During a brainstorming discussion with a colleague on the value of entropy in machine learning models, specifically the models used in threat intelligence work, I mentioned that many of the threat intelligence models in use today seem to overemphasize the pattern recognition aspect of threat intelligence through the egregious use of algorithms. By contrast, they seem to underemphasize the novelty of such aspects as intuition and chaos, both of which would be present if two malicious actors were pitted against a defensive system that is nothing more than an artificially intelligent system with lots of machine learning algorithms. Then I thought about the game of chess, which cognitive psychologists have studied with great interest for more than 70 years. I did a bit of my own research to see what aspects of chess psychologists found most intriguing, and whether any of their findings could be used to build better threat intelligence programs.
The Chess Experiments
The 1965 book Thought and Choice in Chess, by Adriaan D de. Groot, seems to have laid the foundation for the study of psychology in chess. There are several other psychologists who studied the game and its players; William Chase, Herbert Simon and Dr. Ferdinand Gobet are worth mentioning. The short synopsis of their combined research on the best chess players is as follows:
- They can almost immediately determine the problem with the position of a piece on the board when shown a picture or a diagram of a random chess game.
- They can recognize important features in a position quickly, whether in a picture or on the board in front of them.
- They can recall patterns in a position or group of pieces and rapidly come up with moves or countermoves.
- They can build mental templates of about 10 pieces and the space those pieces occupy on a chess board.
- They have exceptional visual-spatial recognition and reasoning ability that improved as they practiced more, when they varied opponents and when they varied game style, such as playing blitz.
- They do not need to see the chess board to play well, but are capable of reconstructing the chess board and pieces in play in their minds.
There are many more findings published on the cognitive aspects of chess, but this short list led to something researchers today call Chunk Hierarchy and REtrival STructures (CHREST). CHREST, in turn, led to the design of computational models that could help psychologists understand why chess experts are so good at the game, by studying the number of moves the typical chess expert memorizes and how an expert organizes information mentally while playing. The research into CHREST, in turn, led to the development of mathematical models for hierarchical chunking in the brain to help cognitive scientists understand how the brain ingests, organizes, stores and later retrieves information.
The Psychology of Chess Can Tell Us Quite a Lot
So what does all this research on the game of chess have to do with threat intelligence? A great deal. CHREST and the subsequent mathematical models for hierarchy and retrieval structures underpin the databases, algorithms and artificially intelligent software used for threat hunting and by the threat intelligence correlation engines today (as well as other types of technology).
Threat hunters today are much like players in a game of chess where the adversary maneuvers in much the same ways as an opponent across a grand chess board. A good threat hunter can determine just who that opponent is, based on the moves he or she makes. We consider adversarial activity as tactics, techniques and procedures just as we consider a chess opponent’s moves as rooted in strategy where the decisions made are based upon patterns and models. One could easily consider the science of threat intelligence as the identification of these patterns as quickly as possible to predict future action and to engage appropriate response maneuvers. However, where does the science of threat intelligence intersect the art of intuitive prediction based on skill and experience? How can an analyst derive meaning and predictive value in a seemingly chaotic engagement?
Interestingly, one of the experiments with the CHREST model showed that expert chess players have superior memory recall for chess positions that are considered random by weaker players. Why is this important? Because it shows that expert players are not only playing the game based upon the patterns they know or the visual representation they have of the chess board in their minds, they are also playing by intuition or gut-feeling – something no mathematical model, machine learning algorithm or artificially intelligent system can duplicate today.
By allowing a team of analysts to rely on their expertise with the introduction of chaos and entropy, we can glean the actions and strategic moves that wed the science of threats with the art of analysis. Then we can truly provide a robust threat intelligence gathering effort that provides threat actor identification, activity prediction, mitigation and response strategies.
To harness the threat intelligence power enabled by chaos and entropy, we can take the following lessons from the game of chess:
- Machine learning algorithms can help identify patterns and commonalities in threat actor activity.
- Introducing entropy can provide us an opportunity to learn how our skilled analysts respond in scenarios where models stop. Consider performing an exercise wherein your red team begins an attack scenario and then deviates from the predictive activities. Allow your blue team to respond and measure the outcomes. Was your blue team able to identify the threat? What did it do differently that can inform your training program?
- Identifying threats and deriving intelligence from data can be difficult without the expertise and skill required to adjust to entropy and chaos. Invest in a strong internal analytical team or entrust the threat hunting and threat intelligence responsibility to an elite team such as those that IBM Security provides.
- Keep your teams sharp by engaging them in attack exercises and capture the flag competitions.
Using chess to build better threat hunting and threat intelligence teams on a slim budget
All of this analysis sounds glorious for large firms with lots of available capital. For small businesses with limited access to both financial and human capital, building a sophisticated threat intelligence team is extremely difficult to achieve. Small businesses:
- Are not able to staff cyber security experts with a specialization in threat intelligence and pay them hundreds of dollars an hour.
- Are not able to spend hundreds of thousands of dollars to hire a cyber security firm to provide the experts.
- Do not have millions of dollars to buy a Cyber Range in a Box (CRIAB) to use for themselves or their customers.
What could a small business or firm do with a limited budget and no sophisticated COTS solution? It can hire entry-level cyber security professionals who have a love for the game of chess, because those individuals will bring with them the following capabilities:
- An understanding of attack strategy and creative thinking.
- An understanding of moves and countermoves.
- An excellent visual/spatial memory that lends itself well to pattern recognition.
- The ability to recognize new opponents and attack techniques.
Skills such as those needed to find OWASP Top 10 vulnerabilities within an application stack can be taught through such sites as HackerOne. The best hackers we have ever met had something in common with the best chess players we know – a love for the game.
Management and Strategy Consultant, IBM
Security Intelligence Analyst