During a brainstorming discussion with a colleague on the value of entropy in machine learning models, specifically the models used in threat intelligence work, I mentioned that many of the threat intelligence models in use today seem to overemphasize the pattern recognition aspect of threat intelligence through the egregious use of algorithms. By contrast, they seem to underemphasize the novelty of such aspects as intuition and chaos, both of which would be present if two malicious actors were pitted against a defensive system that is nothing more than an artificially intelligent system with lots of machine learning algorithms. Then I thought about the game of chess, which cognitive psychologists have studied with great interest for more than 70 years. I did a bit of my own research to see what aspects of chess psychologists found most intriguing, and whether any of their findings could be used to build better threat intelligence programs.

The Chess Experiments

The 1965 book Thought and Choice in Chess, by Adriaan D. de Groot, seems to have laid the foundation for the study of psychology in chess. There are several other psychologists who studied the game and its players; William Chase, Herbert Simon and Dr. Ferdinand Gobet are worth mentioning. The short synopsis of their combined research on the best chess players is as follows:

  • They can almost immediately determine the problem with the position of a piece on the board when shown a picture or a diagram of a random chess game.
  • They can recognize important features in a position quickly, whether in a picture or on the board in front of them.
  • They can recall patterns in a position or group of pieces and rapidly come up with moves or countermoves.
  • They can build mental templates of about 10 pieces and the space those pieces occupy on a chess board.
  • They have exceptional visual-spatial recognition and reasoning ability that improved as they practiced more, when they varied opponents and when they varied game style, such as playing blitz.
  • They do not need to see the chess board to play well, but are capable of reconstructing the chess board and pieces in play in their minds.


There are many more findings published on the cognitive aspects of chess, but this short list led to something researchers today call Chunk Hierarchy and REtrieval STructures (CHREST). CHREST, in turn, led to the design of computational models that could help psychologists understand why chess experts are so good at the game, by studying the number of moves the typical chess expert memorizes and how an expert organizes information mentally while playing. The research into CHREST, in turn, led to the development of mathematical models for hierarchical chunking in the brain to help cognitive scientists understand how the brain ingests, organizes, stores and later retrieves information.

The Psychology of Chess Can Tell Us Quite a Lot

So what does all this research on the game of chess have to do with threat intelligence? A great deal. CHREST and the subsequent mathematical models for hierarchy and retrieval structures underpin the databases, algorithms and artificially intelligent software used for threat hunting and by the threat intelligence correlation engines today (as well as other types of technology).

Threat hunters today are much like players in a game of chess where the adversary maneuvers in much the same ways as an opponent across a grand chess board. A good threat hunter can determine just who that opponent is, based on the moves he or she makes. We consider adversarial activity as tactics, techniques and procedures just as we consider a chess opponent’s moves as rooted in strategy where the decisions made are based upon patterns and models. One could easily consider the science of threat intelligence as the identification of these patterns as quickly as possible to predict future action and to engage appropriate response maneuvers. However, where does the science of threat intelligence intersect the art of intuitive prediction based on skill and experience? How can an analyst derive meaning and predictive value in a seemingly chaotic engagement?

Interestingly, one of the experiments with the CHREST model showed that expert chess players have superior memory recall for chess positions that are considered random by weaker players. Why is this important? Because it shows that expert players are not only playing the game based upon the patterns they know or the visual representation they have of the chess board in their minds, they are also playing by intuition or gut-feeling – something no mathematical model, machine learning algorithm or artificially intelligent system can duplicate today.

By allowing a team of analysts to rely on their expertise with the introduction of chaos and entropy, we can glean the actions and strategic moves that wed the science of threats with the art of analysis. Then we can truly provide a robust threat intelligence gathering effort that provides threat actor identification, activity prediction, mitigation and response strategies.

To harness the threat intelligence power enabled by chaos and entropy, we can take the following lessons from the game of chess:

  1. Machine learning algorithms can help identify patterns and commonalities in threat actor activity.
  2. Introducing entropy can provide us an opportunity to learn how our skilled analysts respond in scenarios where models stop. Consider performing an exercise wherein your red team begins an attack scenario and then deviates from the predicted activities. Allow your blue team to respond and measure the outcomes. Was your blue team able to identify the threat? What did it do differently that can inform your training program?
  3. Identifying threats and deriving intelligence from data can be difficult without the expertise and skill required to adjust to entropy and chaos. Invest in a strong internal analytical team or entrust the threat hunting and threat intelligence responsibility to an elite team such as those that IBM Security provides.
  4. Keep your teams sharp by engaging them in attack exercises and capture the flag competitions.

Using chess to build better threat hunting and threat intelligence teams on a slim budget

All of this analysis sounds glorious for large firms with lots of available capital. For small businesses with limited access to both financial and human capital, building a sophisticated threat intelligence team is extremely difficult to achieve. Small businesses:

  • Are not able to staff cyber security experts with a specialization in threat intelligence and pay them hundreds of dollars an hour.
  • Are not able to spend hundreds of thousands of dollars to hire a cyber security firm to provide the experts.
  • Do not have millions of dollars to buy a Cyber Range in a Box (CRIAB) to use for themselves or their customers.

What could a small business or firm do with a limited budget and no sophisticated COTS solution? It can hire entry-level cyber security professionals who have a love for the game of chess, because those individuals will bring with them the following capabilities:

  • An understanding of attack strategy and creative thinking.
  • An understanding of moves and countermoves.
  • An excellent visual/spatial memory that lends itself well to pattern recognition.
  • The ability to recognize new opponents and attack techniques.

Skills such as those needed to find OWASP Top 10 vulnerabilities within an application stack can be taught through such sites as HackerOne. The best hackers we have ever met had something in common with the best chess players we know – a love for the game.
