Checkmate: Cybersecurity Strategy on the Modern Battlefield

Chess is a strategic board game estimated to be over 1000 years old. The game, and the sharp-mindedness and tactical nous required to win it, was originally designed to mirror medieval battlefield tactics, and the pieces we use today reflect this.

In a modern context, this battlefield has undoubtedly moved to the digital arena. Where warring states once skirmished along contentious territorial boundaries, 21st century nations are now more likely to launch a volley of cyber-attacks than a dawn raid on horseback. Despite this, there are numerous parallels that can still be drawn between the timeless game of chess and cybersecurity strategies in our modern world.

With today marking World Chess Day, it’s an appropriate moment to reflect on how businesses and security teams approach their cybersecurity strategies. What can the new world’s knights in silicon armor learn from this old-world board game?

White Hats Move First

In chess, the player with the white pieces always moves first. It’s also common consensus that this player holds the automatic advantage. In fact, in 1946 a man named William Franklyn Streeter discovered the ‘first move advantage’ – a concept dictating that the player using white pieces will, on average, win over 52% of all games.

In cybersecurity, the white hats (security professionals) can also take advantage of this concept. By understanding and locking down likely attack routes, white hats can limit black hats’ (cyber-criminals’) chances of success. Moving first, taking proactive security measures and anticipating attacks will automatically provide businesses with the ‘first move advantage.’

This approach is especially pertinent when it comes to cloud security. Our 2019 Global Advanced Threat Landscape Report discovered that as many as 55% of UK businesses lack a privileged access security strategy for protecting business-critical applications and cloud infrastructure. When evidence shows that 77% of cloud related incidents involved stolen credentials, this is an alarming result.

Deciding on the right approach to secure a multi-cloud environment may provoke delay, but this is an easily solvable challenge and one that must be prioritized.

Strategic, Not Tactical

If you ask someone with no knowledge of chess to play against you, they will play tactically. In other words, they will be reactive and make short-term decisions based on your preceding move. This tactic simply won’t work in the long run against a chess pro. That’s because chess pros use strategy, not tactics. They bait other players into positions that are beneficial to them. Chess pros aren’t just thinking about the next move, they’re thinking about the endgame. They see the bigger picture.

As cloud adoption increases, the threat landscape expands. To operate in this environment, businesses must strive to adopt the same mindset as chess pros in the digital world and see the bigger picture.

One example of long-term strategy is investing in Privileged Access Management, PAM for short. PAM is an integrated part of a business’ day-to-day operations. It helps IT and security teams provision and deprovision access to different areas of a network for the accounts operating on their systems.

If, for example, a malicious GIF allows a cyber-attacker to gain a foothold on an endpoint in the network, PAM means the compromised account will likely only have limited control and reduced privilege on the system. The attack, in this way, is unlikely to penetrate the network any further. Instead of responding reactively to an attack, PAM allows businesses to deploy security measures pre-emptively.

Protect the King

There’s a hierarchy between chess pieces. Pawns, the least powerful piece, are at the bottom. There are many of them and they have limited capabilities. The king – the piece that decides the end of the game – is at the top. Protecting the king, in other words, is of the utmost importance to a player.

Similarly, in cybersecurity, IT and security teams must work from the top downwards. They must prioritize the security of their organization’s most privileged accounts and credentials – those that confer access to critical systems and information – first before moving down the chain of priorities. In the event of a cyber-attack, losing a few ‘pawns’ may be inevitable, but it’s crucial to prioritize the protection of the ‘king.’

An Integrated Cybersecurity Arsenal

One of the most hotly discussed aspects of chess is its ‘opening principles’ – the strategies players use to ‘open’ a game. The most important opening principle is for a player to make use of the diverse range of pieces at their disposal. To win in chess, all pieces must be used to achieve the end goal of cornering an opponent’s king.

In cybersecurity, businesses must use a diverse set of tools to build their cyber-defenses. This means using technologies such as anti-virus software, encryption programs and privileged access management to cover all bases.

However, IBM’s recent Global Cyber Resilient Organization Report showed that “Organizations using 50+ security tools ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than those respondents with less tools.”

To implement effective security, businesses shouldn’t invest in security tools on a whim. History shows that attackers will often focus efforts on strategies that provide the most access and, therefore, the most impact. These tactics often stick to a similar pattern. Organizations should focus their own efforts and security investment on breaking these patterns first, before moving to more advanced measures.

Red Team Chess

You’ll often see people playing chess against themselves. Without a partner, it’s a useful way to practice moves and techniques, running through the decisions that they would make in certain scenarios.

The same technique can be applied to security. In fact, according to recent research conducted at the Black Hat conference in 2019, over 70% of respondents said their businesses conduct ‘red team’ exercises. Businesses can employ simulated attacks to actively seek out vulnerabilities in their own security infrastructure – an effective way to proactively prepare for real attacks in the future.

By taking notes from a game that’s been a bellwether of strategy for a thousand years longer than any security professional, businesses can be reminded about where their priorities lie.

The overarching takeaway is that it’s always better to be proactive than reactive. Strategic preparations in advance of an event trump a tactical response after it. Integrating security measures into the very framework of your organization’s processes using measures like PAM should be a priority. Those that let the cyber-attacker make the first move have already given away the advantage.
