Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Keith Graham
Keith Graham

4 Lessons Die Hard Teaches About Combating Cyber Villains

With proper planning, modern approaches, and tools, we can all be heroes in the epic battle against the cyber threat.

This year marked the 30th anniversary of Die Hard's release. Often considered a holiday movie, it set a standard for action films — a lot of high-energy, edge-of-your-seat action scenes, an intense plot (punctuated with humor), a protagonist who saves the day, and possibly one of the greatest cinematic villains of all time.

For those of us in the cybersecurity field, the movie offers uncanny, familiar parallels between the villain's attempted mission and the kinds of cyber threats we see today.

Parallel #1: The "Exceptional Thief" Continues to Evolve

"I am an exceptional thief, Mrs. McClane." — Hans Gruber

Hans Gruber (played by the late Alan Rickman) is a well-organized villain who stays one step ahead of John McClane (played by Bruce Willis) by adjusting his tactics throughout the movie, although he doesn't remain so lucky in the end. While other movie villains fail when the protagonist thwarts their plans, Hans pivots and evolves. 

The evolving tactics reflect centuries of actual criminal history. For example, Butch Cassidy was considered an exceptional thief in the late 19th century, going from town to town, robbing banks, trains, and mine stations for 10 years until he was caught in South America by mounted soldiers. Alan Golder was considered a "Master Thief" under the Genovese crime family who robbed celebrities of their jewels and sold them on the black market.

Exceptional thievery has evolved over time. Like modern-day business, thieves have undergone a digital transformation of their own. For example, today's cyber attackers are well organized, patient, and able to work from home. They are exceptional in stealing and monetizing data and information, and even engaging in espionage and sabotage. 

Parallel #2: Blend in to Breach the Perimeter
What made Die Hard's Gruber stand out was how well organized he was. Gruber had a determined mission, strategy to execute, and contingency plans in place. One example is when he came face to face with McClane and impersonated a hostage to prevent getting caught.

His behavior was not unlike any well-organized attacker. In fact, one of the most effective tactics used by attackers is blending in with normal day-to-day activity, most often through the use of stolen, valid credentials, which can make it difficult to detect an attacker in the network and applications.

The 2017 Verizon Data Breach Report reported that 81% of breaches are due to compromised or stolen credentials. These days, there are a multitude of ways an attacker can penetrate the enterprise and establish a foothold using stolen credentials. They don't even have to orchestrate the complexities of an initial spearphishing attack. Attackers can guess, socially engineer, obtain from the Dark Web, and use malware to obtain valid user credentials. Then they gain access and credentials, escalate privileges, and move laterally within the network among applications and sensitive data until their mission is complete.

To thwart these attacks, organizations are moving beyond passwords and basic two-factor authentication methods. If an attacker has valid credentials — or even a spoofed phone number to receive a second-factor one-time passcode — adaptive authentication and risk analysis could identify a suspicious login attempt from other factors. Those factors include the location of the login, the device being used, or determining whether the IP address is suspicious or malicious. It essentially renders stolen credentials useless.

Parallel #3: Think Like an Attacker
Gruber had clear motives. He wasn't looking for worldwide domination; he sought monetary gain. He wanted to be "sitting on a beach earning 20%," with the Nakatomi Corporation vault his primary target. With good plans and all the resources he needed, he wouldn't make mistakes.

McClane had to outthink and outmaneuver him, just as IT security teams do against cyber threats. They have to think like an attacker in order to understand and reduce the threat surface. Assessments need to be conducted to consider how their organization is a target, what data and sensitive information is stored, how attackers move around the environment, what they would do with that stolen information, which employees or end users are vulnerable, and how attackers could exploit these, and so on.

Conducting risk assessments is a best practice, similar to thinking like an attacker. With advanced penetration testing skills and tools, real-world attack scenarios can be created proactively to test IT infrastructures and uncover risks and vulnerabilities that could lead to an attacker completing their mission. From penetration testing reports, security teams can proceed to actions beginning with patches, to prioritization and remediation plans, leading ultimately to a more secure enterprise.

Parallel #4: Keep Emergency Lines (or the SOC) Clear

Emergency Responder System in Die Hard: "This channel is reserved for emergency calls only."

John McClane: "No kidding, does it sound like I'm ordering a pizza?"

This scene is reminiscent of the security operations center (SOC) of an enterprise. Many of the hundreds and thousands of alerts flooding the SOC lack context around how identities are being misused. This can best be described as looking for multiple moving needles in a barn full of haystacks.

IT security teams are already overwhelmed. They're sifting through too much information to find meaningful data on failed login attempts for remediation, what needs urgent attention, and what constitutes a threat. The M-Trends 2018 report revealed the global dwell time for an attacker is just over 100 days. That's 100 days of presence on a victim's network before even being detected. Interestingly, the first 20 minutes of Die Hard are also action-free.

Today, SOCs are able to laser through floods of information and speed up identification and remediation with advanced threat-detection services. Threat detection is important in providing visibility into activities on the network and endpoint devices that otherwise would go undetected in the noise.

Modern threat-detection services integrate multiple different providers of threat intelligence and threat information to provide greater coverage and protection. Beyond typical IP reputation feeds, effective threat services give the SOC actionable intelligence on a given threat (e.g., actor type, malware family, etc.). IT teams can use this information to aid SOC staff and incident responders alike, so they know what to focus on during an investigation.

Conclusion: We Can All Be John McClane
McClane went on to win (incident responding?!) against the bad guys in four sequels (with another on the way!). We, too, will continue to face many cyber threats. But with the proper planning, modern approaches and tools in place, each of us can protect, detect, and prevent the threats from the Grubers of the world, ensuring our people, data, and information remain safe and secure.

Related Content:

Keith Graham is the chief technology officer at SecureAuth. With 17 years in security, product management, product development and consulting, Graham is recognized as an industry leader in developing adaptive identity security and access control solutions. Today as CTO, he ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version may allow an authenticated user to potentially enable denial of service via local access.