Cyber Security Lessons from “The Martian”
Blog Article Published: 11/16/2015
By TK Keanini, Chief Technology Officer, Lancope

First things first: if you have not seen the movie or read the book “The Martian,” stop right now and do not continue, because there will be spoilers. You have been warned.

On more than one occasion in my life as a security professional, I have felt like I was stranded on Mars, all alone with only my wits and spirit to survive. As I read The Martian, I kept thinking about what skills and practices would help a security practitioner in their day-to-day life. What would Mark Watney do? During an ongoing attack there is no time to deploy new tools, and no one is more familiar with your network environment than you. You must use the tools and knowledge immediately available to survive, and time is not on your side. Maybe that is why this book resonated so well with me.

This post is the first in a two-part series. Watney’s approaches can be divided between methodologies and psychological skills, both of which are equally important in a stressful situation such as a cyber-attack. In this post, I’ll explore how Watney approached problem-solving and what logic he used to give himself the best chance of survival.

Science is helpful for what can be explained by science

Sciences like physics, chemistry and botany teach us that a small percentage of the future can be predicted if we play within laws that are deterministic. Within those formulas we can predict the outcome of an action, but what “The Martian” illustrates is that even with everything science provides, most of the future cannot be determined, and we simply have to deal with it. Science explains only a very small percentage of what we as humans experience, so if you happen to be on the high horse of science, get off before you fall. Science only takes you so far; for the rest you are on your own.

Adapt or die

During his entire time on Mars, Watney had to adapt to an unfriendly and deadly environment.
He had to assume the roles of farmer, trucker and construction worker to survive. As a farmer, he used his limited resources to create an environment suitable for growing potatoes, to sustain his diet until rescue. As a trucker, he had to make his entire living space mobile for the trek across plains and mountains to the rescue craft. As a construction worker, he had to modify that craft, stripping weight and other properties, so that he could reach orbit with the fuel on hand. All of these roles are crafts, which means they encompass not just processes and skills but resources and tools as well. Watney needed all of it to survive. It is likely that an individual in your organization fulfills multiple roles, such as incident responder, business leader and IT operations, as they go about their daily job. Adaptation is a survival skill on any planet.

Utilize lateral thinking

While Watney had advanced machinery and materials designed specifically for Mars, none of it was meant for use beyond 31 days. Watney had to stretch it for a year and a half and use it in ways it was never intended. To do that, he had to get creative. He modified machines, adapted materials and jury-rigged a potato farm in his living quarters. In cyber-security, organizations cannot afford to buy a new tool for every specific need. In fact, attempting to do so is ineffective and can lower overall security, because every additional tool is one more thing to integrate, maintain and watch. Instead, we must adapt our tools. Often we can use them for purposes the designer did not envision and make them work with our other tools in creative ways. The same applies to processes. What doesn’t work at another organization may work in yours. Maybe your team is versatile and benefits from regular role reassignments. Maybe your tools are also useful to network operations, which can help garner funding for future cooperative investments. Don’t be afraid to try new and crazy things. It just might save you.
Plan for Failure

A plan is only good until it makes first contact with the enemy. Systems fail and processes prove ineffective, so you cannot count on success. For every plan Watney came up with, he tested it and prepared for its failure. Whenever he modified the rover, he drove it around the Hab for days to see how it held up under use. When he re-established communication with Houston using the remains of the Mars Pathfinder probe, he also worked out how to keep sending updates in Morse code should that link fail. Of course, Watney could not imagine every failure scenario, but he planned for enough of them to stay alive.

In cyber security, we must plan for failure in the same way. Strong network perimeter defenses are important, but they cannot be the sole source of security. Monitoring internal network traffic, segmenting the network properly and detecting anomalous and malicious behavior are the measures that let you stop an attacker after the perimeter has already failed. And don’t forget to save a nice meal for the day you survive something that should have killed you.

Testing and rehearsals are critical

According to Watney, “in space no one can hear you scream like a little girl.” We can plan for failure, but that doesn’t make it any less terrifying. To keep that terror at bay, Watney tested, rehearsed and tested some more before he did anything. His modified rover had days’ worth of travel on the odometer before he drove it further than walking distance from the Hab. He put his makeshift tent through the wringer, breaking it in the process, before he ever spent a night in it. Some failures are so complete that there is no possible backup plan, so we must push our tools and responses until they break in order to make them as strong as possible. This is the mentality behind penetration testing. Security teams need to know exactly what to do in the event of an attack.
If they don’t know something, they need to be able to find it out in minutes. Security tools must function properly under pressure, and responses need to be effective. Start with these questions:

Do you have an incident response plan? (You should.)
Have you tested that plan? (You should.)
Do you know what to do in the event of an outside attack? What about an inside attack?
What are the limits of your tools?
Are there any critical blind spots or vulnerabilities in your network? How do you know?

Rehearse attack scenarios to find the answers to these questions. Then rehearse some more, and do it regularly. If you don’t identify your own weaknesses first, someone else will.

Next week, I’ll cover what Watney did to stay sane in the face of isolation and death. I’ll also touch on the interpersonal factors present across the entire Ares 3 crew, which ultimately allowed them to rescue Watney without losing a single person.
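To make the “Plan for Failure” point concrete, here is an added example of the kind of internal-traffic check that section calls for. It is not code from the original post or from Lancope. It assumes a made-up three-segment addressing plan (users, servers, management), a hypothetical segmentation policy, and a simple whitespace-separated flow record format (timestamp, source, destination, destination port, protocol, bytes); the flow records themselves are constructed for the example. It reports the two things a perimeter device never sees: a cross-segment connection the policy does not permit, and one internal host fanning out to many internal peers on a single port, which is what lateral movement or scanning looks like in flow data.

```python
import ipaddress
from collections import defaultdict

# Hypothetical internal segments; a real deployment would load these from the IPAM.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt":    ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical segmentation policy: (source segment, destination segment) -> allowed
# destination ports. Any other cross-segment flow is a violation worth a look.
ALLOWED = {
    ("users", "servers"): {443},
    ("mgmt", "servers"):  {22, 443},
    ("mgmt", "users"):    {22},
}

# Distinct internal peers on one port before a host is reported as fanning out.
FANOUT_THRESHOLD = 5

# Constructed flow records (not real data): timestamp src dst dport proto bytes.
SAMPLE_FLOWS = "\n".join(
    [
        "2015-11-16T10:00:01 10.10.5.23 10.20.1.9 443 tcp 5120",  # users -> servers on 443: allowed
        "2015-11-16T10:00:02 10.10.5.23 8.8.8.8 53 udp 80",       # external peer: out of scope
        "2015-11-16T10:00:03 10.30.0.5 10.20.1.9 22 tcp 2048",    # mgmt -> servers on 22: allowed
        "2015-11-16T10:01:00 10.10.5.23 10.20.1.9 445 tcp 1200",  # users -> servers on 445: violation
        "2015-11-16T10:01:05 10.10.5.23 10.30.0.5 22 tcp 300",    # users -> mgmt: violation
    ]
    # The same workstation probing six neighbours on 445 inside its own segment:
    # no policy violation, but a fan-out pattern that should be reported.
    + [f"2015-11-16T10:02:{i:02d} 10.10.5.23 10.10.7.{i} 445 tcp 200" for i in range(1, 7)]
)


def segment_of(ip):
    """Return the segment name for an internal address, or None if untracked."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def analyze(lines):
    """Return findings as tuples; only internal-to-internal flows are examined."""
    findings = []
    peers = defaultdict(set)  # (src, dport) -> distinct internal destinations
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg is None or dst_seg is None:
            continue  # traffic to or from untracked addresses is the perimeter's job
        if src_seg != dst_seg and f["dport"] not in ALLOWED.get((src_seg, dst_seg), set()):
            findings.append(("segment_violation", f["src"], f["dst"], f["dport"]))
        peers[(f["src"], f["dport"])].add(f["dst"])
    for (src, dport), dsts in sorted(peers.items()):
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(("fanout", src, dport, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS.splitlines()):
        print(finding)
```

Run against the constructed records it reports the two policy violations from the workstation and its fan-out to seven distinct hosts on port 445, while the permitted user-to-server web traffic, the management SSH session and the external DNS lookup produce nothing. The policy table and the fan-out threshold are exactly the kind of thing to rehearse: change a segment boundary or lower the threshold and re-run before an incident, not during one.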