This tweet got me wondering about parallels between the recent Pokémon GO phenomenon and cybersecurity. Those familiar with the game will be amused at the thought of people showing up at the New York Times to battle fictional creatures on their phones. For those not in the know, this kind of activity can be strange and even unsettling at times. Why are random people coming to my place of business? Who are these people congregating outside my house? And why do I keep hearing someone yell, “Aw man, Magikarp!”
All weirdness aside, how can we relate random people showing up unexpectedly at an office building to the world of cybersecurity?
Pokémon GO is an augmented reality game that turns your mobile device into a portal to another world. Using your phone, you travel around the physical world collecting creatures called pokémon. While capturing pokémon, you check in at landmarks to collect items, stop at gyms to fight and train them, and along the way bump into other players and awkwardly ask if they're playing the game too. (Hoping they know what you’re talking about and don’t give you strange looks.)
Released this past Thursday, Pokémon GO has rocketed to the top of the Apple and Google Play app stores and hit 7.5M downloads by Monday. As you’re going about your regular day, the person next to you may be interacting with the world completely differently and in a way you can’t see and don’t yet understand.
Observe the Situation
In any security scenario, it’s essential that you observe and monitor events. It’s critical that you observe behavior and know the difference between what is expected and what is unexpected. Take note of this scene of a Friday night in a town square:
Seeing this mass of people standing in a large group, it would be natural to question who they are and what they’re doing. The local pharmacy isn’t usually this happening on a Friday night. So you make a few observations based on questions like the following:
- What are the ages of the people? Are the people similar in age?
- What is the typical traffic flow for the area? Is anything abnormal?
- Where do people typically congregate? Is what we’re seeing tonight abnormal?
- What relationship do the people have with their devices? Are they preoccupied with them?
- Are individuals off on their own, or have they formed small groups?
Asking critical questions like these is the first step to understanding an event. At this point, we have observed the scene, and by asking key questions, we have developed a detailed picture of what is going on. Before we an act, however, we need to do a threat assessment.
Perform a Threat Assessment
It’s natural at this point to want to act. Something is happening, and it needs a response. However, until you know more, how can you react appropriately? You’re likely to under react and place your organization at risk, or over react, which will eventually lead to alert fatigue.
Pokemon Go app prompts 'suspicious persons' calls for police https://t.co/ktCIxSIMte— WCVB-TV Boston (@WCVB) July 11, 2016
You must be able to accurately distinguish between benign behavior and malicious behavior in order to take act effectively.
In this case, once you’re able to classify the people as Pokémon GO players, it’s easy to realize that they’re benign:
Or, the individuals could be an annoyance as they congregate at your business and potentially obstruct your paying customers:
At worst, they could be criminal trespassers:
Context — a detailed picture of the event — is the key to determining whether the behavior you’re seeing is a threat or not, and it helps you determine the the level of response to employ. A group of adults clustered in a children’s park, talking on their phones isn’t necessarily a threat, even though it might not be everyday behavior. In contrast, a group roaming a Coast Guard base at night would require a much swifter and more thorough response.
Once you’ve made a threat assessment, it’s time to act — or not act. How many Pokémon GO players might have been spared a visit by the police if those around them had just watched the 11 o’clock news (i.e., critically observed the situation and completed a threat analysis)?
If it is time to act, then choose the correct approach. Do the police need to be called, or is a quick conversation enough to resolve the alert? Think about how you might wake people up to escalate an overnight alert or leave the situation for follow up on the next day. Use your best judgement. Once you have a response, make the action repeatable.
For issues that require no intervention, adjust your monitoring to prevent the issue from interrupting someone in the future. Don’t bother responders when nothing needs to be done (or you’ll risk alert fatigue and desensitizing them to situations that do require action.)
Pokémon GO and Security
So what did we learn from Pokémon GO? When observing a new and unexplained situation, it’s important to assess the situation accurately so you can respond appropriately. When you notice a new phenomenon, it’s critical to first observe — to build a complete understanding of what’s happening. Next, build a threat assessment by gathering details and developing a context that enables you to attach a why to the what that is happening. And then respond appropriately.
Finally, remember this: Threats evolve just like pokémon do! Make sure you’re always training and leveling up to master threats.