Six infosec tips I learned from Game of Thrones

WatchGuard Technologies Inc

By Corey Nachreiner*
Tuesday, 09 December, 2014



Follow these six security tips to prevent the digital White Walkers from storming your network gates.

In Westeros - the land of dark knights, backstabbing royals, dragons, wildings, wargs, red witches and White Walkers - even the youngest ones have to learn basic self-defence if they’re to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George RR Martin. So too must every CISO and security pro learn the latest information security best practices if they’re to survive today’s internet threat landscape.

Here are six security tips I learned from Game of Thrones:

1. The sturdiest wall may conceal a hidden passage. In GOT, The Wall is a colossal fortification that protects the Seven Kingdoms from the mysterious and malignant beings (the Others), who live in the far north. Made entirely of ice, it runs more than 480 km in length and stands 210 m tall. Even from the defender’s side, riding the rickety lift to the top seems like a petrifying proposition, let alone trying to breach it from the outside. On the surface, The Wall offers an impressive, seemingly impenetrable defence.

So how does this relate to information security (infosec)? I could go the obvious route and talk about how your network needs a ‘wall’ to defend its perimeter, or maybe mention the importance of manning your network wall the way the Night’s Watch guards the gates of the North. However, though those tips ring true, I’m going in a more unconventional direction by reminding you that there are cracks or holes hiding in every wall.

As impassable as The Wall seems, many groups were able to breach it throughout Martin’s narrative. The point here is that no defence is perfect. Every defence can fail under the right pressure, or miss certain types of attacks. This is why infosec experts have long relied on the basic concept of defence in depth.

Here’s a concrete example. If you manage a network, you need a firewall. However, firewalls - especially traditional ones - will miss many types of attacks. Today, most network attacks originate from the inside (your users clicking a link) and occur over ports you must allow through your firewall (80, 443). Most legacy firewalls miss these. In fact, no technical security control, no matter how advanced, can prevent every type of attack. This is why you need to layer multiple defences together, so others can catch what the first layers miss.

2. Heed the warnings of ravens. In the GOT universe, maesters (and by extension the kings they serve) send important messages to one another through ravens, in the same way we used carrier pigeons in the past. However, over time these raven messengers developed an unfavourable reputation, likely since they often delivered bad news. “Dark wings, dark words”, as the in-world saying goes. Nonetheless, bad or not, these messages usually contain important news, and ignoring the news carries consequences. 

In network security, our ravens come in the form of log messages and reports. We deploy various network and security controls that monitor our computers and networks. They record logs of interesting or unusual activity, probable malicious activity and even prevented attacks. However, if you don’t regularly inspect these logs and heed their potential warnings, you may miss the opportunity to take actions that could prevent an impending breach.

The recent Neiman Marcus and Target breaches are great examples of not heeding warnings. In both cases, forensic investigations uncovered that these organisations had security logs that identified malicious activity related to the breaches. Neiman Marcus’ systems apparently logged over 60,000 security events, and Target had an advanced threat protection solution that identified the POS malware in their systems. However, Target and Neiman Marcus either didn’t register these warnings or ignored them outright, and thus missed the opportunity to take actions that may have prevented the data theft.

3. Words carry more power than weapons. GOT likely enjoys a wider mass appeal than most fantasy since it spends more time exploring political intrigue and human sociology than it does swords and sorcery. Many of the fictional world’s conflicts are fought in council chambers, at dinner tables and in gardens, not on battlefields. Lies and manipulations are the weapons of choice. In fact, many of the physically weakest characters, who don’t carry positions of authority, often wield much more influence and power than is first apparent.

Lord Varys (The Spider), Lord Baelish (Littlefinger) and Tyrion Lannister (The Imp) are all perfect examples of this type of smart, manipulative character and savvy politician. They use well-placed words and subtle suggestions to manipulate events to their liking, rather than armies or direct power. Often, their victims don’t even realise they are targets of attack - until it’s too late.

In the security industry, we call this sort of threat actor a social engineer. Social engineers prey on weaknesses in human behaviour to trick unsuspecting users into doing things they shouldn’t, rather than exploiting technological flaws to break into networks.

Unfortunately, our industry spends more time defending against technological threats than human ones. Social engineering attacks don’t rely on technical flaws, so the best mechanical defences do little to stop them. While you should certainly bolster your technical defences, don’t forget to spend time educating your users to make them aware of the tricks social engineers exploit. You may have erected a castle wall, but that won’t prevent an attacker from tricking an untrained guard into opening your gates.

4. Beware the insider threat. While you’re considering the manipulative characters in GOT, don’t forget that these characters often attack people in their own group. If, say, the Lannisters used every shady, backhanded, manipulative trick in their book to defeat an obviously evil enemy, such as the White Walkers, you’d probably forgive them. However, the manipulators in GOT target members of their own kingdom, council and even family for personal gain. In other words, they are insiders carrying out insider attacks.

The take-away here is obvious, but still quite important. Inside attackers are not fiction. Malicious insiders have carried out many real-world security breaches and data leaks. It’s easy to overlook the insider threat, since malicious insiders are harder to identify and do anything about (they already have elevated access), but you need to remain wary of the threat.

Some basic defensive advice includes vetting your employees and partners carefully, implementing internal segmentation and access control to enforce least privilege principles, and leveraging data loss prevention technology to identify leaks, even when they come from within.

5. The best training makes the best defenders. One of the things I like most about GOT is its strong female characters. Unlike in stereotypical, outdated fantasy stories, most of the women aren’t princesses in need of saving. One of my favourite female characters is Arya Stark. When we first meet Arya, she’s a small, nine-year-old girl. Initially, most would not expect her to be a character of much consequence in an epic tale about battles with medieval knights, wicked sorcerers, mystical zombies and dragons. Yet Arya develops into one fierce warrior.

Like the best warriors out there, the best network defenders are those who train the most. The more you immerse yourself in information security knowledge, news and practices, the better you’ll be at defending your organisation. While every pundit has a different view of the various certifications out there, all of them require some study, which means you are training in your field. If you are passionate about protecting your network, continue to learn all you can about infosec. Play with attacker tools (many are freely available in Kali Linux), not just security controls. Read the latest research from the smartest whitehat hackers. Simply put, the more you train in your field, the better you’ll get at it.

6. Winter is coming (or stay vigilant). Even if you’ve not caught a single episode of GOT, or cracked any of the books, if you follow internet pop culture you’ve probably seen references to the phrase “Winter is coming.”

The advice to stay vigilant directly applies to information security. In fact, if I could only give one piece of security advice, it would be to stay vigilant. There is a threat actor somewhere on the internet who wants your digital information. Constant vigilance means you accept that the threat is real and remain continually cognisant of potential new attacks.

* Corey Nachreiner is Director of Security Strategy and Research, WatchGuard Technologies

