What Squid Game Reminds Us About Cybersecurity

October 28, 2021 CyberArk Blog Team

What Squid Game Reminds Us About Cybersecurity

This Halloween, you’re likely to see a lot of green tracksuits, thanks to the pop culture juggernaut that is Netflix’s Squid Game. In case you’re still, somehow, in the dark, the South Korean television series is like a mix of Hunger Games and The Running Man, as it follows a desperate group of people lured into playing deadly versions of children’s games like “Red Light, Green Light” and “Tug-of-War” for a slowly increasing pot of money that swells into the billions.

For those in the cybersecurity community, seeing the concept of “survival of the fittest” put through the ringer in such brutal ways strikes a particularly familiar chord (the show itself has even had its own data exposure problems). The climactic (and titular) “squid game” involves one person, the “defender,” trying to prevent another, the “attacker,” from passing through a narrow entry point before they can reach their end goal. Could there be a cybersecurity metaphor more on the nose?

So, in honor of one of the bloodiest, most intense shows you’ll likely watch this Halloween season (take note Michael), here are some cybersecurity takeaways from Squid Game and its varied games. (Spoiler alert: If you haven’t seen the show, you may not want to read past this line until you do.)

“Red Light, Green Light” and the Importance of Permission and Privilege

It’s a schoolyard classic — one player stands with their back to the others and says, “green light,” prompting players to traverse as much ground toward a designated finish line as possible. Upon hearing the “red light” cue, everyone must freeze. The show takes this innocent game to a deadly level, as a (super creepy) robot doll scans players for even the slightest hint of movement, then sets off computer-guided guns to eliminate the disqualified — for good.

Today’s organizations can assume that at least one “player” in their network is inching forward without permission. By enforcing “red lights” and continuously validating the need for individual identities to have access to data and resources, security teams are in a better position to stop attackers from escalating privileges and reaching the finish line to accomplish their goal.

“Dalgona” and Working Smarter Not Harder Against Cyber Threats

In one of Squid Game’s most intense sequences, participants are given dalgona, a common Korean street treat (also known as Ppopgi, which is basically a very brittle candy made of brown sugar and baking soda). Street vendors will impress simple shapes into them, like stars or circles, and ask children to break out the shape without cracking it, which is very difficult to do. In the show, some characters are given triangles, while others are stuck with more complicated shapes, such as umbrellas.

Just like dalgona, cybersecurity systems should be built to slow attackers down: throw in some jagged edges or looped curves like an umbrella handle — anything to add layers of difficulty that inhibit an attacker’s progress and raise red flags faster. These systems should also incorporate ways to automate and simplify security processes. Squid Game’s protagonist Seong Gi-Hun offers a valuable strategy here. By licking the back of the honeycomb candy, he can melt the shape out rather than try to crack it — much like how threat detection and analytics capabilities can speed the process of finding and blocking threat actors to limit, or even prevent, damage.

“Tug Of War” and the Need for Security-Productivity Balance

We’ve all likely played this one. Teams on either end of a long rope try to pull one another over a designated “out of bounds” area. This game of “survival of the fittest” closely mirrors the constantly back-and-forth struggle between attackers and defenders.

Security teams face their own constant tug of war between two directly opposing, yet equally important, needs: one side pulling for stronger security measures to protect the business, the other pulling to speed rollouts and boost user productivity. The only way to win is to act intelligently, not aggressively. “Wins” can be achieved on both sides if  Zero Trust measures are adopted across the entire “game” or cycle of accessing critical assets. That’s where Identity Security solutions come in. For instance, contextual authentication methods can help verify every user is who they claim to be — without making users jump through lots of hoops. And by granting proper permissions the second they’re needed (and taking them away the second they’re not), organizations can more intelligently implement least privilege controls, finally ending the back-and-forth stalemate between security and productivity.

“Marbles” and the Power of (Zero) Trust

In one of the most open-ended games in the series, participants are divided into teams of two. Each is given a bag of 10 marbles and instructed to obtain all their partner’s marbles by any non-violent means. One of the characters, Cho Sang-woo, devises a scheme for him and his partner to both win and his partner trusts him. Bad call, of course: Cho Sang-woo wins by deceit.

Although the least structured of the games in the series, it may be the most direct. This is Zero Trust in human form, a true insider threat. Even if someone appears to be trustworthy, you shouldn’t hand them all of your marbles (let alone one) until they are properly vetted and verified.

“Glass Bridge” and Learning from Early Adoption

Straying from the idea of simple children’s games, the fifth challenge in Squid Game involves a long glass bridge the remaining participants must cross. The challenge is that some of the panels of glass are solid, while others are weak, tempered glass that will shatter instantly and send them tumbling to their deaths.

The impetus to innovate and find new ways to combat threats — in essence, to be the first one to barrel along the glass bridge — can be rewarding, but it can also be treacherous. Getting ahead of advanced threats is the goal but realizing that it can sometimes take time to suss out the needs of your business or organization is also important. Plus, sometimes it takes learning from an attack to properly illuminate the right path forward.

“Squid Game” and Assume Breach

As we mentioned earlier, the titular squid game is something actually played on South Korean playgrounds. Children draw a large diagram in the dirt or sand, resembling a house with a simple square base and a triangular “roof,” separated by a wall with an opening in the middle. Two circles are then drawn on the ends of the diagram. The goal is simple: one team of defenders must keep a team of attackers from getting through the small opening and into their circle at the top of the triangle by any means necessary.

In the digital world, distinct “lines” delineating corporate networks no longer exist. Instead of trying to guard a constantly morphing perimeter, cybersecurity teams are turning inward to protect what matters most. This is when the concept of “assume breach” comes into play (and actually does on the show as well). Defender Cho Sang-woo assumes attacker Seong Gi-Hun will get through the opening and opts to protect the prized circle at all costs, instead of trying to keep him out of bounds.

Although brutal, Squid Game is ultimately (and arguably) a fun exercise in “what would I do in this situation?” for most viewers — with extra resonance for those making a living protecting shifting landscapes, navigating invisible walls and pathways, and snuffing out untrustworthy visitors in the digital world. The wearing of green tracksuits is optional, of course (but be careful with those dalgona in your candy bucket).

 

Previous Article
Why Reporting Cybersecurity Business Impact is About Seeing the Forest from the Trees
Why Reporting Cybersecurity Business Impact is About Seeing the Forest from the Trees

You know when you get stuck sitting next to that one relative who takes forever to tell a story or get to t...

Next Video
The Evolution of PAM - Episode 2: Today (but with lots of 80s references). ‘Teams were just stuck in this continual design process’
The Evolution of PAM - Episode 2: Today (but with lots of 80s references). ‘Teams were just stuck in this continual design process’

Privileged. Access. Management. CyberArk’s Global Technology Office goes Podcast. Episode 2: Today (but wit...