5 things infosec can learn from adventure games

As an active adventure gamer and a natural seeker of reusable patterns, I’ve noticed that some of the things I do to achieve success in video games can be applied to information security.

1. Objectively evaluate your capabilities and work to create a well-balanced “party”
In video games, there are typically different “classes” of characters, such as fighters, magic users, clerics, and so forth and there are also specializations within each class. Each of the character classes has different strengths, weaknesses, advantages and disadvantages which means they are not equally suited for every situation. When assembling a “party” of characters, it’s important to balance the members of your party to increase your ability to thrive in a wide variety of situations.

In information security, the same holds true – you have people with different specializations, such as networking, application security, attack, defense, incident detection & response, technical, social, forensics, and so forth. We can begin by assessing the capabilities of our team members (our party) based on a number of criteria, including technical skills, certifications, industry experience, natural abilities (i.e. problem-solving, thinking like an attacker, communications, etc.), and suitability to task.

I encourage organizations I work with to have informal information sharing discussions or brown bag lunches with their teams to capture who knows what, who’s done what, etc. and to revisit these skill sets when a specific problem arises. For example, when a security issue occurs, poll the team to find out who has expertise that might come in handy. And forget job titles or organizational role – I find infosec people to be notorious, boundary-crossing generalists.

As part of this assessment, you should also consider the capabilities of your extended teams – in other words, take a look at the competencies of your partners and service providers. Knowing what they can do ahead of time makes it easier to know how you can leverage them when a crisis arises.

Once you know what your skills are, it is also helpful to look for critical gaps in your capabilities. These gaps can be filled by hiring for different, complementary skills in the future, by finding a new partner, or by bringing in outside help through contractors.

2. Select countermeasures based on your threat environment
Another aspect of understanding your capabilities is knowing what countermeasures you have, where they help and – critically – where they don’t. In adventure gaming, this is where we spend time understanding the relative strengths and weaknesses of weapons, armors, and special items. The advantage in adventure games is that it is easy to find out if one item is better than another – for example, a +2 sword is generally better than a +1 sword – and there may be enhancements that make a particular weapon better in certain situations (i.e. resistance vs. cold attacks).

Unfortunately, in infosec we don’t have a common way of evaluating security controls – there is no such thing as a +3 firewall, for example. However, we can come up with our own factors to evaluate countermeasures so we can objectively compare one product to another.

The most important thing here is to anticipate the kind of threats you expect to encounter. In adventure games, for example, when we face fire-based adversaries we configure fire-resistant countermeasures. Similarly, in infosec if we expect to experience a lot of DDoS attacks, we should select products that perform well against those adversaries. We should also look for general purpose capabilities that help us in every situation, such as security hardening (akin to improving our armor class) and countermeasures that improve our visibility and discernment of our environment (such as detecting and identifying rogue devices or suspicious patterns).

3. Practice in single player mode or on safe servers
Have you ever joined a multi-player game and immediately had your head blown off? I know I have. What do you do – give up? No – you develop your skills through practice. In adventure games, that means playing in single-player mode or joining a different game server that is more suited for your current skill set. Later, once you’ve improved your abilities, you can re-join the advanced games and do just fine.

In infosec, this kind of preparation and practice is also necessary. You won’t discover your weaknesses until you test them, so use practice drills, testing labs, and security training to improve your skills in a safe environment. I’m a big fan of the hands-on training and Capture the Flag competitions at Black Hat, SANS, regional infosec events, local “HackerSpace” dojos, and other methods to practice attack and defense in safe, non-production environments. There is nothing like seeing what happens in a simulated attack to improve your comfort level when dealing with the chaos of a real security incident.

Make sure your teams have the chance to practice in a safe environment so they can increase their skills and confidence before things really hit the fan.

4. Learn from others’ experiences
This is a variant of #3 in that it is a way to prepare and develop your skills before you need them. In adventure gaming, I sometimes get stuck on a particular mission and turn to things like strategy guides, YouTube walk-throughs, and other players’ write-ups to figure out what I’m missing.

In infosec, there are a number of ways to learn from others’ experiences. For example, reading post-incident reports or even news articles about other organizations’ security incidents can help you determine your vulnerability to a similar attack. You can also join in ISAC’s (Information Sharing and Analysis Centers) if you happen to be in an industry that has an ISAC.

User groups, training classes, industry publications, online discussion forums, and even vendors can help you learn about how others have dealt with incidents you are either experiencing or expect to experience in the future. You don’t have to learn everything through the school of hard knocks.

5. Losing doesn’t mean you’re done
When you die in an adventure game, you’re seldom really done. In some games, you can restore an earlier progress point. In others, you have to start again, but you do so with more experience so you minimize the chances of falling victim to the same thing that killed you in the previous round.

In infosec, your reality is similar. Think about (and document) what you learn from every incident, as lessons learned can help you fare better the next time around, and they provide a way to increase the knowledge and skills of the rest of your team. If circumstances dictate that you should start a new game (i.e. get another job), you begin that new game with all of the experience from prior games. That makes you a better player over time, and enables you to provide greater value to your “party” and your company.

I hope these five elements have given you some ideas that will help you in the future. Remember, work is always work, but there is no reason work can’t include some fun, adventure, and the opportunity to get better at the game of infosec.