Editor's note: Contains major spoilers for the TV show Squid Game.
Squid Game, the edgy, dystopian Netflix show, has captivated audiences around the globe, resulting in a fever-pitch TV moment reminiscent of Game of Thrones. On the surface, the show is rife with societal commentary and anti-capitalist messages about topics such as wealth inequality. However, viewing the show through the lens of a cybersecurity enthusiast also yields several lessons for the security community.
In this post, we'll reflect on situations in the oddly twisted world of Squid Game and translate them into six lessons for cybersecurity professionals.
Prepare for Unknown Threats
Much like the players of the Squid Game — who must find a way to win at a series of children's games without knowing what game they will be subjected to until they start playing — security professionals must find ways to defend their organizations against unforeseen threats.
This has always been true in security. Attackers have the advantage over security teams because, much like the Squid Game host, they choose the attack type and vector (the game), while defenders must be ready for countless known and unknown threats, any one of which can result in a breach (or, for the players, death). The attacker only needs to be right once; the defender has to be right every time.
Build a Diverse Team
After the first game, the Squid Game players quickly decided that forming an alliance would help them survive. Not only did it help them live through the violence of the "midnight fight" where roughly 15 players were ruthlessly murdered by their peers, but it helped the main characters defeat a much stronger team in tug-of-war using a strategy Player 001 remembered from his childhood.
The lesson for cybersecurity pros? Building a diverse and skilled team increases the chances that someone on the team has the right strategy, skill, or knowledge to win (that is, to stop or respond to a cyber threat).
Use the Right Tools
Two players were able to smuggle in tools after the games were reconvened: Sae-byeok (Player 067) and Mi-nyeo (Player 212), who brought a knife and a lighter, respectively. The knife let Sae-byeok open the air ducts and spy on the workers, giving her foreknowledge of the next game (the honeycomb), and it was later used in the midnight fight. The lighter helped two players complete game 2 by heating their needles to melt the honeycomb quickly, with little risk of breaking the wafer itself.
Similarly, security teams need the right tools to tackle the threats they face. Practitioners must keep their tooling current in order to detect and counter new attack techniques and to close gaps in their security program. This means periodically reviewing your organization's capabilities and security posture, objectively identifying the gaps, and deciding which of them can be filled with the available budget, time, and staff.
Use the Right Approach
In addition to having the right people and tools, players in the Squid Game also benefited massively from taking the correct approach to playing a game. This was quite literally the difference between life and death on many occasions. When Gi-hun discovered he could lick the honeycomb to dissolve the sugar, it gave him a massive advantage over chipping away at his wafer with the needle.
Similarly, when the glass manufacturer figured out he could see the difference between the normal and tempered glass based on how it refracted light, it allowed him to advance several squares further along the glass bridge with much less risk than he would have otherwise incurred.
It's also true that security practitioners benefit from using the right approach for a specific problem. For example, insider threats are best tackled with behavior analysis: establishing what normal activity looks like for each user and their peers, then looking for deviations from it, rather than relying on signatures that an authorized user will never trip. It's also important for security teams to document their processes so that they can be repeated by different staff members with the same result. Once one team member has perfected a technique for something, such as investigating malware in your environment with your tooling, that knowledge can be shared with the rest of the team. The final benefit of finding and documenting your approaches is that they can then be automated with orchestration tools.
Defense in Depth Works
Parallels can be made between assembling an effective security posture and hosting a successful Squid Game. In both cases, you're looking to eliminate threats (to your organization, or to your prize money) in a successive set of filters. In Squid Game, this was accomplished by subjecting the participants to children's games and eliminating the losers. Each game eliminated a percentage of players until only one remained. The chart below shows the effectiveness of this approach.
Security teams should take this same approach, but instead of killing players, they stop attacks using complementary controls. For example, network security tools (e.g., firewalls) can be deployed alongside application security controls (e.g., a Web application firewall), endpoint security (e.g., endpoint detection and response), email security, and identity and authentication controls (e.g., multifactor authentication). Each successive layer makes it that much harder for an attacker to succeed. This approach isn't about building an "attacker-proof" security posture; it's about slowing attackers down and making your organization a less attractive target. The more layers of the onion attackers need to peel to reach their objective, the less likely they are to keep going. Additionally, each layer that slows an attacker down buys the security team more time to detect and react.
Insiders Can Also Be Threats
Squid Game has both malicious and compromised insiders. The police officer, Hwang Jun-ho, sneaked into the game to find his brother by killing worker 29 and taking his identity. This is analogous to a compromised insider: Jun-ho was inside the game's security perimeter, used a known identity and credentials, and was misaligned with the host's intentions.
The organ harvesting ring is analogous to malicious insiders: they are employees of the host's organization, but they knowingly abuse their access privileges for their own ends. In both cases, these threats were discovered the same way you should discover them in your IT environment, by finding abnormal behavior that differs from the baseline behavior of the individuals involved or of their peers.
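The behavior analysis mentioned in the "right approach" section and in the paragraph above, as an added illustration that is not part of the original post: a small Python script that builds a per-user and per-team (peer group) baseline from a training window of access logs, then flags any user-day that departs from either baseline. The log format, the feature set (distinct resources per day, off-hours events, resources never seen before) and the mean-plus-3-sigma threshold are all assumptions chosen for the example; the log lines are constructed, not real data.

```python
"""Flag user-days that deviate from the user's own baseline or from their peers'.
Added example: log format, features and thresholds are assumptions, not a product."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

OFF_HOURS = (7, 20)  # assumed policy: events before 07:00 or from 20:00 are off-hours

# Constructed sample data (not real logs): "timestamp,user,team,resource".
BASELINE_LOG = """
2021-10-04T09:12:00,alice,ops,inventory-db
2021-10-04T10:40:00,alice,ops,inventory-db
2021-10-05T09:05:00,alice,ops,inventory-db
2021-10-05T14:22:00,alice,ops,ticketing
2021-10-06T09:30:00,alice,ops,inventory-db
2021-10-07T09:48:00,alice,ops,ticketing
2021-10-04T09:00:00,bob,ops,inventory-db
2021-10-05T09:10:00,bob,ops,ticketing
2021-10-06T09:20:00,bob,ops,inventory-db
2021-10-07T09:25:00,bob,ops,inventory-db
"""
OBSERVED_LOG = """
2021-10-08T02:13:00,alice,ops,inventory-db
2021-10-08T02:20:00,alice,ops,payroll-db
2021-10-08T02:31:00,alice,ops,hr-records
2021-10-08T02:45:00,alice,ops,source-repo
2021-10-08T03:02:00,alice,ops,customer-pii
2021-10-08T09:10:00,bob,ops,inventory-db
"""


@dataclass
class Event:
    ts: datetime
    user: str
    team: str
    resource: str


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, team, resource = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), user, team, resource))
    return events


def daily_features(events):
    """Per (user, date): the set of resources touched and the number of off-hours events."""
    per_day = defaultdict(lambda: {"resources": set(), "offhours": 0})
    team_of = {}
    for e in events:
        f = per_day[(e.user, e.ts.date())]
        f["resources"].add(e.resource)
        if e.ts.hour < OFF_HOURS[0] or e.ts.hour >= OFF_HOURS[1]:
            f["offhours"] += 1
        team_of[e.user] = e.team
    return per_day, team_of


def build_baseline(events):
    """Daily series per user and per team (the peer group) from the training window."""
    per_day, team_of = daily_features(events)
    new_series = lambda: {"distinct": [], "offhours": [], "seen": set()}
    users, teams = defaultdict(new_series), defaultdict(new_series)
    for (user, _day), f in per_day.items():
        for s in (users[user], teams[team_of[user]]):
            s["distinct"].append(len(f["resources"]))
            s["offhours"].append(f["offhours"])
            s["seen"].update(f["resources"])
    return {"users": dict(users), "teams": dict(teams)}


def threshold(values):
    """mean + 3 sigma, but at least one unit above the mean so that a flat baseline
    (e.g. zero off-hours events every day) does not fire on a single stray event."""
    return mean(values) + max(3 * pstdev(values), 1.0)


def score(events, baseline):
    """One finding per user-day that deviates from the user's own or the peers' baseline."""
    per_day, team_of = daily_features(events)
    findings = []
    for (user, day), f in per_day.items():
        own = baseline["users"].get(user)
        peers = baseline["teams"].get(team_of[user])
        if own is None or peers is None:  # unknown user or team: cannot baseline, so surface it
            findings.append({"user": user, "day": str(day), "reasons": ["no baseline for user or team"]})
            continue
        distinct, offhours = len(f["resources"]), f["offhours"]
        reasons = []
        if distinct > threshold(own["distinct"]):
            reasons.append(f"{distinct} distinct resources exceeds own baseline")
        if distinct > threshold(peers["distinct"]):
            reasons.append(f"{distinct} distinct resources exceeds peer baseline")
        if offhours > threshold(own["offhours"]):
            reasons.append(f"{offhours} off-hours events exceeds own baseline")
        new_to_user = sorted(f["resources"] - own["seen"])
        new_to_team = sorted(f["resources"] - peers["seen"])
        if new_to_team:
            reasons.append("resources never seen in team: " + ", ".join(new_to_team))
        if reasons:
            findings.append({"user": user, "day": str(day), "distinct": distinct, "offhours": offhours,
                             "new_to_user": new_to_user, "new_to_team": new_to_team, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score(parse_log(OBSERVED_LOG), build_baseline(parse_log(BASELINE_LOG))):
        print(finding["user"], finding["day"], "->", "; ".join(finding["reasons"]))
```

On the constructed data, alice's observed day is flagged on all four counts (five distinct resources against a baseline of about one a day for both her and her team, five off-hours events against none, and four resources nobody on the team had ever touched), while bob's ordinary day produces no finding. The peer comparison is what catches a user whose own history is already abnormal (a long-running malicious insider), and the "no baseline" branch is what a freshly assumed identity like Jun-ho's would fall into.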