July 19, 2022

Playing Chess with the Adversary: Value in Security Controls

Securing an IT infrastructure is often compared to a game of chess in which pieces are strategically played on a board to capture your opponent’s pieces and trap its king whilst protecting your own. Consider your pieces to be security controls which are parameters put in place to secure various types of data and infrastructure that’s critical to a business, to protect the most crucial piece on the board: the King. Your opponent is an adversary whose pieces are Tactics, Techniques, and Procedures (TTP) such as spoofing, tampering, denial of service to commit a cybercrime.  

On a chess board, there’s six types of pieces on the board (Queen, Rook, Bishop, Knight, King, Pawn) which moves and captures accordingly based on rules they’re bounded by. The value of a piece is determined by its range of motion and ability to capture other pieces as well as its relevance in the game. In chess the Queen is most valuable as it may move through an unlimited number of unoccupied squares in any direction in contrast to the pawn who can only move forward one or two spaces at time. In comparison, an EDR solution could prevent malicious processes through advanced measures whereas an antivirus is limited to capturing only signature-based threats. Understanding the absolute and relative values of your security controls is crucial in winning against the adversary.  

Absolute vs Relative Value, and Why Does it Matter?

A piece’s value may change anytime during the game but will always have a potential worth known as absolute value. Many people mistakenly believe that a piece's worth is constant during the whole game. In actuality, the items around it and their placement have a significant impact on the piece's value. The more pieces in play on the board the more limitation in their movement. As the number of pieces diminishes throughout the course of the game, most remaining pieces become more mobile, which raises their worth. Like chess, security controls in your environment have both absolute and relative value.

The absolute value of a chess piece is estimated by assessing its range of action if it were alone on the playing board. If you were to construct the hierarchy of your security controls in the same manner, you’ll probably apply a value from high to low in the following order: EDR (Queen), VPN Firewall (Knight), Folder ACL (Rook), Encryption (Bishop), Strong Password (Pawn). The critical data (King) has the least value because of lack of mobility but is the most important in the game.

To put this analogy in perspective, when all pieces are in play the Knight may seem more valuable vs the Rook in terms of movement or protecting the “King”. But if an adversary’s “Pawn” captures the Knight with stolen credentials, the value of the “Rook” increases as the opportunity for to make a move on the board as it becomes the next line of defense for the “King”. The circumstances of the Rook’s position keep its absolute value but increases its relative value to protect the King. The relative value of a chess piece is given by its current position on the playing board and often changes when the game passes one phases to another.  

Adversaries exploit the potential relative value of their pieces to commit their malicious acts. In chess, a Pawn is often viewed as the piece with the least absolute value but can become the most valuable towards the end of the game if it reaches across the playing board to get promoted to Queen. Do privileged escalation and lateral movement sound familiar?  

Tips: Strategy & Tactics

Grasping the value of your pieces in chess allows you to devise a strategy to deliberately outwit your opponent. Chess strategy, unlike tactics, has long-term objectives and is typically concerned with king safety, pawn structure, space, piece activity, etc. A game's fate can be determined by tactics, but the potential for tactical shots is first created by sound strategic play. You may think of strategy as the nursery for tactics for defensive and offensive.  Here's a couple popular strategies:


In chess, castling is a move that allows you to move your king to safety and bring your rook and other pieces into play. It’s like Defense in Depth (DID), which layers several defensive techniques to protect sensitive data and information. If one mechanism fails, another steps up immediately to thwart an attack. You must overcome the moat, ramparts, drawbridge, towers, battlements, and other obstacles before you may enter a castle.


Every security control, like chess pieces, move a certain direction and has a specific function. A firewall can only provide protection at the gateway. EDRs are more functional and capable than Anti-Virus. Logging is invaluable to managing, maintaining, and investigating. Access Control Lists provides granular control of user and group permissions.  


If Indicators of Compromise (“IOC”) and/or Indicators of Attack (“IOA”) are detected in your environment, some of your pieces may have been taken. You’ll need to take back some of the adversary pieces while figuring out which security controls you are able to sacrifice.


Get ahead of your adversary by deploying a honey pot or canary files as a pawn for your first move. Pawns move one square at a time and open pathways for your bishop and queens to enter the game.  


Always look at possibilities and moves that an adversary would make to capture your pieces and threaten your king. Research attack lifecycles such as the MITRE ATTACK Framework to improve the strategic positions of your pieces and ability to work with each other to protect your King. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.  


The endgame starts when you and your opponent swap pieces and you're left with only a few Operatives. Consider the relative value in all your pieces instead of relying on the absolute value of your stronger suites. Victory depends on our ability to comprehend both the strategy and tactics used by our opponents as well as the plan and tactics we employ in response. When your opponent suggests using one of his pieces to capture the king on his subsequent move, the king is in check. But an adversary can’t call checkmate if the king is encrypted!

For more information or if you need help with a current incident, contact MOXFIVE at ask@moxfive.com or use our Contact form.

Veralle Witter

Veralle is an Associate Director at MOXFIVE where he provides technical advisory and solutions to complex problems in the event of a cyber matter. He has a passion & talent for aligning security architectures, plans, controls, processes, policies & procedures with operational goals. His experience extends over many years in distinct areas such as system architecture and policy, major incident management & technical recovery. He holds a Masters Degree in Cybersecurity & Information Assurance and has accreditations with (ISC)², EC-Council & CompTIA.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 


Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More