4 things ‘Among Us’ can teach security professionals about authentication

December 29, 2020

You’re making good progress on this task. One more data upload and then you’re out of here. But right before you can complete the upload, a klaxon blares. There’s been an attack! Time to head to the meeting room for the usual finger-pointing and scapegoating before the team decides who to jettison from the ship.

Of course, I’m describing a scene from the wildly popular game Among Us. But, I could equally have been describing a day in the life of a security professional.

For the uninitiated, Among Us is a game of suspense and betrayal. Players are crewmates on a spaceship (or a similar fictional venue) and must determine which fellow crewmate among them is a hidden impostor—before they all become victims.

While most security professionals don’t spend their days on a spaceship evading murderous impostors, there are more similarities between their day-to-day activities and the game than you might think. The very conditions that have contributed to Among Us’s breakout success in the pandemic are the same ones that have sent cyber attack numbers soaring.

Maybe you’ve heard Among Us mentioned among colleagues, or perhaps you have kids at home who will be obsessively playing the game during holiday break. Better yet, maybe you’ve actually played the game yourself. Whatever the case, a comparison of the two serves as a useful reminder of the fundamentals of today’s cyberthreat landscape. 

The threat is already inside

The whole point of Among Us is that the attacker is, well, among us—hiding in plain sight. Players quickly learn to trust no one, that anyone could be a threat. That, of course, is the very premise of Zero Trust security. Assume everyone attempting to access your apps or services cannot be trusted until you have authenticated them. Whether they’re coming from outside the network or are already inside, they must be considered equally untrustworthy until proven otherwise. As the perimeter all but disappears amid the shift to remote work, the only option is to adopt a security posture that assumes nothing and authenticates everything.

The bad actor is an impostor

Among Us hinges on pretence. The attacker, of course, is known as the impostor and they must fool other players into believing they are one of them. In order to lure victims into situations where they can strike, the impostor fakes tasks and pretends to be earnestly engaged in the crew’s mission. Just like a hacker launching a phishing attack, the impostor entreats others to take actions that seem innocent but only further their nefarious cause. The victims never discover the impostor’s true identity until it’s too late. As security professionals, it is our constant refrain to users: you must not assume that the sender of the email is who they say they are; you must always be alert to suspicious communications.

Impostors thrive on chaos 

For much of the time in the game, players are alone and not permitted to speak with one another. A meeting is only called when a player finds a victim. Then, players congregate to loudly debate the evidence and make accusations about who the impostor could be. Amid those frenzied discussions, chaos is the impostor’s ally and best chance at pinning the blame on an innocent crewmate who, say, fails to remember exactly which tasks they were performing in the reactor room three minutes ago. Chaos is also the perfect breeding ground for cybersecurity attacks: when users are distracted or confused they are far more likely to fall for a phishing ruse. The current political, economic, and health uncertainties mean security professionals must stay on high alert (as we discuss in this webinar on protecting remote workers).

Attacks derail players from getting work done 

Between attacks, crewmates are engaged in a variety of tasks, which they must finish in order to win the game. The discovery of an attack means players must stop mid-task and head to the meeting room. This unplanned interruption, and ensuing pandemonium, wreaks havoc on the crew’s productivity and is easy to compare to the impact of a cyberattack on an entire company. Unlike in the game, however, a cybersecurity breach takes weeks, months, or even years to recover from. No quick reset and restart option here. 

Among Us has become a runaway success since the pandemic began. It’s not hard to see why. This is a game uniquely appropriate for the circumstances in which we all find ourselves: it is both a suspenseful and engrossing form of escapism and an eerie metaphor for the events that have characterized 2020 so far (as this article in Vice so eloquently explains). It is a game perfectly suited to the current environment, just like the hacking industry, which has flourished since COVID took off, capitalizing on current social dynamics such as remote working, social distancing, anxiety, and fear. The difference, of course, is that cyber attacks are no game. The financial, social, and political repercussions are well known to all of us.

For now though, if you’re in need of some relaxation after a long day fighting cyber attacks, hunting impostors in Among Us might be just the thing you need. Because, like any good security professional, you’re never truly off duty.