enough, so let’s apply it to Round 1 of the model game to get an idea of what this type of insider threat could look like:

Hypothetical Scenario, Round 1

  • Target Environment: Nuclear reactor control room at a fictitious energy provider — let’s call it Pluto Energy.
  • Primary Goal: Rattle the control rods in the reactor core and destroy them outright, potentially triggering a meltdown.
  • Players 1 and 2 are current employees of Pluto Energy.
  • Player 3 is a disgruntled former employee of Pluto Energy who has created a new worm capable of tunneling into in the antiquated software running in the nuclear reactor’s control room.
  • Result: The attempt was unsuccessful.

Hypothetical Scenario, Round 2

  • Secondary Goal: Trip the safety sensor and flood the reactor core.
  • Player 3 builds the worm, loads it onto a thumb drive and hands it to Player 1 on a designated day.
  • Player 1 inserts the thumb drive into the control room server during a shift change.
  • Players 1 and 2 ignore the control rod rattling and the safety alarm.
  • Result: The reactor core floods and the reactor is now inoperable.

Based on the result of the first round, if the target result was not achieved, the players would continue to the next round by finding a new attack technique, developing a new attack strategy or varying their entry points into the target environment.

So how does an environment protect itself against such a threat, and what can be done to solve these types of problems? Practice game theory by establishing a skilled team of ethical hackers and certified penetration testers. These individuals can be in-house employees or third-party experts, except for high-security environments, where outside consultants may not be allowed.

Multicolored Teams for Multiplayer Games

Environments that are serious about building a threat program and accompanying threats models should consider building red, blue and black teams, as well as practicing scenarios by participating in capture the flag games. Typically, red teams focus on offensive capability while blue teams concentrate on defensive capability. Black teams are involved in the complete scenario. While not all environments face threats great enough to necessitate a black team, every organization should at least have red and a blue teams.

A handful of security firms employ ethical hackers, certified penetration testers and mathematical theorists to build the complex stochastic and probability models required to run simulated attack scenarios that produce usable results.

Read the X-Force Report on the role of cyber ranges and capture the flag exercises in security planning

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today