The lessons poker can teach us about privileged threat analytics
David Higgins, Director of Customer Development at CyberArk, discusses what poker can teach us about privileged threat analytics

The lessons poker can teach us about privileged threat analytics

Enterprise SecurityIT AnalyticsTop Stories

David Higgins, Director of Customer Development at CyberArk, explores the cybersecurity lessons business leaders can learn from poker.

Brian Koppelman and David Levien’s 1998 cult classic poker movie ‘Rounders’ begins with Matt Damon’s character Mike McDermott narrating, ‘if you can’t spot the sucker in your first half hour at the table, then you are the sucker.’ It’s a memorable line that sets the tone for the entire film.

A theme reinforced throughout the movie is that contrary to popular belief, poker is more about playing your opponent than playing the cards you hold. Cyberattackers know this quite well and can easily spot the ‘suckers’ – and they routinely target these weak links in damaging cyberattacks.

Security teams are often dealt a tough hand – from pre-existing tools that fall short to budget constraints, staffing deficits and more. Security teams must learn to think one step ahead of their opponents (i.e., malicious attackers, insider threats, etc.), have a robust strategy in place and stick to their game plan – beating formidable foes. Here are three lessons security teams can learn from the poker table.

Never drop your guard when it comes to threats

At the beginning of ‘Rounders’, Mike McDermott becomes enamoured with his cards (a full house of nines over aces) and falls into an easy trap set by his opponent, the nefarious Teddy KGB (a ludicrous character portrayed by John Malkovich). Mike inevitably is blindsided and loses all of his money when it’s revealed that Teddy has aces over nines.

It can be easy for organisations to fall into the same trap and become complacent in their efforts to secure privileged access. In order to really stay ahead of the game, organisations need a way to detect and respond to anomalous behaviour going on inside of their environment. Threats are all around and attackers are always looking for new ways to break into organisations’ environments.

This can be accomplished by having a privileged threat analytics engine in place to complement other tools (like SIEMs and UEBAs) in analysing the session recordings that are being done – generating risk scores for privileged sessions and delivering alerts to security operations centres (SOC) if/when suspicious behaviour involving privileged access occurs during a session recording.

It’s about as common as a royal flush (roughly one in 30,939) that an organisation would have dedicated employees sit and watch all video logs of privileged sessions, so it is essential to have a tool that is also able to prioritise events. Without this privileged threat analytics piece, security teams are left with video recordings that they’ve captured to meet compliance requirements but they aren’t leveraging to detect and prevent unfolding attacks.

Hackers will always go for your weak spot

In one of the (relatively) light-hearted scenes in the movie that also traces back to the opening line, Mike and his collective group of card shark friends are playing a low-stakes game in Atlantic City. Eventually, an unsuspecting tourist has the misfortune of sitting at their table and is quickly stripped of his money. There’s an easy parallel to be made here between how attackers look for the path of least resistance, repeatedly target the weak link in an organisation and often go undetected until their target is breached.

The latest Mandiant M-Trends report states that it takes an average of 101 days from the time of breach to discovery. Sophisticated attacks on Kerberos authentication such as Golden Ticket type attacks against domain controllers typically take even longer to detect. Attackers go unnoticed for months on end and by the time they’re finally discovered, there is very little that security teams can do. Often, these attacks start with a phishing attack. The attacker then gains access to the network and proceeds to move laterally until gaining access to critical infrastructure such as domain controllers.

With a privileged threat analytics tool in place, security teams can not only identify when a Golden Ticket is occurring but also take steps to halt the attack such as rapidly changing the password for the KRBTGT account in rapid succession.

Be aware of your environment

The finale of the movie pits Mike McDermott against Teddy KGB, playing in an all-or-nothing game of heads-up poker. While playing, Mike notices that every time Teddy KGB starts eating Oreos from the tray in front of him, he has a great hand. In poker, this is called a ‘tell’.

Mike gets crushed at the onset, but eventually gets pulled into a hand with a good set of cards (similarly to the opening scene) and is in desperate need of a win. However, he folds because he sees Teddy chomping away at his Oreos. He lets Teddy know that he knows his tell, which completely rattles Teddy and changes the course of the game. By taking this path, Mike eventually comes out on top.

For security teams, the lesson is to always pay attention to your surroundings – from humans accessing critical systems to applications communicating with other applications, or some combination of the two. For instance, if a machine that contains sensitive data is being accessed during irregular hours and/or from an irregular IP, an alert can be sent to the SOC to prompt further investigation of the event. In some cases, administrators may opt to set policies to automatically suspend these sessions until they can be verified.

Having tools in place that pay attention to privileged behaviour can help organisations to develop a baseline for what’s ‘typical’,  allowing them to rapidly flag things that seem to be out of the ordinary (an attacker’s tell) and provide the ability to quickly respond to the threat. These tools are essential as security teams continue to face ever-evolving threats, are essential as security teams continue to face ever-evolving threats and can mean the difference between a breach and business continuity.



Click below to share this article