Like many of you, I spend my days immersed in the world of cybersecurity and identity. Nights and weekends, however, are times for friends, family, and hobbies. My hobby of choice is board games. At the time of this post, I own over 140 games. I have played over 400 different games, regularly host two game nights a week, and attend a board game conference (yes, they exist!) once a year.
Hobbies are meant to take us away from the day-to-day of our jobs. They are a way to pursue new knowledge or a new skill. Humans have been playing board games for at least 5,000 years. There are even a few games featured prominently on Egyptian hieroglyphics or etched into the base of Assyrian winged lions so that the sentries could play. Board games not only allow us to enjoy time with friends and family, but they transport us to new places and allow us to take on new personas.
One day I was playing some games with my game group and, without my conscious effort, my hobby and my day job mixed. The result was interesting and provided me some insight I’d like to share.
The first time my hobby and my job crossed over, I was playing BANG! The Dice Game – a hidden role game set in the wild west. It is a struggle between the law – the Sheriff and Deputies – and the lawless Outlaws and Renegades. In this game, we only know the Sheriff’s role. All other players keep their role hidden. The key to the game is the win conditions. The Sheriff and Deputies win when all the Outlaws and Renegades are dead. The Outlaws win when the Sheriff is dead. The twist in the game, however, is the win condition for the Renegade. The Renegade wins if the Sheriff dies and they are the last player standing. What this means for the Renegade is that they pose as a Deputy early in the game and work alongside the Sheriff and other Deputies to remove the outlaws before turning on the law to pursue a victory.
With that context in mind, let’s take this full circle back to identity. While identity doesn’t often feel like fun and games, we can adopt strategies and lessons from board games and apply them to your identity programs.
The Renegade is the insider threat.
The Renegade initially plays as if they are a Deputy, only to turn when it’s most advantageous and kill the Sheriff (steal the critical data).
The best way to figure out who’s who in these games is via activity.
Outlaws will quickly start shooting at the Sheriff; deputies will then aim their fire at the outlaws. Activity is the key to figuring out who’s who. We do similar things in identity when we ask, “What are people doing with the access they have?”
The presence of a traitor makes it harder for the “good guys.”
This is, of course, obvious for Identity professionals. If it weren’t for the insider threat, many of us wouldn’t have jobs. The key insight here, however, is that we have to find a way to root out the traitor without causing ourselves too much harm. It’s not uncommon, for example, for experienced Deputies to start shooting at each other in the hopes of rooting out the Renegade. Waiting too long to take on the Renegade can mean that both deputies and outlaws are too weak to handle the Renegade when he turns. On the other hand, weakening other deputies is a significant risk.
The traitor is often looking for “dark corners” to do bad things.
The worst possible outcome for the Renegade is that they are “figured out” early in the game. Because of this, they need to find ways to look and act like a Deputy. Sometimes this means doing something “bad” in a way that the other players can’t tell it was you. This isn’t dissimilar to what we see in breaches today. The “bad guys” typically aren’t at their stand-up desk in the middle of a crowded area at work during the workweek downloading privileged information. More often, they are in areas where people can’t see them (physically or digitally) using credentials or badges that aren’t theirs. As identity professionals, we are often tasked with shrinking the “dark corners” and deny the insiders the opportunity to breach.
Lastly, and most interestingly, being the traitor is difficult.
If the Sheriff and Deputy build trust and deny the traitor the ability to find “dark corners,” being the traitor is impossible. In the end, the traitor is just one person (or a small team) going against a much larger, more powerful team. Stealth is their best weapon but robbed of that they are easily defeated.