This year marked the 30th anniversary of Die Hard's release. Often considered a holiday movie, it set a standard for action films — a lot of high-energy, edge-of-your-seat action scenes, an intense plot (punctuated with humor), a protagonist who saves the day, and possibly one of the greatest cinematic villains of all time.
For those of us in the cybersecurity field, the movie offers uncanny, familiar parallels between the villain's attempted mission and the kinds of cyber threats we see today.
Parallel #1: The "Exceptional Thief" Continues to Evolve
"I am an exceptional thief, Mrs. McClane." — Hans Gruber
Hans Gruber (played by the late Alan Rickman) is a well-organized villain who stays one step ahead of John McClane (played by Bruce Willis) by adjusting his tactics throughout the movie, although he doesn't remain so lucky in the end. While other movie villains fail when the protagonist thwarts their plans, Hans pivots and evolves.
The evolving tactics reflect centuries of actual criminal history. For example, Butch Cassidy was considered an exceptional thief in the late 19th century, going from town to town, robbing banks, trains, and mine stations for 10 years until he was caught in South America by mounted soldiers. Alan Golder was considered a "Master Thief" under the Genovese crime family who robbed celebrities of their jewels and sold them on the black market.
Exceptional thievery has evolved over time. Like modern-day business, thieves have undergone a digital transformation of their own. For example, today's cyber attackers are well organized, patient, and able to work from home. They are exceptional in stealing and monetizing data and information, and even engaging in espionage and sabotage.
Parallel #2: Blend in to Breach the Perimeter
What made Die Hard's Gruber stand out was how well organized he was. Gruber had a defined mission, a strategy to execute, and contingency plans in place. One example is when he came face to face with McClane and impersonated a hostage to avoid being caught.
His behavior was not unlike any well-organized attacker. In fact, one of the most effective tactics used by attackers is blending in with normal day-to-day activity, most often through the use of stolen, valid credentials, which can make it difficult to detect an attacker in the network and applications.
The 2017 Verizon Data Breach Report reported that 81% of breaches are due to compromised or stolen credentials. These days, there are a multitude of ways an attacker can penetrate the enterprise and establish a foothold using stolen credentials. They don't even have to orchestrate the complexities of an initial spearphishing attack. Attackers can guess credentials, socially engineer them, obtain them from the Dark Web, or use malware to harvest them. Once inside, they collect further credentials, escalate privileges, and move laterally within the network among applications and sensitive data until their mission is complete.
To thwart these attacks, organizations are moving beyond passwords and basic two-factor authentication methods. Even if an attacker has valid credentials — or a spoofed phone number on which to receive a second-factor one-time passcode — adaptive authentication and risk analysis could identify a suspicious login attempt from other factors: the location of the login, the device being used, and whether the IP address is suspicious or known to be malicious. That essentially renders stolen credentials useless.
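The following is an added example, not code from the article or from any product it mentions. It shows the shape of the risk analysis described above: a login whose password (and one-time passcode) already verified is scored on the contextual factors the text names, namely login location, device, and IP reputation. The user profile, device ids, IP addresses, risk weights and thresholds are all constructed placeholders.

```python
"""Adaptive-authentication risk scoring (added example; assumptions marked)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed reputation list standing in for a real threat-intelligence feed.
MALICIOUS_IPS: Set[str] = {"203.0.113.77"}

# Assumed risk weights: a score of 30..69 triggers step-up verification,
# 70 or more denies the login even though the credentials were valid.
WEIGHT_NEW_COUNTRY = 35
WEIGHT_UNKNOWN_DEVICE = 30
WEIGHT_MALICIOUS_IP = 70
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass
class UserProfile:
    """What the system has previously seen for one user."""
    known_countries: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class LoginAttempt:
    user: str
    country: str       # geolocation of the source IP
    device_id: str     # browser/device fingerprint or enrolled device id
    ip: str
    otp_passed: bool   # whether the second-factor code was entered correctly


# Constructed profile for a single (hypothetical) user.
PROFILES: Dict[str, UserProfile] = {
    "mcclane": UserProfile(known_countries={"US"}, known_devices={"laptop-1138"}),
}


def score_login(attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Return a risk score and the contextual factors that contributed to it."""
    profile = PROFILES.get(attempt.user, UserProfile())
    score, reasons = 0, []
    if attempt.country not in profile.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("login from a country not seen before for this user")
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("device not previously enrolled or seen")
    if attempt.ip in MALICIOUS_IPS:
        score += WEIGHT_MALICIOUS_IP
        reasons.append("source IP on malicious reputation list")
    # Deliberately, a correct OTP does not lower the contextual score: a
    # passcode delivered to a spoofed phone number says nothing about who is
    # typing it, so the surrounding context makes the decision.
    return score, reasons


def decide(attempt: LoginAttempt) -> str:
    """Map the score to allow / step_up / deny; a failed OTP is always denied."""
    if not attempt.otp_passed:
        return "deny"
    score, _ = score_login(attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def remember(attempt: LoginAttempt) -> None:
    """After step-up succeeds, learn the context so it counts as normal next time."""
    profile = PROFILES.setdefault(attempt.user, UserProfile())
    profile.known_countries.add(attempt.country)
    profile.known_devices.add(attempt.device_id)


if __name__ == "__main__":
    for a in (
        LoginAttempt("mcclane", "US", "laptop-1138", "198.51.100.10", True),
        LoginAttempt("mcclane", "DE", "phone-2113", "198.51.100.20", True),
        LoginAttempt("mcclane", "US", "laptop-1138", "203.0.113.77", True),
    ):
        print(a.ip, decide(a), score_login(a)[1])
```

The second attempt above carries the right password and passcode but arrives from an unfamiliar country on an unfamiliar device, so it is held for step-up rather than allowed; the third comes from a known device but a listed-malicious address and is refused outright. Once a step-up challenge succeeds, `remember` folds that context into the profile so the same person is not challenged again for the same reason.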
Parallel #3: Think Like an Attacker
Gruber had clear motives. He wasn't looking for worldwide domination; he sought monetary gain. He wanted to be "sitting on a beach earning 20%," with the Nakatomi Corporation vault his primary target. With good plans and all the resources he needed, he wouldn't make mistakes.
McClane had to outthink and outmaneuver him, just as IT security teams do against cyber threats. They have to think like an attacker in order to understand and reduce the threat surface. Assessments need to be conducted to consider how their organization is a target, what data and sensitive information is stored, how attackers move around the environment, what they would do with that stolen information, which employees or end users are vulnerable, and how attackers could exploit these, and so on.
Conducting risk assessments is a best practice, similar to thinking like an attacker. With advanced penetration testing skills and tools, real-world attack scenarios can be created proactively to test IT infrastructures and uncover risks and vulnerabilities that could lead to an attacker completing their mission. From penetration testing reports, security teams can move to action: first patches, then prioritization and remediation plans, and ultimately a more secure enterprise.
Parallel #4: Keep Emergency Lines (or the SOC) Clear
Emergency Responder System in Die Hard: "This channel is reserved for emergency calls only."
John McClane: "No kidding, does it sound like I'm ordering a pizza?"
This scene is reminiscent of the security operations center (SOC) of an enterprise. Many of the hundreds or thousands of alerts flooding the SOC lack context around how identities are being misused. This can best be described as looking for multiple moving needles in a barn full of haystacks.
IT security teams are already overwhelmed. They're sifting through too much information to find what matters: which failed login attempts need remediation, what needs urgent attention, and what constitutes a threat. The M-Trends 2018 report revealed the global dwell time for an attacker is just over 100 days. That's 100 days of presence on a victim's network before even being detected. Interestingly, the first 20 minutes of Die Hard are also action-free.
Today, SOCs are able to laser through floods of information and speed up identification and remediation with advanced threat-detection services. Threat detection is important in providing visibility into activities on the network and endpoint devices that otherwise would go undetected in the noise.
Modern threat-detection services integrate multiple different providers of threat intelligence and threat information to provide greater coverage and protection. Beyond typical IP reputation feeds, effective threat services give the SOC actionable intelligence on a given threat (e.g., actor type, malware family, etc.). IT teams can use this information to aid SOC staff and incident responders alike, so they know what to focus on during an investigation.
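The following is an added example, not code from the article or from any threat-detection service it alludes to. It puts the last three paragraphs together on a small scale: a flood of authentication events is collapsed per source address, each source is enriched from a threat-intelligence record carrying the actor type and malware family the text mentions, and a priority is assigned so that the one source that matters surfaces above the noise of mistyped passwords. The log format, log lines, IP addresses, intelligence records and thresholds are all constructed.

```python
"""SOC triage of authentication events (added example; assumptions marked)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed log lines, in chronological order; the format is assumed.
LOG_LINES: List[str] = [
    "2018-12-24T20:15:01Z auth user=mcclane src=198.51.100.5 result=OK",
    "2018-12-24T20:15:30Z auth user=holly src=203.0.113.77 result=FAIL",
    "2018-12-24T20:15:41Z auth user=holly src=203.0.113.77 result=FAIL",
    "2018-12-24T20:15:52Z auth user=holly src=203.0.113.77 result=FAIL",
    "2018-12-24T20:16:03Z auth user=holly src=203.0.113.77 result=OK",
    "2018-12-24T20:17:10Z auth user=ellis src=192.0.2.10 result=FAIL",
    "2018-12-24T20:17:11Z auth user=takagi src=192.0.2.10 result=FAIL",
    "2018-12-24T20:17:12Z auth user=argyle src=192.0.2.10 result=FAIL",
    "2018-12-24T20:17:13Z auth user=powell src=192.0.2.10 result=FAIL",
    "2018-12-24T20:17:14Z auth user=theo src=192.0.2.10 result=FAIL",
    "2018-12-24T20:18:00Z auth user=mcclane src=198.51.100.9 result=FAIL",
    "2018-12-24T20:18:09Z auth user=mcclane src=198.51.100.9 result=OK",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed intelligence feed keyed by IP; values are placeholders, not real actors.
THREAT_INTEL: Dict[str, Dict[str, str]] = {
    "203.0.113.77": {"actor_type": "financially motivated",
                     "malware_family": "placeholder-stealer"},
}

FAILURE_BURST = 3   # assumed: failures before a following success is suspicious
SPRAY_USERS = 3     # assumed: distinct users from one source that suggests spraying


@dataclass
class SourceSummary:
    failures: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)
    success_after_burst: bool = False
    intel: Optional[Dict[str, str]] = None


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse well-formed lines; skip anything the regex rejects."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, SourceSummary]:
    """Collapse per-event noise into one record per source address, then enrich."""
    summaries: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for ev in events:
        s = summaries[ev["src"]]
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            if s.failures >= FAILURE_BURST:
                s.success_after_burst = True
            s.successes += 1
    for src, s in summaries.items():
        s.intel = THREAT_INTEL.get(src)   # enrichment: actor type, malware family
    return dict(summaries)


def priority(s: SourceSummary) -> str:
    """Rank a source so the analyst knows what to look at first."""
    if s.intel is not None and s.successes:
        return "P1"   # known-bad source that got in: investigate now
    if s.success_after_burst:
        return "P2"   # a burst of failures followed by success: likely guessed
    if s.failures >= FAILURE_BURST or len(s.users) >= SPRAY_USERS:
        return "P3"   # spraying or brute force that has not succeeded
    return "P4"       # ordinary activity, including a single mistyped password


def triage(lines: List[str]) -> Dict[str, str]:
    return {src: priority(s) for src, s in summarize(parse(lines)).items()}


if __name__ == "__main__":
    summaries = summarize(parse(LOG_LINES))
    for src, s in sorted(summaries.items(), key=lambda kv: priority(kv[1])):
        ctx = f" intel={s.intel}" if s.intel else ""
        print(priority(s), src, f"fail={s.failures} ok={s.successes} users={len(s.users)}{ctx}")
```

Of the four sources, only 203.0.113.77 reaches P1: it is the one with a successful login and an intelligence record attached, so the analyst opens it with the actor type and malware family already in hand. The five-user spray from 192.0.2.10 is real but unsuccessful and lands at P3, while the single mistyped password from 198.51.100.9 stays at P4 instead of becoming one more alert in the haystack.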
Conclusion: We Can All Be John McClane
McClane went on to win (incident responding?!) against the bad guys in four sequels (with another on the way!). We, too, will continue to face many cyber threats. But with the proper planning, modern approaches and tools in place, each of us can protect, detect, and prevent the threats from the Grubers of the world, ensuring our people, data, and information remain safe and secure.