My Octopus Infosec Teacher
Dec 20, 2020
We can all learn a lot from nature. Recently I saw the amazing documentary My Octopus Teacher, wherein a diver befriended a common octopus for over a year and showed off some of the amazing survival skills it displayed over that time. An octopus is not the strongest, not the fastest, nor the toughest creature in the ocean. But it is the smartest and the most adaptable. It can use its intelligence and adaptability to outsmart and outmaneuver much tougher creatures. There are many lessons a security-focused organization or a security professional can learn from the common octopus. IT security threats are getting tougher, stronger, and more frequent. As an IT security professional, you may not be tougher, stronger or faster than every threat, but you can be smarter and more adaptable.
Be Adaptable
A snail only has its shell to protect itself. It has no defense against something that can crack or drill through it. An octopus has no shell, but it is not defenseless. It can fit into small cracks, it can pick up rocks to create a protective barrier, it can camouflage itself to hide, it can swim quickly, it can use its arms to walk along the sea floor, and it can attack by engulfing threats in its arms. It may also be able to use tools: octopuses can even be seen carrying a coconut husk into open water as a portable shelter! Don’t be a snail in your IT defense strategy. If a tough outer shell is all you use to defend yourself, there will be threats stronger than you that can crack it. Be adaptable, like an octopus. Have a multifaceted strategy. Use multiple techniques that can mitigate both the external and the internal threats in your threat landscape.
Change Quickly
An octopus has specialized cells in its skin that it can use to change its appearance. It can use chromatophores, iridophores and leucophores in different arrangements to create patterns and any imaginable color. Tiny muscles can also contract and relax to give its skin different textures. This change can happen in a fraction of a second. It can use these changes to blend in with its surroundings or to intimidate its enemies. In the blink of an eye it can go from a boring rock to a poisonous fish! Information security is not a static landscape. Threats are constantly changing, and your competition is always advancing. You can’t afford to be stuck in your ways or be reluctant to change. Always stay up to date on emerging trends and the latest technology. With the rapid pace of progress, even things that had been evaluated in the past may need to be revisited.
Be Playful, Stay Curious
Octopuses are highly intelligent. If they are in a tank without objects to stimulate them, they will become listless and appear bored. They appear to be curious and playful. Divers give anecdotal evidence of seeing them play with objects and air bubbles. Aquarium personnel will give them different toys to explore and will try to find ways to hide food to occupy the octopuses’ attention. Some approach information security in a purely numerical way: they perform audits and check the necessary boxes. Just sticking with this type of rote security is not enough. Don’t be satisfied with just a surface understanding; be curious. A good security researcher must be willing to ask the how and why of security. You also must be willing to experiment, test new technologies and explore new opportunities. This can help to keep you one step ahead.
Be Resilient
An octopus is resilient. If it is hurt, it can regrow limbs. If one of its arms is torn off, after only a few days, a tiny arm can be seen growing where the damaged limb used to be. A whole new arm, just as good as the old one, can regrow in only a couple of months. In IT security, disasters sometimes happen, and they may be out of our control. Be resilient, be prepared for unavoidable failures and be ready to recover. During a disaster is not the time to start planning. A good recovery plan can get you back on your feet quickly, and a well-practiced disaster response can keep the damage to a minimum. So, if disaster does strike, you aren’t left permanently scarred.
Automate, but Pay Attention
Over 2/3rds of an octopus’s total neurons are present in its arms. Studies have shown that an octopus’s arms can operate autonomously; they can move and seek out objects without direct command from the central brain. Its tentacles are always searching the area around the octopus, without the octopus needing to ‘think’ about it. But when they discover something interesting, it turns its attention to the arms and explores the interesting object. With its full attention it can work on the problem in front of it. Automated scanning systems are an important part of a solid security plan. No human being can monitor everything needed in a modern network. Get some extra automated arms to help! These automated tools can be used to catalog devices, search for vulnerable hosts, and find abnormalities. It’s important that the information presented by these automated processes is well calibrated; if they are too noisy an important alert may be overlooked, but if they are not sensitive enough, they may not alert at all.
Air Gap
The octopus is being chased by a shark. The shark is faster and tougher than it is. There is nowhere for the octopus to hide and its attempts to defend itself have failed. Suddenly it does something remarkable to put itself somewhere the shark cannot follow. It uses its arms to climb out of the water and onto a rock where it is safe from the shark. It has, quite literally, put an ‘air gap’ between the threat and itself! Some IT resources need to be protected more than others. Segregating them from other areas of your network may be the best approach. Some ways of accomplishing this are allowing only secure administrative workstations to access core infrastructure components, or utilizing a separate administrative network. It may be that some of your secrets need to be fully isolated on an air-gapped network that cannot be accessed from outside the secure boundary. As another example, a root PKI may be kept powered off, except in extreme circumstances, so that there is no way that it can be compromised by an attacker.
Don’t Trust Your Partners
The octopus is a solitary creature. Octopuses live most of their lives away from other octopuses. But they must come together to mate. When they do, the other octopus may be a threat, so they proceed with caution, never fully trusting or exposing themselves to the other octopus. No IT organization can exist in complete isolation. You will have business partners or use resources from outside vendors or providers. All these should be treated with caution. There are numerous examples of larger corporations being compromised because one of their subsidiaries or smaller partners was not well protected and an attacker was able to exploit that to get to the main business. Your software vendors are another attack vector: flaws or exploits in their code can be used against you. The increasing relevance of supply chain attacks means that even well-intentioned upstream providers may unwittingly give attackers a back door into your systems. Therefore, it is important to not fully trust any solution and to employ additional mitigations against any threat that may come from them. Build a defense-in-depth strategy and audit access logs. Keep your software up to date.
Nature can be one of our greatest teachers. The humble octopus has been fighting and winning in information warfare for thousands of years. If we take its lessons of adaptability, curiosity, resiliency and careful planning to heart, we can better secure our networks against the most dangerous information predators.