Cybersecurity is Like Playing Dungeons & Dragons
How our security operations mirror the fantasy tabletop role-playing game
In our current security operations’ workflows, qualifying threats, understanding the threat’s scope, and determining root cause closely resemble how players interact with their Dungeon Master (DM). With each alert, analysts must determine which ‘paths’ to investigate. There isn’t sufficient time to explore each and everything path. This means that if an analyst doesn’t ask the right question or interpret the response correctly, they find themselves going down the wrong path all too easily.
Take this example from a group playing Dungeons and Dragons
(based on http://hackslashmaster.blogspot.com/2012/05/on-missed-treasure.html):
DM: You have come across a clearing in the forest. In the clearing is a small pond.
Ranger: Are there signs of animals in the pond?
DM: You see a giant floating frog corpse about five feet in length.
Ranger: Are there signs the frog was killed or eaten by anything?
DM: The frog corpse is fairly intact. To get closer to it you will need to either get in the pond or pull it closer to you somehow.
Fighter: Is it obviously dead?
DM: It doesn’t appear alive. Its lying belly up floating in the pond.
Fighter: Can I check it with a rock?
Ranger: No, I’ll grapple it.
DM: OK, you grapple the frog. You now have a frog corpse near the shore.Ranger: Can we see anything on the frog?
DM: You see several gashes all over the lower stomach as if it’s been stabbed a dozen times with a short blade. The wounds look ragged.
Warlock: Are they in a pattern, like teeth marks?
DM: No.
Ranger: Are the punctures facing inward or outward?
DM: Sorry?
Ranger: Could the marks be from something coming out of the frog as opposed to it being stabbed?
DM: It’s possible.
Alchemist: Let’s dissect it.
Warlock: Sounds gross.
Fighter: Right, let’s just move on.
Ranger: Yes, we decide to keep walking in the forest.Narrator: And thus ends the tale of how the body of the gnome Hyusi-bigglebag and his magical sword (among other valuable possessions), who was swallowed by a giant frog that died from his repeated dagger stabs, was never discovered. The body was later eaten by a Grue.
If this story seems familiar it’s because it happens far too often in security. If we retell the story as a threat investigation, it goes something like this:
Security Information and Event Management (SIEM): Alert — The firewall just allowed traffic from an internal IP to an external IP, right after the IPS blocked traffic from the same external IP to the internal IP.
Security Analyst: OK, SOAR, what’s the playbook for this?
Security Orchestration, Automation and Response (SOAR): Get contextual data for the external IP and pivot search on the target IP’s activities.
Security Analyst: SIEM, what do you know about this external IP?
SIEM: No hits from any threat intelligence list. Want me to get the registrar info from whois?
Analyst: No. Hey EDR, can you show me everything that happened on the internal IP 10 minutes before and after the alert?
Endpoint Detection and Response (EDR): OK, there are a dozen parent processes with a few hundred child processes running.
Analyst: Who is on the system?
EDR: There are two users with running sessions, root and bsmith.
Security Analyst: What has Root been doing?EDR: No recent activity. Root is the owner of several services that have a long uptime.
Security Analyst: What was the network traffic that was allowed through the firewall?
NextGen Firewall (NGFW): An HTTPS get request.
Security Analyst: Was there a response?
NGFW: No.
Security Analyst: Are there any EPP events for this host during this time frame?
Endpoint Protection Platform (EPP): No.
Security Analyst: OK, this sounds like a false positive. I am going to move onto the next alert.Narrator: And thus ends the story of how the COMpfun remote access trojan (RAT) capable of carrying out man-in-the-middle (MitM) attacks on encrypted traffic wasn’t discovered until much later after compromised account information was already successfully exfiltrated. The security analyst was later eaten by a Grue.
Similar to D&D, there are multiple paths for the security analysts. However, the security analyst does not have the luxury of time. Its not always intuitive which path to investigate, even when guided by prior experiences and playbooks. While playing D&D and exploring multiple paths is enjoyable, it’s highly stressful to rely on guesswork to perform security investigations. There are too many paths to investigate with dead ends that reach inconclusive results.
It is time technology began to work more intelligently to guide us down the right path. Note, this isn’t a playbook for how to investigate, but a mechanism to tell us what to investigate. This looks like technology evaluating investigation paths on the security analysts’ behalf to determine which provides the clearest evidence that qualifies the threat indicator and shines details on its root cause and the threat’s scope.