This is the second installment in a series on insider threats, industrial sabotage and game theory. Be sure to read Part 1 for more information about the three phases of an insider attack.

Simple Game Theory Model

Before we continue to examine two-player games and provide a bit more insight on the game theory principles of collusion, cooperation and defection, let’s briefly return to the simple game theory model used in economics.

Cooperation agreements alter the simple game theory model slightly:

  1. Party A will cooperate with party B to target the same division, branch, office, directorate or building within the environment.
  2. Party A will cooperate with party B but target a different division, branch, office, directorate or building within the environment.
  3. Party A will cooperate with party B to share knowledge and information uncovered while infiltrating the environment.
  4. Party A will collude with party B, but party A will put his or her own interests ahead of party B at some point.
  5. Party B will collude with party A, but party B will put his or her own interests ahead of party A at some point.
  6. Either party A or party B will institute punishment measures to ensure the other remains cooperative and does not defect under any circumstance.
  7. Either party A or party B will defect one or more times.

The terms party, player and insider threat represent any employee, contingent worker, contractor, subcontractor, union, manager, executive, shareholder, venture capitalist, investment backer, investment firm or external cybercriminal.

Three Phases of Two-Player Games

Phase One: Cooperation

The cooperative model applies when two insider threats agree to work together in pursuit of a common objective. This kind of cooperation does not necessarily imply a literal agreement that both parties sign. Rather, it is simply an understanding between the two parties that they share a common goal — control of one or more parts of the industrial environment they are targeting.

Cooperation between insider threats can have far-reaching consequences, including:

  • Compromise of research and development efforts within the environment;
  • Slow and continuous theft of intellectual property without any discernible, immediately identifiable source;
  • Habitual implementation of the buddy system during corporate reorganizations, allowing workers to remain aligned with specific senior-level executives;
  • Consistent manipulation of pricing schedules and hourly rates for consulting firms to siphon additional profit from the target environment;
  • Leak of sensitive or classified information;
  • Substantial interinstitution lending at unusually low or abnormally discounted rates;
  • Frequently malformed, maligned and ill-conceived trade negotiations, trade pacts or industry cooperatives; and
  • Frequent formation of special interest groups and special interest lobbyists.

When either party begins to put his or her own interests ahead of the other’s, the second phase of game theory begins.

Phase Two: Collusion

When two insider threats collude to target an environment, the parties usually start out cooperating but begin to conspire against each other over time as each party develops individual goals.

Colluding insider threats can result in a slew of problems, including:

  • Attempts to manipulate executive decision-making or influence boards of directors through continuous stock purchases by minority shareholders;
  • Continuous failure of high-visibility, high-impact projects due to project leaders being restructured into areas or divisions in which they have limited experience or understanding;
  • Hiding of major design flaws or failures in quality controls from both inspectors and consumers;
  • Price gouging of consumers, especially on consumer products considered lifesaving or necessary for survival;
  • Price dumping of cheap products or low-quality goods into poorer countries;
  • Consistent failure of both public and private institutions due to fiscal mismanagement, poor management or no management;
  • Collective bargaining by unions with the goal of bankrupting the target environment;
  • Price wars at the local, regional or global level; and
  • Hacktivism that has little structure and no tangible goal or apparent purpose — in other words, hacking for the sake of gratifying the player’s ego.

The third phase of game theory kicks in when either party A or party B decides he or she will no longer collude with the other.

Phase Three: Defection

Understanding defection is not quite so simple. How often the players of the game defect is determined by the type of game. For example, if the game is linear or continuous, such as long-term industrial sabotage, the parties can defect as many times as necessary to reach their goal of controlling the environment. If it’s a single game, a party can defect only once. In industrial environments, a single game would have an ultimate goal of destroying the environment to the extent that recovery is impossible.

Insider threats that defect during a continuous game of industrial sabotage can trigger a variety of issues, including:

  • Whistle-blowing at the public, private or regulatory level;
  • The sale of highly classified information to lone-wolf terrorists, terrorist groups or terrorist sympathizers;
  • Theft of highly sensitive or classified materials to be used in a persistent threat; and
  • Theft of industrial information, controls or facilities to be held hostage by ransomware, malware or hacktivists seeking financial gain or elevated social status.

Insider threats that defect during a single game of industrial sabotage introduce a different set of problems:

  • Complete destruction of private or public property;
  • Complete destruction of internal controls, especially industrial controls that manage critical infrastructure;
  • Complete sabotage of highly advanced military and defense research projects;
  • Terrorist attacks that aim for deadly results; and
  • Dissolution of a single company or a company and all subsidiaries.

In continuous games, defection is not the final phase of the game — the insider threat will simply start the game over by cooperating or colluding once again. In a single-instance game, defection is the end state, since one or both insider threats aim for complete destruction of the target environment.
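To make the difference between the two game types concrete, here is an added example (not from the original article) that models the three phases as a small two-player state machine. The move names (cooperate, self_interest, refuse) and the exact transition rules are assumptions used to formalize the article's description: putting one's own interests first moves the pair from cooperation to collusion, refusing to collude triggers defection, and defection either restarts the cycle (continuous game) or ends the game (single game).

```python
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    COOPERATION = "cooperation"
    COLLUSION = "collusion"
    DEFECTION = "defection"
    ENDED = "ended"

class Move(Enum):
    COOPERATE = "cooperate"          # keep working toward the shared objective
    SELF_INTEREST = "self_interest"  # put own interests ahead of the partner (phase 1 -> 2)
    REFUSE = "refuse"                # decide to no longer collude at all (-> phase 3)

@dataclass
class InsiderGame:
    continuous: bool                 # True: linear/continuous game; False: single game
    phase: Phase = Phase.COOPERATION
    defections: int = 0
    history: list = field(default_factory=list)

    def step(self, move_a: Move, move_b: Move) -> Phase:
        if self.phase is Phase.ENDED:
            return Phase.ENDED       # a single game cannot be played on after defection
        moves = (move_a, move_b)
        if Move.REFUSE in moves:
            outcome = Phase.DEFECTION    # either party stops colluding: phase three
        elif self.phase is Phase.COOPERATION and Move.SELF_INTEREST in moves:
            outcome = Phase.COLLUSION    # either party puts itself first: phase two
        else:
            outcome = self.phase         # no phase change this round
        self.history.append(outcome)
        self.phase = outcome
        if outcome is Phase.DEFECTION:
            self.defections += 1
            # Continuous: the insider starts over; single: defection is the end state.
            self.phase = Phase.COOPERATION if self.continuous else Phase.ENDED
        return outcome

def run_game(continuous: bool, script) -> InsiderGame:
    """Play a scripted list of (move_a, move_b) rounds and return the finished game."""
    game = InsiderGame(continuous=continuous)
    for move_a, move_b in script:
        game.step(move_a, move_b)
    return game

# Constructed script: cooperate, A puts itself first, A stops colluding, both cooperate again, B stops colluding.
SCRIPT = [(Move.COOPERATE, Move.COOPERATE), (Move.SELF_INTEREST, Move.COOPERATE),
          (Move.COOPERATE, Move.COOPERATE), (Move.REFUSE, Move.COOPERATE),
          (Move.COOPERATE, Move.COOPERATE), (Move.COOPERATE, Move.REFUSE)]
```

Running the same script through both variants shows the continuous game recording two defections and returning to cooperation, while the single game stops at its first defection.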

Detecting and Thwarting Insider Threats

Unfortunately, insider behavior that follows this game theory model is extremely difficult to detect in any of its phases, even in the most rigorously secured industrial environments. Security tools that employ behavioral analysis, pattern recognition, predictive analytics and cognitive capabilities enable industrial organizations to bolster their defensive capabilities.

For offensive capability, the industrial environment should establish a red team whose members understand the basic principles of game theory. Industrial environments that do not have the in-house expertise can purchase red team services from a handful of security services firms that offer them.
