"Lose Now, Win Later" Principle in Security


Every decision has a distinct set of consequences. Some outcomes can be predicted with reasonable certainty — others remain dark to any oracular vision. Over time, the effects of a change or shift in security play out, and the measured outcomes often become the deciding factors as to whether the original decisions have proven beneficial or disruptive. Take a security assessment, for example. The outcome of an assessment frequently comes with significant suggested changes. While those changes are deemed necessary and positive based on experience, the outcomes won’t be known for some time after the changes are made.

A blunter example of this principle in action is a security incident with an entrenched adversary. The adversary may be detected and allowed to keep operating (“the lose”) so you can document and understand them well enough to shut them down beyond this incident (“the win”). The concept isn’t hard to understand: give up something initially in order to gain later. Continuing with the security theme: what do you do when presented with unknown network traffic? You either shut it down or investigate to understand it*. If you shut it down, you win, but lose right afterward, since you don’t know what originated the traffic, what it means, and the answers to many other questions you need to resolve. If you choose to lose, letting the traffic continue while you monitor and investigate, you win later because you answer those questions (why, how, what, etc.).

The Vietnamese reference for this principle is encapsulated in “hien hoa”, which means wise and harmonious, or peaceful and harmonious, if you will. The concept is to accept defeat for the sake of buying time, or more accurately, not defeat but a strategic pullback to re-plan your strategy. We might say “lose the battle so you can win the war.”

Part of a good security program is monitoring internet properties to detect typosquatters, phishing attacks, fraud and corporate espionage. Issuing a takedown notice without understanding the context, possible use, origin and other essential elements of information means you win now but lose in the long run. Accepting a “lose” in the short run to gather that information means you can “win” later. Armed with that knowledge, you can potentially observe the adversary and classify their actions; enumerate more of the adversary’s infrastructure; see a potential incoming attack; or issue the takedown notice anyway, but only after gaining greater insight into the adversary’s possible courses of action.

What has been outlined so far is the straightforward application of the principle: direct “lose now, win later” scenarios. Indirect “lose now, win later” means entering a situation choosing to lose, while gaining the experience to convert that into a win later. Sports illustrate this concept well, such as a new team losing repeatedly until it has practiced enough to gain the skill to win.

In the intelligence wheelhouse of security, we enact this version of “lose now, win later” when we investigate phishing that is not impacting our security. The “lose” is the time and effort expended on something unrelated to immediate security. The “win” is the understanding gained of the tactics, techniques and procedures employed. That understanding becomes the means to deter and mitigate phishing campaigns that are, or will be, directed at us.

It is likely you leverage this principle without knowing it, especially if you drive any kind of vehicle. Who hasn’t chosen a longer route (“the lose”) to avoid a wreck or traffic jam and arrive at the destination (“the win”)? The goal is to do so consciously, especially in the frame of security.

* You could ignore it, but that’s never a good strategy to take.


About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.