Why learn by grinding through dry security best practices when you can make education unique by mixing in a little geeky fun? In the third installment of my security pop culture series (see Part 1/Part 2), I share what Destiny – Bungie’s popular new MMOFPS video game – can teach you about network and information security. Learn how to become an Internet Guardian and fight the encroaching cyber Darkness with these seven tips:
1. Different enemies require different tactics – In Destiny, you fight four rival races, each with various classes of enemies. As with any video game, each enemy requires different tactics to take them down quickly. For instance, on Mars you’ll meet the Cabal’s Legionary enemy, who you can actually take head-on, literally running straight at them and shooting them in the head. Meanwhile, the shield-wielding Phalanx requires different tactics. Firing straight at them, into their shields, is about as effective as mowing your lawn by hand, one blade of grass at a time. Rather, you should flank these characters or lob grenades behind them. The point is, every enemy in Destiny has their own specific weakness. You’ll only do well in the game by finding those weaknesses and exploiting them.
There are different enemies in information security as well, each with their own tactics and weaknesses. You have “skript kiddies” who hack for the “lulz” and notoriety, hacktivists who hack for a cause, petty criminals who hack for small scores, organized cyber criminals who hack for big money, and nation-states who hack for politics and espionage. Each of these threat actors has different motivations, and thus uses different tools and tactics. As security “Guardians,” we need to know which threat actors affect our organizations the most in order to combat them efficiently. For instance, if you work for a logging company, hacktivists might target you, so you probably want to be sure you can withstand big DDoS attacks. Understanding the threat actors helps you implement the right defenses for each actor’s particular brand of attack.
2. Use the right tool for the job – Just as Destiny’s enemies require different tactics to be defeated, they are also vulnerable to different weapons. Even if you haven’t played Destiny, you’ve surely seen this with other games (water defeats fire, fire defeats earth, earth defeats water, etc.). For instance, in Destiny, you’ll more easily handle powerful slow enemies (Ogres & Colossus) by sniping them from afar with a long-range rifle. You’ll take down fast, weak enemies (Thrall) more quickly with close-range melee attacks. If an enemy has an obvious weak point (the Legionary’s small head), precision aiming with the scout rifle works well. Along the same lines, enemies with blue shields are more susceptible to “Arc” weapons, while orange shields break down quicker from “Solar” weapons, and so forth. In a nutshell, you’ll win more Destiny matches by knowing the right tool for each specific job.
This is true for your infosec toolsets as well. Do you know the right security tools to defend against various types of attack? A stateful firewall is great at keeping adversaries from directly attacking certain network resources, but it doesn’t protect your users from visiting evil web sites. For those attacks, you need application-layer or next-generation firewalls that scan web sites for exploits and malware, using IPS, gateway antivirus, and reputation services. Meanwhile, these web security controls might protect your users from drive-by downloads, but what about your public web server? Firewalls (next generation or otherwise) only offer limited web server protections. You need to switch to a web application firewall (WAF) to provide more specialized web app protection. Furthermore, none of those controls can really protect you from the high-bandwidth DDoS attacks being launched today. For those, you need yet another specific tool. As you can see, like Destiny, each attack requires different tools to defeat. You need to master a full arsenal of defensive weapons to combat today’s threats.
3. You won’t win the war without layered defense – The previous toolset discussion is a great segue for layered defense. In Destiny, as in infosec, there’s no single tactic or weapon that always guarantees a win. Crucible’s online player-vs-player (PvP) matches are a great example of this. For instance, in one type of Crucible match, called “Control,” one team of six defends a certain area from another team of six. There are a number of tactics you might employ to control each area. You can have your team camp directly on the control point, taking on any aggressors; you can monitor all the “ingress” points to the area to catch enemies before they arrive; or you can station long-range snipers to pick off targets from afar.
All these ideas have merit, but would fail if used individually. If your whole team camps on one spot, the enemy can snipe them from afar or lob a grenade into your group. If you only snipe from afar, the enemy might flood your control area at once, making it near impossible to shoot everyone. So what’s the answer? You should use a combination of all these tactics at once. By divvying up the tactics to different team members, you cover all your bases, ensuring you’re poised to react to any enemy countermeasure. Military strategists call this defense in depth or layered security, and the strategy works just as well for information security as it does for Destiny’s Crucible matches. There is no one tool or tactic in your arsenal that prevents every attack, so you need to implement many at once to defend your network.
4. Fix bugs or they’ll get exploited – If you’re a Destiny geek like me, you’ve probably heard of “loot caves.” Essentially, there are areas in the game where enemies respawn very quickly after dying, which basically provides you with an infinite stream of enemies to kill. Since killing enemies is tied to random loot drops, players camp near these loot caves to kill hundreds of enemies in minutes rather than hours. This increases their chance of finding rare loot. This probably isn’t what Bungie intended when they made Destiny; rather it’s a bug. As with all bugs, opportunistic “hackers” will exploit them for fun and profit, which became apparent in Destiny by the number of players you could find sitting for hours shooting into a cave.
Infosec professionals probably see a clear analogy here to the bugs and exploits found in business software as well. Hackers can’t magically take over your computer without your interaction, unless there is some sort of vulnerability in your software. However, when there are such bugs in critical software, attackers will find them and exploit them to infect our computers or steal data. The only way to prevent this is to fix the bugs. Bungie recently released a patch that closes the loot cave issue. Though Destiny is just a game, this loot cave incident shows how a small software bug might translate into a large unintended consequence. Hopefully, it reminds you of the importance of applying critical security patches quickly. Case in point: have you installed the Bash updates yet? If not, this might be a good time to do so.
5. You need to grind a bit to win – If you’ve played any role-playing game or video game with leveling, you’re probably familiar with the concept of grinding. There’s often a point in the game where the only way to get your character strong enough to take on the next challenge is to grind through repetitive tasks that give the character the experience needed to level up. This is true with Destiny. Later in the game, you get to a point where the only way to level up is to attain rare (legendary and exotic) armor and weapons. There are many avenues to do this, but all of them pretty much entail grinding through tasks you’ve done before. Go back and replay patrol missions you’ve done; keep playing multiplayer matches; repeat your strike missions again and again. In short, you just have to keep doing the same work to eventually get the experience to move to the next level.
Many of your daily security tasks probably feel like a grind. Checking your logs and visibility tools every day might get boring over time. Patching your Microsoft stuff the second Tuesday of every month probably starts to wear thin when you realize you’ll have to do it again next month. Cleaning up malware infections on a telecommuter’s laptop probably gets irritating after the tenth time you’ve done it—especially when it’s for the same telecommuter. However, as repetitive as these types of tasks seem, they make up the core responsibilities of a good first-level infosec engineer. When you are suffering through this grind, just remember that these little tasks are slowly improving the security of your organization, and giving you the experience needed to become an even better security professional.
6. When you lose, dust off and fight again – So let’s make this tip simple. If you’re like me and don’t have much time for gaming, you’ll die in Destiny’s player-vs-player (PvP) matches… a lot! When you ultimately fail, you have two choices: get mad at yourself and others and rage quit, or calm down and try again. Only one of those choices makes you a better player.
In infosec, we talk so much about attack prevention that you probably think the best measure of a security professional is a network that never gets breached. Guess what? That network doesn’t exist. Things happen, people make mistakes, and one day your organization will get breached. The best measure of a good security professional is how you react to the breach or vulnerability when it does happen. If you stay calm and learn from the experience, you’ll ultimately learn to become a better infosec Guardian. So next time you’re hit with a network disaster, dust yourself off, reevaluate your defenses, and fight another day.
7. Security is a constant arms race – When you play Destiny one thing becomes clear very quickly: there is always someone better than you, with stronger gear and weapons. Every time I get that one new gun that suddenly makes me feel über powerful, a new enemy appears that takes four times the firepower. As soon as I start racking up multi-kills in PvP, some new guy logs on and totally smokes me. Destiny, like many video games, is a constant arms race where you must continually improve your skills, tactics, and weapons.
If there is one thing you can learn about infosec from Destiny, it’s that security is never static. As new technologies emerge giving us better defenses, attackers evolve and target new vectors with novel techniques. Everyone wants that fictional silver-bullet defense, but it doesn’t exist. You need to stay alert during this arms race, and continue to update your tools and tactics to adjust to the latest threats.
Like the Guardians from Destiny, infosec professionals must stay constantly vigilant to protect their networks and organizations from The Darkness threatening our online galaxy.