The Game Theory of an Attacker

You have an MSP.

You have tools.

You have alerts.

You may have email filtering, endpoint protection, MFA, backups, firewalls, remote monitoring, logging, and a ticketing system full of evidence that work is being done.

Those things matter. A good MSP and a good toolset can reduce a lot of risk.

But there is still an important question:

Who is thinking like an attacker and mapping out what happens when one of those controls does not work?

That is where many businesses have a gap.

Security is not only about whether a tool is installed. It is about what an attacker can do when something slips through.

Start With a Simple Phishing Email

Suppose your company has spam filtering in place.

That is good.

But no spam filter is perfect. None of them are. Sooner or later, a phishing message may land in an employee’s inbox.

Now the real questions begin:

  • What happens if the employee clicks the link?
  • What happens if they enter their Microsoft 365 password?
  • Does MFA stop the login, or can the attacker get the user to approve the prompt, or capture the session through a proxy page?
  • What systems does that employee have access to?
  • What customer information can they reach?
  • What files are stored locally on the laptop?
  • Are browser passwords saved?
  • Are there VPN profiles, mapped drives, or cached credentials?
  • Can that laptop talk to servers, file shares, printers, cameras, or accounting systems?
  • Can it make outbound connections to almost any destination on the internet?

This is the game theory of an attacker.

The attacker is not thinking, “Can I beat the whole company in one move?”

They are thinking, “If I get this one user, what can I reach next?”

The First Click Is Usually Not the Whole Attack

Many businesses think about phishing as a password problem.

That is part of it, but it is not the whole picture.

The first click may lead to a fake login page. It may lead to a malicious attachment. It may lead to a remote access tool. It may lead to a browser session hijack. It may lead to a conversation where the attacker slowly builds trust before asking for money, data, or access.

Once the attacker has a foothold, they start making decisions.

They may look for:

  • Email rules that hide replies or forward messages externally
  • Recent invoices, wire instructions, or vendor conversations
  • Shared mailboxes
  • OneDrive or SharePoint folders
  • Passwords in files, browsers, or notes
  • VPN access
  • Admin tools already installed on the machine
  • Remote desktop paths
  • File shares with broad permissions
  • Security tools they can disable or avoid

This is why “we have a spam filter” is not the end of the conversation.

It is the beginning of the risk conversation.
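The mailbox-rule item in the list above is one of the cheapest things to catch, because every rule change is written to the audit log. The following is an added example, not code from the original post: it scans Microsoft 365 audit-log records for New-InboxRule and Set-InboxRule operations and flags rules that forward mail outside the tenant, delete matching messages, file them into folders nobody reads, or carry a punctuation-only name. The event shape (an Operation field plus a Parameters list of Name/Value pairs), the internal domain example.com and the sample events are constructed assumptions; the parameter names mirror the Exchange cmdlet parameters, but check them against your own exported records before relying on this.

```python
"""Flag risky inbox rules from audit-log events (added example, constructed data)."""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that send a copy of mail somewhere else.
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers commonly use to bury replies to their own messages.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                "deleted items", "junk email"}
INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains

# Constructed sample events in the shape of Unified Audit Log JSON records.
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "newsletter"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "smtp:ap-team@mail-collector.example"},
                               {"Name": "StopProcessingRules", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Identity", "Value": ".."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire;payment"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@example.com", "Parameters": []}),
]


def _parameters(event):
    """Flatten the Name/Value list into a dict, keeping values as strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}


def external_recipients(value, internal_domains):
    """Recipients outside the tenant from a ForwardTo-style value.

    Values may carry an 'smtp:' prefix and several addresses separated by ';' or ','.
    """
    found = []
    for raw in value.replace(",", ";").split(";"):
        addr = raw.strip().strip('[]"').lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" not in addr:
            continue
        if addr.rsplit("@", 1)[1] not in internal_domains:
            found.append(addr)
    return found


def assess_rule_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons this rule event is suspicious; an empty list means benign."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _parameters(event)
    reasons = []
    for name in EXFIL_PARAMS:
        ext = external_recipients(params.get(name, ""), internal_domains)
        if ext:
            reasons.append(f"{name} sends mail outside the tenant: {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True hides matching mail")
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"MoveToFolder={params['MoveToFolder']!r} is a folder users rarely read")
    name = params.get("Name") or params.get("Identity") or ""
    if name and not name.strip(". ,_-"):
        reasons.append(f"rule name {name!r} is punctuation only")
    return reasons


def scan(raw_lines, internal_domains=INTERNAL_DOMAINS):
    """Run the assessment over JSON lines and collect alerts worth a human look."""
    alerts = []
    for line in raw_lines:
        event = json.loads(line)
        reasons = assess_rule_event(event, internal_domains)
        if reasons:
            alerts.append({"user": event.get("UserId"),
                           "operation": event["Operation"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["user"], alert["operation"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the constructed sample, Bob's newsletter rule is ignored and both of Alice's rules are flagged: the first forwards to an outside domain under a one-character name, the second deletes anything mentioning invoices, wires or payments after filing it under RSS Feeds, which is the classic shape of a business email compromise rule. In practice, feed this the rule events from your audit-log export and route the alerts to whoever has the playbook to revoke sessions and reset the account.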

Tools Help, But Attackers Adapt

You might have ThreatLocker, endpoint detection, antivirus, application control, DNS filtering, or a managed detection and response service on the laptop.

Those controls can be valuable.

But attackers are good at adapting.

They may avoid dropping obvious malware. They may stay in memory. They may obfuscate their tools. They may use PowerShell, Windows Management Instrumentation, remote monitoring tools, scheduled tasks, browser sessions, OAuth tokens, legitimate cloud storage, or other tools that already exist in the environment.

This is often called “living off the land.”

In plain English, it means the attacker tries to use your normal tools against you.

That matters because some environments are built in a way that gives a compromised laptop too much freedom.

For example:

  • The user is a local administrator.
  • The workstation can reach internal servers it does not need.
  • Outbound firewall rules allow almost anything.
  • Sensitive data is stored locally without a clear reason.
  • Shared folders are open to broad groups.
  • Administrative tools are installed on normal user machines.
  • Logs exist, but nobody has tuned alerts around the most important behavior.
  • There is no clear playbook for isolating a device or revoking sessions.

None of those issues sound dramatic by themselves.

Together, they can give an attacker room to move.

The Question Is Blast Radius

One of the most useful security questions is:

If this one thing fails, how bad can it get?

If a user clicks a phishing link, is the damage limited to that user account, or does it open the door to finance, HR, customer files, cloud systems, and internal servers?

If a laptop is compromised, can it only access the internet and a few required business apps, or can it freely scan the internal network?

If an employee’s password is stolen, do MFA, conditional access, device compliance, and session monitoring reduce the impact, or can the attacker log in from anywhere?

If ransomware starts on one machine, can it reach every mapped drive?

If an attacker creates a mailbox rule, would anyone notice?

If a remote access tool appears on a workstation, would it be blocked, logged, or ignored?

This is where security starts to become practical.

You stop asking only, “Do we have a tool for that?”

You start asking, “What would actually happen here?”

Your MSP Is Important, But Security Risk Hides in the Corners

An MSP can do a lot of the work.

They can manage systems, deploy patches, configure firewalls, support users, maintain backups, monitor alerts, and respond to issues. A strong MSP is a major asset.

But security risk hides in the corners.

It hides in old firewall rules nobody remembers creating. It hides in local admin rights that were granted during an emergency and never removed. It hides in shared folders named “Archive” that contain years of customer data. It hides in a laptop used by a high-access employee who also has saved browser passwords and broad VPN access.

It hides in assumptions.

The MSP may know the tools. The business may know the operations. But someone has to connect the two and ask uncomfortable questions before an attacker does.

That is the role of an information security specialist or vCISO.

Not to replace the MSP.

Not to sell a pile of new tools.

The value is in helping the business understand the actual risk, prioritize the right fixes, and build a realistic plan.

Practical Improvements That Change the Game

Thinking like an attacker does not always lead to expensive recommendations.

Sometimes the best improvements are boring and effective.

For example:

  • Remove local administrator rights from standard users.
  • Segment the network so workstations cannot reach systems they do not need.
  • Tighten outbound firewall rules instead of allowing every port to the internet.
  • Limit VPN access by role and device.
  • Require MFA, but also review conditional access and session risk.
  • Reduce broad file share permissions.
  • Move sensitive data out of local storage when possible.
  • Block or tightly control remote access tools.
  • Alert on suspicious mailbox rules and forwarding.
  • Test whether endpoint controls stop common attack paths.
  • Build a simple incident playbook for isolating devices, disabling accounts, and revoking sessions.
  • Review which logs are collected and which alerts someone actually investigates.

None of these controls are magic.

But each one changes the attacker’s decision tree.

The goal is to make every next step harder, noisier, slower, or less useful.

That is how you reduce blast radius.
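As an added example (not from the original post), the following models the blast-radius question as a small attack graph: each step from a compromised laptop to an asset is labelled with the controls from the list above that would break it, and a breadth-first search computes what the attacker can still reach with a given set of controls in place. The assets, impact scores, edges and control names are constructed for illustration; a real version would be populated from inventory, firewall rules, share permissions and group membership.

```python
"""Blast-radius model for one compromised laptop (added example, constructed data)."""
from collections import deque

# Constructed attack graph. Each step is (source, destination, controls that break it).
# An empty set means the step needs nothing extra once the source is held.
ATTACK_STEPS = [
    ("laptop", "m365-mailbox", {"mfa-conditional-access"}),     # phished password + approved prompt
    ("laptop", "remote-control-channel", {"egress-filtering"}), # unrestricted outbound internet
    ("laptop", "cached-credentials", {"no-local-admin"}),       # dumping cached creds needs admin
    ("laptop", "archive-share", {"share-permissions"}),         # "Archive" share open to a broad group
    ("laptop", "finance-server", {"segmentation"}),             # RDP/SMB from any workstation
    ("laptop", "vpn-gateway", {"vpn-by-role-device"}),          # VPN profile left on the laptop
    ("vpn-gateway", "hr-server", {"segmentation"}),
    ("cached-credentials", "file-server-admin", {"tiered-admin"}),  # admin password reused on servers
    ("m365-mailbox", "vendor-invoice-threads", set()),
    ("m365-mailbox", "sharepoint-customer-files", set()),
    ("archive-share", "customer-data", set()),
    ("file-server-admin", "customer-data", set()),
    ("finance-server", "wire-instructions", set()),
]

# Constructed business-impact scores (higher is worse) for each reachable asset.
IMPACT = {
    "m365-mailbox": 4, "vendor-invoice-threads": 8, "sharepoint-customer-files": 7,
    "remote-control-channel": 3, "cached-credentials": 5, "file-server-admin": 9,
    "archive-share": 3, "customer-data": 9, "finance-server": 6,
    "wire-instructions": 10, "vpn-gateway": 2, "hr-server": 6,
}

ALL_CONTROLS = sorted({c for _, _, blockers in ATTACK_STEPS for c in blockers})


def reachable(start, deployed, steps=ATTACK_STEPS):
    """Breadth-first search over steps none of whose breaking controls are deployed."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, blockers in steps:
            if src == node and dst not in seen and not (blockers & deployed):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def blast_radius(start, deployed, steps=ATTACK_STEPS):
    """Total impact of everything reachable from `start` given the deployed controls."""
    reach = reachable(start, deployed, steps)
    return sum(IMPACT.get(n, 0) for n in reach), reach


def rank_next_control(start, deployed, candidates=ALL_CONTROLS, steps=ATTACK_STEPS):
    """Greedy prioritisation: impact removed by adding each single candidate control."""
    base, _ = blast_radius(start, deployed, steps)
    gains = []
    for control in candidates:
        if control in deployed:
            continue
        after, _ = blast_radius(start, deployed | {control}, steps)
        gains.append((base - after, control))
    return sorted(gains, reverse=True)


if __name__ == "__main__":
    for label, controls in [("no controls", set()),
                            ("no-local-admin + segmentation", {"no-local-admin", "segmentation"})]:
        score, reach = blast_radius("laptop", controls)
        print(f"{label}: impact {score}, reaches {sorted(reach)}")
    print("best next controls from nothing:", rank_next_control("laptop", set())[:3])
```

With no controls the model reaches every asset (score 72); adding only no-local-admin and segmentation halves it to 36 and takes wire instructions, HR and server admin off the table. The ranking function also shows why a single fix can look disappointing: tightening share permissions alone removes only 3 points here, because customer data stays reachable through cached credentials and a reused admin password. That is the "together, they give an attacker room to move" point in numbers, and it is why the fixes are prioritised as a set rather than one at a time.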

A Better Question for Leadership

Instead of asking, “Are we secure?” ask:

If an attacker gets one normal employee account or one normal laptop, what can they do next?

That question leads to better conversations.

It helps leadership understand risk in business terms. It helps the MSP understand which controls matter most. It helps prioritize security work based on likely impact instead of fear, vendor pressure, or whatever alert happened to be loudest this week.

It also makes cybersecurity feel less abstract.

You are not trying to solve every possible threat at once.

You are mapping the paths an attacker would take and closing the ones that matter most.

Get a Game Plan

Your MSP, tools, and alerts are all part of the picture.

But you still need someone in your corner who can think through the attack path, map the blast radius, and help decide which improvements make sense for your business.

MN Risk & Cybersecurity Advisory can help review your environment, identify the gaps that matter, and build a practical security roadmap.

If you want help getting a game plan together, contact MNRISK.