Monday, February 1, 2021

Simulating Security Strategy

You’ve probably imagined it, right? Lots of little attackers and defenders going at it in a simulated environment while you look on with glee. But instead of spending our cycles on details such as whether the attack gets in, let's leave that for the virtual detonation chambers and focus on the bigger picture of attack and defense.


That is exactly what Complex Competition does.  It simulates an organization as a topology and then allows an attacker and a defender to compete on it.  Table 1 provides all the rules:


  1. The gameboard is an undirected, connected graph. Nodes may be controlled by one or both parties.  One node is marked the goal.

  2. The defender party starts with control of all nodes except one.

  3. The attacker party starts with control of one node only.

  4. Parties take turns. They may:

    1. Pay A1/D1 cost to observe the control of a node.  
    2. Pay A2/D2 cost to establish control of a node. 
    3. Pay A3/D3 cost to remove control from a node (only succeeding if they control the node).
    4. Pay A4/D4 cost to discover the peers of a node.
    5. Pass or Stop at no cost.
  5. They may only act on nodes connected to nodes they control. 

  6. The attacker party goes first.

  7. The target node(s) is assigned values V1-Vn.  When the attacker gains control of the target node X, they receive value Vx and the defender loses value Vx.

  8. The game is over when both parties stop playing.  Once a party has stopped playing, they may not start again.
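The rules above as a small engine, with a scripted attacker and a one-node defender. This is an added example, not code from Complex Competition: the topology, the attack plan, the guarded node and the "watch"/"blind" defender policies are constructed, "connected" in rule 5 is read as adjacent, and rule 4.3 is read as evicting the other party from a node the actor also controls.

```python
GRAPH = {0: {1, 2}, 1: {0, 3}, 2: {0, 3}, 3: {1, 2, 4}, 4: {3, 5}, 5: {4}}  # constructed
class Game:
    """Engine for the rules above; every action costs 1, as in the post's runs."""
    def __init__(self, graph, foothold, goal, value):
        self.graph, self.goal, self.value = graph, goal, value
        self.control = {"attacker": {foothold},               # rule 3
                        "defender": set(graph) - {foothold}}  # rule 2
        self.spent = {"attacker": 0, "defender": 0}
        self.payoff = {"attacker": 0, "defender": 0}

    def act(self, party, action, node):
        """Apply one paid action; returns None (no charge) if rule 5 forbids it."""
        assert action in {"observe", "establish", "remove", "discover"}, action
        if not self.graph[node] & self.control[party]:        # rule 5
            return None
        self.spent[party] += 1
        other = "defender" if party == "attacker" else "attacker"
        if action == "observe":                               # A1/D1
            return {p for p, nodes in self.control.items() if node in nodes}
        if action == "discover":                              # A4/D4
            return set(self.graph[node])
        if action == "remove":                                # A3/D3
            if node not in self.control[party]:
                return False                                  # paid, but fails
            self.control[other].discard(node)
            return True
        self.control[party].add(node)                         # establish, A2/D2
        if party == "attacker" and node == self.goal and not self.payoff[party]:
            self.payoff["attacker"] += self.value             # rule 7
            self.payoff["defender"] -= self.value
        return True

def simulate(plan, defence=None, guard=4, rounds=10):
    """Attacker establishes control along `plan`; defender guards one node.
    defence: None, "watch" (observe, evict once seen) or "blind" (evict every turn)."""
    game, seen = Game(GRAPH, foothold=0, goal=5, value=10), False
    for _ in range(rounds):
        target = next((n for n in plan if n not in game.control["attacker"]), None)
        if target is None:
            break                                             # attacker stops
        game.act("attacker", "establish", target)             # rule 6: attacker first
        if game.payoff["attacker"]:
            break                                             # goal reached
        if defence == "blind" or (defence == "watch" and seen):
            game.act("defender", "remove", guard)
            seen = False
        elif defence == "watch":
            seen = "attacker" in game.act("defender", "observe", guard)
    return game.spent, game.payoff
```

Calling `simulate([1, 3, 4, 5], "watch")` shows the observe-then-evict defender losing by one turn at the chokepoint, while `"blind"` holds the goal but pays for an action every round.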

This lets us test a lot of things, including the following:


Does randomly attacking in a network pay? 


Answer: No! (Unless the target of the attack is connected to the internet)


What does it cost to defend?


Answer: anywhere from three to five times the number of actions the attacker took.


What attacker strategies work best if there’s no defender?

Answer: Attacking deep into the network, or trying a quick attack and bailing.


What attacker strategies work best if there is a defender?

Answer: Now the quick attack is a clear front runner.


How does an infrastructure compromise change the attack?

Answer: When the infrastructure is compromised, the attacker doesn’t have to dig deep into the network. (Obvious, I know. But here we can show it quantitatively.)


Now the caveats


All that analysis must be taken with a grain of salt.  It’s totally dependent on the costs of the actions (all 1), the value and locations of the targets, the topology, and the attacker strategy.  None of which are meant to be particularly representative in these simulations.  Also, this simulation is relatively basic, but hopefully it strikes a balance between usefulness and simplicity for this first iteration.


Still, there are a lot of other questions we could try to answer:

  • When should the defender stop defending / how much should they spend on defense?
  • How else does the location of the attacker affect their cost to reach the target?
  • How does the target location affect the attacker's cost to reach it?
  • How do different topologies affect the attacker and defender costs?
  • How do different costs affect the attacker's chance of reaching the target?
  • What is the relationship between topology, attacker strategy, attacker action cost, and target value?

And eventually we could make it more complex:

  • Add more information to the nodes to help players choose actions
  • Probability of success per edge
  • Cost of action per node
  • Replace the undirected graph with a directed graph
  • Different value for the attacker and defender for achieving the goal.
  • Separating the impact cost to the defender from the goal and having them on separate nodes
  • Allow the defender to take more than one action per round
  • Set per edge success probabilities and costs
  • Create action probabilities
  • Allow the defender to pay to increase attacker action cost (potentially per edge).
  • Allow the defender to pay to decrease the action success probability (potentially per edge).
  • Allow the defender to pay to monitor nodes without having to inspect them

Primarily, though, we simply want to get this out there and give everyone a chance to try it out, and, more than anything, illustrate the clear need to simulate security strategy. (He said the thing!)









8 comments:

  1. One of the first questions this sparks for me is potential effects due to resource disparities (attacker - high vs defender - low, etc.)

  3. Cybersecurity is a demanding and complicated field. There are workforce talent shortages, ineffective security controls, new adversarial attacks, a lack of collaboration between security entities and practitioners, and immature laws and governance. The list goes on and on. A breach can be disastrous and costly for organisations of all sizes and types, from small businesses and hospitals to large government agencies. redleos.com

    According to the Identity Theft Resource Center, by October 2021, breach volumes had surpassed those of 2020. According to Ponemon Institute and IBM research, the cost of a breach has risen 10% to $4.24 million. seoactivators.com

  7. Simulating Security Strategy is the future's chessboard, challenging minds to anticipate threats and maneuvers. As one delves deeper, a side note: for those overwhelmed academically, remember to buy coursework uk for that needed relief.

  8. The article's conclusion on the need for increased complexity in simulations resonated with me as well. As attackers become more sophisticated, it's crucial that our defensive strategies keep pace. Incorporating elements like human factors and psychological warfare into simulations could be a valuable next step. golang training
