Combating the Insider Threat

Security can be a difficult topic to talk about. This is especially true for organizations combating insider threats. Can social deduction games break the ice? Recently a game called “Among Us” garnered mass popularity across the internet. It’s especially popular among streamers and on video platforms like Twitch and YouTube. The description from the developers tells us to “Join your crewmates in a multiplayer game of teamwork and betrayal!” The basic premise is that as a player, you have a crew. Some of your crew are impostors, trying to sabotage the rest of the team. Meanwhile, the “good” part of the crew is just trying to do their job and get home.

Playing, watching, and theorizing about the game, though, gives off a familiar vibe to a social engineer. The game hints at something we deal with day-to-day. Before we get into the connection, let’s explain a little more about the game and the history of social deduction games.

A Brief History of Social Deduction Games

One of the first successful versions of a social deduction game in modern history is credited to Dimitry Davidoff. Davidoff created the game, called “Mafia” and eventually known as “Werewolf,” reportedly at Moscow State University’s psychology department in 1986. The game is a result of Davidoff attempting to combine psychological research with his teaching duties. These kinds of games include an informed minority (Mafioso, werewolf, impostors) and an uninformed majority (villagers, crewmates, etc.). The premise is usually that those in the know are trying to hide their identities from the innocent parties. They try to eliminate other players, or sabotage players through various means, until only the “villainous” faction is left or they trigger some other game-over condition.

Various versions, such as board games, card games, rulesets for party-games, and video games were spawned in the decades following its initial conception. The concept traveled globally, with video games popularizing it even more. The premise behind most of these games puts a high value on information gathering, deception, and getting people to like and trust you… Starting to sound familiar yet?

Among Us

Among Us is built on a crew of up to 10 people, with one or two of the “crewmates” being “impostors,” or the bad guys. The goal of the impostors is to get rid of the rest of the crew, and they can do this in a few ways. The first way is to simply do it themselves. They have a special action and animation to quickly and discreetly eliminate other crewmates. However, they often try to do so in out-of-the-way areas of the ship, for reasons you’ll learn shortly.

Thirdly, there’s communication in-game, usually through a voice-chat feature. Whenever a body is discovered and reported, or an “emergency meeting” is called, the crew can get together and vote one of the crew members off to eliminate them, impostor or innocent. The meetings themselves are one of the most important parts of the game. This is because, outside of that, the crew can’t talk to each other. It’s one of the few ways to gather information or, in the case of the impostor, spread falsehoods, misinformation, and distrust.

Modeling the Insider Threat

Watching others play the game led to patterns forming. By experimenting in the game, correlations to the security industry become clearer. Specifically, it helps in understanding and dealing with an insider threat, one of the most potentially dangerous issues facing companies today. What is an insider threat? Well, the Department of Homeland Security’s fact sheet defines it as “the potential violation of system security policy by an authorized user.” What that breaks down to is that someone on the inside, an “impostor,” is working against the best interests of a company or organization. But how do you stop it?

To test out a theory, a number of games were played with different online groups: people who knew the social engineer involved to an extent, and people who were mostly strangers. As a crewmate, they had to pay attention to how they both won and lost. In addition, they paid attention to which “sabotage” techniques were the most devastating. They also looked for the most effective ways to figure out who was “sus” (the coined phrase for potential impostors, short for suspicious).

As an impostor, social engineering techniques were applied, such as pretexting as (or playing the role of) a newbie (which indeed they were at first) who needed help or didn’t understand what to do. First, they deliberately made false statements, and happily accepted correction to garner trust. Next, they made themselves appear as harmless as possible, and always had an alibi, fake or not. Then, they learned to describe their tasks instead of utilizing the proper names for them. Lastly, they learned to let the silence hang: to keep quiet and let other people, who kept a higher profile, develop suspicion, while keeping a low profile themselves. Sabotage, though, led to some very interesting conclusions.

Information is King

Some of the most effective players, as both crewmates and impostors, were well-informed. For instance, they knew what the maps looked like and how to get from place to place via both normal routes and secret ones. Additionally, they knew the timing of each task crewmates were supposed to do, and the best order in which to do them. Finally, they used this knowledge intelligently and creatively, both in catching out people who were acting outside of the “norm,” and in elicitation and interrogation during the “meeting” phases of the game. The main takeaway learned from this is that having an understanding of how things were supposed to work gave a player a huge advantage on both sides of the gameplay, but especially as a crewmate.

Controlling people’s attention via sabotage was one of our social engineer’s favorite things to do as an impostor, and one of the best ways they found to do that was to turn off the lights. This limited the information a crewmate could get and allowed an impostor to isolate them in a portion of the map. Once they did that, an impostor basically had free rein to do what they wanted and then pin it on someone else, diverting attention away from themselves as they went to “fix” the lights they had just sabotaged. Also, toward the endgame, some of the cleanest, or most satisfying wins were had by sabotaging the instant-game-over sections and waiting for someone to respond. They had to respond or lose at that point, and you could take advantage of that by preventing someone from ever reaching their destination.

Practical Takeaways for Organizational Security

There were a few things that felt immediately applicable from the lessons learned in this social deduction game.

It is unlikely that you’ll spot a liar by instinct alone. In a conglomeration of studies with over 24,000 participants total, the average accuracy of detection was 54%. Trusting your security teams and hardworking employees to spot deceptive individuals will most likely result in failure. So, what can you do?

    1. Information is King. Your employees, especially management, should be highly aware of your security policies. Your teams should know the “normal” behavior of other departments. They should be educated and informed about what is okay to share, and what is not.
    2. Trust but Verify. When no one could trust or verify one another, the games quickly fell apart and impostors won. The same thing can happen in a company. There needs to be open communication between departments when something suspicious happens. In addition, there needs to be a clear chain for people to report issues, problems, or threats. Ultimately, there also needs to be a way to tell real employees from impostors.
    3. Limit and Monitor Information. What’s true for the impostor is true for the crew. If they don’t have the necessary information, they are less effective in their attacks. Not everyone needs to know every detail of a company’s technical infrastructure. There should be clear demarcations between what departments know, and access to critical information should be monitored and logged.

Approaching Security Together

Security can be a difficult topic for many to understand, and difficult for professionals to explain. Games are a huge part of our culture today, and making connections between security and social deduction games like Among Us can make it more accessible. Use what people know to educate and make your user base more aware. Maybe even get together and play a few rounds so people can see how easy it is to be led astray and deceived. Have fun, learn together, and above all, leave them feeling better for having met you.

Sources
http://www.innersloth.com/gameAmongUs.php
https://www.social-engineer.org/social-engineering/insider-threats-recognize-respond-risk-within/
https://www.dhs.gov/sites/default/files/publications/508_CSD_Insider%20Threat_Onepager_20160303_Final.pdf

Image
http://www.innersloth.com/Images/GAMES/AmongUs/banner_AmongUs.jpg