Six infosec tips I learned from Game of Thrones

In Westeros—the land of dark knights, backstabbing royals, dragons, wildings, wargs, red witches, and White Walkers—even the youngest ones have to learn basic self-defense if they’re to have any hope of surviving the cruel fictional world imagined by A Game of Thrones (GOT) author, George R. R. Martin. And so too, must every CISO and security pro learn the latest information security best practices if they’re to survive today’s Internet threat landscape.

If you’re a GOT fan, you’re probably excited about the recent launch of season four. Accordingly, the second article of my pop-culture/cyber-security series explores the information security tips you might extract from the morbidly dark, yet inescapably intriguing fantasy series. Here are six security tips I learned from Game of Thrones:

1. The sturdiest wall may conceal a hidden passage. In Game of Thrones, The Wall is a colossal fortification that protects the Seven Kingdoms from the mysterious and malignant beings (the Others), who live in the far north. Made entirely of ice, it runs more than 300 miles in length and stands 700 feet tall. Even from the defender’s side, riding the rickety lift to the top seems like a petrifying proposition, let alone trying to breach it from the outside. On the surface, The Wall offers an impressive, seemingly impenetrable defense.

So how does this relate to information security (infosec)? I could go the obvious route and talk about how your network needs a “wall” to defend its perimeter, or maybe mention the importance of manning your network wall the way the Night’s Watch guards the gates of the North. However, though those tips ring true, I’m going a more unconventional direction by reminding you there are cracks or holes hiding in every wall.

As impassable as The Wall seems, many groups were able to breach it throughout Martin’s narrative. For instance, a group of wildlings and Jon Snow simply climb over it at one point. Even Bran and his ragtag group of kids, with help from Samwell, find a secret passage called The Black Gate.

The point here is no defense is perfect. Every defense can fail under the right pressure, or miss certain types of attacks. This is why infosec experts have long relied on the basic concept of defense in depth.

Here’s a concrete example. If you manage a network, you need a firewall. However, firewalls—especially traditional ones—will miss many types of attacks. Today, most network attacks originate from the inside (your users clicking a link), and occur over ports you must allow through your firewall (80, 443). Most legacy firewalls miss these. In fact, no technical security control, no matter how advanced, can prevent every type of attack. This is why you need to layer multiple defenses together, so others can catch what the first layers miss.

While the final battle between the White Walkers and The Wall has yet to begin, I feel safe in predicting that if Westeros relies on The Wall alone for defense, they have a lot to fear!

2. Heed the warnings of ravens. In the Game of Thrones universe, maesters (and by extension the kings they serve) send important messages to one another through ravens; in the same way we used carrier pigeons in the past. However, over time these raven messengers developed an unfavorable reputation, likely since they often delivered bad news. “Dark wings, dark words,” as the in-world saying goes. Nonetheless, bad or not, these messages usually contain important news, and ignoring the news carries consequences.

In one such example, Aemon (maester to the Night’s Watch) bade Samwell to ready Castle Black’s forty-four ravens to send messages warning the Seven Kingdoms of the return of the White Walkers, and the impending threat on Castle Black. However, most of the kings ignored these messages, not believing the threat really existed. Ultimately, this would have ended in tragedy if not for one king. Eventually, Davos convinced King Stannis to heed the warning, and ride to Castle Black’s rescue. If not for this, the Seven Kingdoms may have fallen.

In network security, our ravens come in the form of log messages and reports. We deploy various network and security controls that monitor our computers and networks. They record logs of interesting or unusual activity, probable malicious activity, and even prevented attacks. However, if you don’t regularly inspect these logs and heed their potential warnings, you may miss the opportunity to take actions that could prevent an impending breach.

The recent Neiman Marcus and Target breaches are great examples of not heeding warnings. In both cases, forensic investigations uncovered that these organizations had security logs that identified malicious activity related to the breaches. Neiman Marcus’ systems apparently logged over 60,000 security events, and Target had an advanced threat protection solution that identified the POS malware in their systems. However, Target and Neiman Marcus either didn’t registers these warnings, or ignored them outright, and thus missed the opportunity to take actions that may have prevented the data theft.

In short, watch for ravens and heed their warnings. They may deliver the intelligence you need to withstand an attack. As an aside, if you think using birds to send digital messages sounds ludicrous, check out this fun RFC (1149).

3. Words carry more power than weapons. Game of Thrones likely enjoys a wider mass appeal than most fantasy since it spends more time exploring political intrigue and human sociology than it does swords and sorcery. Many of the fictional world’s conflicts are fought in council chambers, at dinner tables, and in gardens, not on battlefields. Lies and manipulations are the weapons of choice. In fact, many of the physically weakest characters, who don’t carry positions of authority, often wield much more influence and power than is first apparent.

Lord Varys (The Spider), Lord Baelish (Littlefinger), and Tyrion Lannister (The Imp), are all perfect examples of this type of smart, manipulative character and savvy politician. They use well-placed words and subtle suggestions to manipulate events to their liking, rather than armies or direct power. Often, their victims don’t even realize they are targets of attack, until it’s too late. When you see a sword being swung at you, it’s obvious to defend with your shield and counter attack, but how do you defend against malicious whispers and rumors that you may not even hear yourself?

In the security industry, we call this sort of threat actor a social engineer. Social engineers prey on weaknesses in human behavior to trick unsuspecting users into doing things they shouldn’t, rather than exploiting technological flaws to break into networks.

Unfortunately, our industry spends more time defending against technological threats than human ones. Social engineering attacks don’t rely on technical flaws, so the best mechanical defenses do little to stop them. While you should certainly bolster your technical defenses, don’t forget to spend time educating your users to make them aware of the tricks social engineers exploit. You may have erected a castle wall, but that won’t prevent an attacker from tricking an untrained guard into opening your gates.

4. Beware the insider threat. While you’re considering the manipulative characters in Game of Thrones, don’t forget that these characters often attack people in their own group. If, say, the Lannisters used every shady, backhanded, manipulative trick in their book to defeat an obviously evil enemy, such as the White Walkers, you’d probably forgive them. However, the manipulators in GOT target members of their own kingdom, council, and even family, for personal gain. In other words, they are insiders carrying out insider attacks.

Spoiler alert: Avoid the next paragraph if you haven’t watched the latest TV episodes.

Perceptive viewers just saw a perfect example of an insider attack during the latest TV episode (S4EP2), when King Joffery dies under mysterious circumstances (hurrah!). If you’ve read the books, or noticed some of the subtle visual cues in the episode, you may have already guessed the culprit. But even if you have no clue whodunit, you probably still suspect poison, and realize that Joffrey’s attacker must have been close. One second he was drinking a cup of wine without issue, the next second a sip of wine resulted in swift death; a classic insider job.

The take-away here is obvious, but still quite important. Inside attackers are not fiction. Malicious insiders have carried out many real-world security breaches and data leaks. It’s easy to overlook the insider threat, since malicious insiders are harder to identify and do anything about (they already have elevated access), but you need to remain wary of the threat.

Some basic defensive advice includes vetting your employees and partners carefully, implementing internal segmentation and access control to enforce least privilege principles, and leveraging data loss prevention technology to identify leaks, even when they come from within.

5. The best training makes the best defenders. One of the things I like most about A Game of Thrones is its strong female characters. Unlike in stereotypical, outdated fantasy troupes, most women in this story aren’t princesses in need of saving. One of my favorite female characters is Arya Stark. When we first meet Arya, she’s a small, nine-year-old girl. Initially, most would not suspect her to be a character of much consequence in an epic tale about battles with medieval knights, wicked sorcerers, mystical zombies, and dragons. Yet, Ayra develops into one fierce warrior.

What makes the difference? Well, Arya’s heart and attitude have much to do with it, but ultimately, I would argue training is what makes her the accomplished fighter she becomes. Arya hones her skills every chance she gets. Early in the series, the girl strives to receive bow training that the menfolk typically reserve for boys. In King’s Landing, she trains in a graceful style of swordplay called Water Dancing, chasing cats to improve her balance. Finally, for those who read the books, she joins the guild of Faceless Men, where she receives even more specialized training from the Kindly Man. Through this training Arya becomes a formidable character, and as a result, I’m sure we’ll see great things from her.

Like the best warriors out there, the best network defenders are those who train the most. The more you immerse yourself in information security knowledge, news, and practices, the better you’ll be at defending your organization. While every pundit has a different view of the various certifications out there, all of them require some study, which means you are training in your field. If you are passionate about protecting your network, continue to learn all you can about infosec. Play with attacker tools (many are freely available in Kali linux), not just security controls. Read the latest research from the smartest whitehat hackers. Simply put, the more you train in your field, the better you’ll get at it.

6. Winter is coming (or stay vigilant). Even if you’ve not caught a single episode of Game of Thrones, or cracked any of the books, if you follow Internet pop culture you’ve probably seen references to the phrase “Winter is coming.”

“Winter is coming” is the motto of House Stark, one of the main GOT protagonist families. As a family of the North, the Starks’ forefathers were directly affected and closely involved in “The Long Night,” which was the first time the White Walkers invaded the lands of Westeros. As a result, the Starks better remember the atrocities and sufferings of that time, whereas other citizens dismiss it all as legend. The motto “Winter is coming” is the Starks’ way of reminding their descendants to stay vigilant against future strife and attacks.

The advice to “stay vigilant” directly applies to information security. In fact, if I could only give one piece of security advice, it would be to stay vigilant. The techniques blackhat hackers exploit to breach our networks will continue to change, our defenses depreciate over time and need updating, but one thing remains constant. There is a threat actor somewhere on the Internet who wants your digital information. Constant vigilance means you accept that the threat is real, and remain continually cognizant of potential new attacks. Even if you don’t have the latest, high-tech security gadget or largest team of crack security experts, your vigilance will allow you to recognize and react to real digital attacks much quicker than the apathetic administrators who ignore the threat entirely.

There is a second part to the Starks’ motto, which is left unsaid. Winter is coming-¦ prepare for it.

The Game of Thrones world often seems like an overly dark universe, where our beloved characters perish and the perceived “good guys” lose as many battles as they win. However, you can learn from their mistakes. Follow theses six security tips and perhaps you’ll prevail when the digital White Walkers storm your network gates.

Don't miss