10:00 AM
Orion Cassetto

Breaches Are Coming: What Game of Thrones Teaches about Cybersecurity

Whether you're Lord Commander of the Night's Watch or the CISO of a mainstream business, it's not easy to defend against a constantly evolving threat that is as deadly as an army of White Walkers.

**Warning - potential spoiler alert**

The popular Game of Thrones series starts with the ominous warning that “Winter is Coming,” and in the mythical Westeros, children are raised hearing stories of "the Long Night," a winter that happened thousands of years ago and supposedly lasted a generation. It was during this Long Night that man first encountered the White Walkers, an ancient race of ice creatures looking to devour all things good and cover the lands in ice and snow.

In the far less fantastic world in which you and I live today, there is also a growing threat. Like the White Walkers, this threat is the subject of countless stories which haunt the nightmares of modern CISOs: security breaches. Before you scoff, let me point out that mega hacks like Target and Home Depot were so serious that everyday non-security people changed their buying habits. The repeated occurrence of huge, public data breaches, the increasingly stringent compliance regulations, and the brand reputational damages associated with breaches are just a few of the things that have elevated cybersecurity from an afterthought to a board-level discussion.

Even scarier, like the White Walkers, security breaches and the hackers causing them show no sign of going away.

Of the many qualities that make the White Walkers such formidable opponents, one stands out as the most impactful: their ability to reanimate corpses of the dead as soldiers in their army. The ramification of this necromancy is a positive feedback loop which has enabled the White Walkers to amass a staggering number of undead troops.  As their numbers swell, their ability to combat the living increases, thus producing more dead that join the ranks.

Likewise, security breaches are also growing. According to data from the last several Verizon Data Breach Investigation Reports, the annual number of security breaches has grown from 759 in 2011 to 1,935 in 2017. This works out to be an average annual growth rate of roughly 22%. There are scores of factors influencing this steady rise in data breaches, among them: a growing sprawl of software available to consumers (which may potentially contain security coding flaws), the fact that more and more devices are connected to the Internet (and thus potential targets), and that human users are still the weakest link in the security equation because they often ignore 'light lifting' security measures like updating passwords.

Game of Thrones seasons one through seven conveniently line up perfectly with this period of time, so we can actually attempt to map data between the series and the DBIR report. While Verizon has a soundly scientific methodology for determining what counts as a data breach and how many occur each year, the actions of White Walkers and their undead servants are not so cut-and-dried. With that said, we do get hints about the White Walkers with each season that we can use to draw some totally subjective conclusions. And if we overlay our totally scientific data with our wildly subjective GoT data, we get the following chart.

Image Source: Exabeam

You might disagree with my analysis of the WW army growth trends, but what I’m sure that we both can agree on is that the army is growing rapidly and poses an ever-present threat to the North. That brings me to my next point: what to do about these security threats?

Prepare for the Worst

It might be the case that The Wall will hold off the White Walkers forever. Alternatively, it may only buy the poor folk of Westeros some time before they join the ranks of the undead. In other words, the longstanding defense mechanisms put in place by the IT security teams of yore (i.e. firewalls, access controls, WAF, etc.) might stave off cyber attackers or they might simply slow them down.

Whether you’re the Lord Commander of the Night’s Watch or CISO of a tech upstart or mainstream business, it’s your job to prepare your organization to defend itself against hackers and threats. You’ll need to understand your adversary, pool and distribute your resources, and invest in the people, processes, and technology necessary to combat the peril your organization is facing. 

Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize ...
User Rank: Strategist
8/14/2017 | 1:14:56 PM
What GOT teaches...
"Winter is here".
User Rank: Apprentice
8/15/2017 | 9:44:23 AM
They deserved what they got
I read that the administrator passwords were stolen. Why is any enterprise still using passwords (and not one-time-password tokens)? Even ssh keys might have helped.
User Rank: Strategist
8/17/2017 | 11:15:45 AM
Re: What GOT teaches...
As the people of the world prepared for white walkers, so also must the CISO prepare for cyber attacks. It will come. With the ransom demands from HBO, more will come. What HBO needs to do is to protect itself from more invasion or penetration into its business. They need to upgrade themselves by teaching their employees Cyber Security Education as to protect them from further nightmares. We live in a digital world now, where anything can be accessed from anywhere in the world. It takes only a keyboard to do irreparable damage to business and people's lives. They need to create a Framework to protect from external aggressions. Such a framework could be:

1. Developing a contingency plan.

2. Risk assessment

3. Preparation

4. Detection

5. Containment

6. Eradication

7. Recovery.

8. Post incident.


Joe Stanganelli
User Rank: Ninja
8/23/2017 | 8:43:02 PM
Paying attention, being prepared
Winter is coming and related GoT lessons ultimately come down to paying attention to what's happening and what's been happening -- and being prepared accordingly.


I wrote a similar piece recently on CIO lessons from Game of Thrones. One of my takeaways discussed the unfortunate decision by Daenerys and Tyrion to send poorly secured Greyjoy ships with key allies to Dorne when they knew Euron was out looking for Yara and Theon Greyjoy -- resulting in, effectively, "transmission loss."

Make sure you understand your network pathways and you properly secure your transmissions and your network architecture so you too don't lose key packets. ;)
Joe Stanganelli
User Rank: Ninja
8/23/2017 | 8:49:26 PM
Re: What GOT teaches...
@jimmy: I think that too many frameworks place not enough attention on the post-incident -- response and recovery. The NIST Cybersecurity Framework particularly comes to mind, where there are far fewer aspects and standards tied to the "Respond" and "Recover" branches compared to the other three branches (Identify, Protect, and Detect). While security should be proactive over reactionary, there are always more things to do and things to learn from incidents in the post-mortem.
User Rank: Apprentice
8/28/2017 | 4:04:45 PM
Re: What GOT teaches...
@Jimmy - I agree. That's a pretty solid framework.

@Joe - I also agree that we need more emphasis on response and remediation. Returning to our analogy from the article...

**Spoiler alert - if you haven't watched the Season 7 finale, read no further** 

Now that part of the Wall has come down, the North is in dire need of response and recovery.

Security teams would do well to start investing in automation for the back half of the framework you laid out. Items 5 through 8 have lots of manual steps. Automation, data science, and ML may be able to help amplify analyst post-incident productivity.