Tuesday, August 8, 2017

Strategic Plateaus in the Cyber domain

One thing I think that surprises many people who don't play video games is how similar the strategies for them all are. It's as if Chess and Checkers and Go all had the same basic gameplay.

In most online shooters, you have characters with a high "skill ceiling" that require precise aim and maneuvering, and others which have the ability to soak up damage or cause area effects or heal their friends, which generally require more positioning and strategy understanding.

And as new characters are introduced to a game, or existing characters are tweaked, the strategies that work best overall change.

In Overwatch, the most popular game among hackers right now, you have "Dive Comp" and "Deathball Comp". These represent "Fast, deadly characters and chaotic rampage" vs "Healthy armored characters and slow advance". If you're going with the right team composition and strategy you can overcome even very serious disadvantages in your "mechanics" (shooting skill, reaction times, etc.), i.e. your team gains an asymmetric advantage until the other teams copy you and catch up.

Which technique works best is generally called "the current meta" and trickles down from the pro players to the very lowest ranks of Overwatch (where nobody should honestly care, but they still really do). New meta shifts in Overwatch, despite the continual changes introduced by every patch, are extremely rare, perhaps once a year! The game designers say this is essentially because people are bad at finding and testing new strategies. It is a rare skill. You almost have to be pretty good at any new strategy to know if it even really works. I call this a strategic plateau, because it LOOKS like the meta is still one way, but it's really another way, yet to be discovered until someone gets good enough at some new way of operating.

And yet, the cyber domain is even more choppy than any computer game could ever be. Things change at a tremendous rate, and people generally look at the "Cyber Meta" as a static thing! Either we are in the "Botnet Meta" or the "Worm Meta". We either do "Client side attacks" or we do "SQLi attacks". So many people think the cyber meta is what the West Coast's VC funded machine tells them it is at RSA or in Wired Magazine!

Getting this right is a big bet - some might point to recent events by saying it is a bet of global importance. Investment in a high end "Man on the Side" technology stack can run you into the billions. You'd better hope the meta doesn't change until your investment pays off. And what are the strategic differences between TAO-style organizations and the Russian/Chinese way? It's possible to LOSE if you don't understand and adapt to the current up-to-date Meta of the domain you are in, no matter what your other advantages are.

Grugq has a whole talk on this, but everyone is going to divide it differently in their head and be really crazy about it, the way people are when I use Torbjorn on attack. Also, why isn't "Kaspersky" in my spreadsheet yet! :) Also: Do you have a similar spreadsheet? IF SO SHARE.

No matter how you define the "Deathball" or "Dive Comp" of the cyber domain, you also need to analyze in depth how modern changes in the landscape affect them and make them stronger or weaker. "Bitcoin and Wikileaks as a service" may have replaced "Russian Intel" as a threat against giant teams of operators, for example. Endpoint defenses and malware analysis and correlation may have advanced to the point where remote worms have become much stronger in the meta.

But the real fun is in thinking up new comps to run - before QUANTUMINSERT was done, someone had to imagine it fully fledged in their heads. Before the Russians could run a destructive worm from a tiny contractor team that hit up an accounting firm, someone already had a certainty in their mind that knew it would work. And so that's the real question I'm asking everyone here. What's the next meta? What does your dark shadow tell you?
