LeBron James, Advanced Attackers and the Best Man Theory

There is a line of thinking that pervades and pollutes the discussions of many sporting events, and it goes something like this: “You can’t let LeBron James/Derek Jeter/Lionel Messi beat you. You have to force someone else to beat you.” It’s a flawed strategy for a number of reasons, but it’s even more problematic when you realize that this same mentality could be applied to information security.

Let’s look at this line of thinking bit by bit. The general reasoning behind this premise is that in order to give yourself the best chance of winning a given contest–especially if you’re at either a real or perceived disadvantage–you need to take away your opponent’s greatest strength. In the sports world, this means putting your best defender on the other team’s most dangerous scorer and trying to take him out of the game. Think of LeBron James deciding that he was going to check Russell Westbrook or Paul Pierce man-to-man and that his man just wasn’t going to score, period. 

But there are a couple of problems with that plan. For one, even though James is one of the premier defenders in the league, devoting that kind of mental and physical energy to locking down one player for 48 minutes could have a detrimental effect on his offensive output, putting his team at a disadvantage. And if James is only guarding one player, then lesser defenders are likely checking the other players, who may benefit from the lack of attention from James and have a big offensive game.

Coaches who employ this game plan essentially are betting that the other players on the opponent’s team, collectively, aren’t good enough to make up the difference if the star is taken out of the game. Sometimes it works, and sometimes it doesn’t. But when it doesn’t, the coach can simply say, “Listen, we shut down their best player, but Player X just got hot. It happens. But I’ll take my chances that Player X won’t go 14-for-18 again.”

TV sports analysts love this strategy because it sounds logical and it gives them the opportunity to talk about how Player X is really underrated and his Player Efficiency Rating is in the top 10 percent of all power forwards drafted in the third round or later from Big 10 schools since 1992.

Sure, but you still lost and there aren’t any points for losing with the right strategy or losing while four out of five Tim Leglers agree with your decision.

Now apply this line of thinking to security, where you’re focused on defending against the LeBron James of attackers: the state-sponsored hacker. Defeating targeted attacks from groups in China, Iran, Syria and other hostile nations is a priority for many organizations right now, government agencies and private-sector companies alike. Stories about foreign hacking crews making off with invaluable IP or state secrets abound. Just as coaches review game tape of upcoming opponents, security teams devote considerable time and resources to understanding the tactics and tools that these groups are using and how they’re employing them. 

“Are we vulnerable to the kind of browser-based attacks that this Chinese group is using?” they ask. “Can we stop our users from opening malicious PDFs? Are there persistent attackers inside our network right now and how can we find them if they’re here?”

The number of organizations that truly are at risk from high-level state-sponsored attackers is likely relatively small, but I have heard some analysts suggest, much like their armchair counterparts in sports, that virtually every organization needs to act as if it’s a target for these crews and defend accordingly. The thinking here, apparently, is that if you employ the kind of defenses and policies necessary to defeat the best and most advanced attackers, you’ll prevent the other team’s best player from beating you, and perhaps stop some of the lesser players in the process.

In both cases, sports and security, this strategy assumes that the defender actually has the ability to stop the star player. That’s not always true in sports, and it’s certainly not a given in security, either. Just because you know what play the other team is going to run doesn’t mean you can prevent it from succeeding. Everyone on earth knew that John Stockton and Karl Malone were going to run the pick-and-roll 35 times a night, and yet no one could stop it. Stockton and Malone went to the Hall of Fame on that play.

Right now, state-sponsored attackers are the Stockton and Malone of hacking. They seem to win at will, even when the defenders know what play is coming. (Although, unlike in sports, we never hear about the attackers’ losses; just their wins.) Studying their tactics and tools certainly is worthwhile, given that many of those same techniques are used by lower-level hackers. 

But focusing on the all-powerful Chinese hacker at the expense of defending against more commonplace, yet still effective, threats such as phishing, malicious email attachments and drive-by downloads that often compromise even sophisticated organizations can be a mistake.

A loss is a loss, regardless of who beats you and how they do it.

Discussion

  • Anonymous on

    Sorry guys, but the analogy was lost on those of us from the 95 and a bit percent of the world's population who are not American.

  • Roger on

    Hey D, I would've understood the Messi reference, and you could always link to Wikipedia for those who still choose to ignore the world's most popular sport! Great article! -- Roger Fortier

  • chort on

    I was with you on the sports analogy, but I don't think it applies the same way to information security. Especially in the closing paragraph where you say "at the expense of defending against ... phishing, malicious email attachments, and drive-by downloads." At least two of those are commonly used by APT groups, and arguably the first is just a vector for the third. It sounds to me like putting defenses in place to defeat nation-state attacks would also apply to many cybercriminal attacks.

    Similarly, I don't think asking if there are persistent attackers inside one's network is an unreasonable question either, nor is implementing processes to answer it.

    Sure, most organizations won't need to invest the resources required to fend off extremely persistent attackers, but that doesn't mean other attackers can be defeated with AV and firewalls.

  • Jeff Rogers on

    Hey, I like the conclusion but I don't like the analogy. It's not a flawed strategy. Instead of thinking "Don't let LeBron James beat us"... what if the coach said "We're going to stop their normal game plan and make them do something else to beat us"? Usually, the normal game plan is to lean on the star player and use his skills first. Double-team that guy, or do something else to slow him down, and make the opponent uncomfortable. Make him figure out how to adapt. Now, that sounds pretty smart, right? I grew up around coaches and coaching cliches, but there's a reason some of them are there, and the reason is founded on years of strategy tested on the field/court/etc.

  • Anonymous on

    I understand, but the analogy for some people may be a bit difficult... think analogy is good, perhaps same article, different type of analogy. At beginning, I was lost... then read on, guess because it was out of character for Threatpost... yet it told it like it is... mixed emotions...

  • caoimhinp on

    I'll comment because I think this article broaches a concept we don't address very well publicly.

    I disagree (obligatory dramatic dissension).

    I disagree because the analogy breaks down. Addressing state actors isn't performed in a man-to-man fashion. In the private sector we don't generally address the attacks on a moment to moment basis as performed by Bu Zhenshi Zhe. What is addressed is a methodology, vectors versus vulnerabilities. The question is whether or not these attacks and the methods as performed by the state actors are methods we should focus on. If there is significant crossover between attack methods used by state actors and methods used by less sophisticated attackers then we are justified in concentrating on the sophisticated attacker. Basically, if addressing the APT also addresses the script kiddie then we have maximized our efforts. 

    Extending the original analogy, we could say this would be the zone versus man-to-man. I don't think we ever execute man-to-man coverage so the discussion is really whether or not we are covering the right zones.

    The post actually addresses methods in the penultimate (never enough opportunities to use that word) paragraph. Note also that the methods mentioned in that paragraph are all delivery methods and the general discussion on Stuxnet and Flame are generally discussions on the local vulnerabilities, privilege escalation, etc. Delivery is almost never discussed.

    I'll ask the question. Do you believe we should be talking more about / addressing delivery methods? Does the community focus too much on payloads and the targets of these payloads? Is that the root of your contention?

  • Anonymous on

    It's basically about resources and risk management

    Should we put ALL our defenses to defend against a threat that other people / organizations are facing .. yes, if the same threats apply to us in the same measure. How about the rest of the threats? Well, if there are sufficient resources left over, it would of course be nice to consider other threats as well ..

    But we all know the story about resources and IT Security? ;) Well, in my limited experience it's always too little too late ..
