Vulnerabilities / Threats //

Insider Threats

8/24/2017
01:00 PM
Orion Cassetto
Orion Cassetto
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

GoT & the Inside Threat: Compromised Insiders Make Powerful Adversaries

What Game of Thrones' Arya Stark and the Faceless Men can teach security pros about defending against modern malware and identity theft.

**Warning: Potential Spoilers for Game of Thrones**

Let's assume for a moment that you're not a security practitioner, at least not in the cyber sense, and instead you're the Commander of the Guards at one of the many forts or castles that pepper the landscape of Westeros. The local lord (hopefully not a Lannister) has charged you with protecting the castle and its inhabitants from various threats, including the occasional band of raiders, drunken ruffians, and their ilk, and even opposing armies. In each case, you've used your past experiences to accurately assess the threat you're facing, select the appropriate countermeasures, and dispatch your foes.   

Typically this boils down to:

  1. Using past experiences to predict your potential exposure or vulnerability
  2. Preventing attacks by fortifying your castle's defense mechanisms (walls, gates, moats, etc.)
  3. Putting in place detection mechanisms such as guards and scouts to sound alarms when threats are discovered
  4. Having troops available to respond to threats as needed

Interestingly, modern security personnel follow an eerily similar methodology for addressing cyberthreats, except that they've added the word "fire" to their "walls" and replaced drawbridges and gates with usernames and passwords. Sounds great, right?  Almost. Except for what happens when the threat comes from a trusted party. 

Stolen Credentials Enable Fabulous Attacks
To illustrate the danger compromised insiders pose to an organization, let's discuss Arya Stark's storyline. In season five, Arya embarked upon a journey to the House of Black and White in Braavos to train with the Faceless Men, a powerful guild of assassins with the unique ability to steal the faces (and identities) of their victims. This ability lets the faceless men mask their activities and go undetected until they reach their ultimate targets.  

Source: Orion Cassetto, Exabeam
Source: Orion Cassetto, Exabeam

 

Traditional Security Doesn’t Stand A Chance
Passwords, gates, moats and firewalls, are all designed to keep the bad guys out. They may be great at keeping Wildlings out of your castle, but cease to be effective if the threat comes from the inside; from your employees, allies, or bannermen. Most security solutions — modern or otherwise — have no graceful answer for insider threats. These attacks prove just as difficult for today's security teams as they would be for the guards of the best-fortified castle in Westeros. Why is that?

Compromised insider attacks use legitimate credentials, leverage known devices, and make use of valid access privileges. When hackers use stolen credentials or a compromised machine, the attack appears normal from the point of view of point security products. "Legitimate" behavior doesn't trip alarms and it doesn't create security alerts that can be investigated. This situation is further compounded when lateral movement is involved because one part of the attack might use one identity or machine, while the other part of any attack may leverage a different identity, IP address, or device. 

A strong parallel can be drawn between the tactics of the Faceless Men and modern malware. For those unfamiliar, malware means "malicious software," and it includes a wide variety of nefarious programs including viruses, worms, ransomware, Trojans, and more. What all malware has in common is that it is programmed to take control of resources such as machines, credentials, and accounts, and then use them to do the bidding of the attacker. Similar to the tactic of the Faceless Men, stolen credentials and machines often are used to freely navigate through a corporate network looking for high-value targets and sensitive data. These attacks are difficult to detect because they leverage legitimate identities and access privileges to do their dirty work. In other words, by stealing the identity of someone with the gate key, malware can walk freely through the castle instead of spending time trying to break down the gate.

How Compromised Insiders Leverage Lateral Movement
To get a better understanding of the similarities between the Faceless Men and compromised insiders, let's compare the attack chain of Arya with Barbara, an employee who has been infected with malware. 

Source: Exabeam
Source: Exabeam

Observing Behavior May Still Prove Effective
While hackers may disguise their attacks with legitimate credentials and access privileges, they still can be uncovered by understanding how users normally behave and by looking for anomalous activity. For example, is it normal for the stable boy to raid the armory at night, or your HR coordinator to login remotely from Ukraine and back up the payroll database? Maybe the stable boy needs a knife to pry off a horseshoe, or perhaps this midnight trip to the armory is a sign that Arya or Jaqen is plotting their next move.

By using machine learning and data science to baseline the behavior of all users and machines in an organization, it's possible to automatically identify risky, anomalous behavior that may indicate a threat. This approach provides security teams — or guards — the ability to automatically detect compromised users even if the attacker is using advanced tactics such as lateral movement or stolen faces.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2017 | 6:54:24 PM
Re: Authorization
@Dr.T: Sure, but Waldur Frey was the head of House Frey -- in effect, the CEO/Chairman.

Who's going to deny authorization to the CEO?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2017 | 6:53:00 PM
Re: Spoiler alert
I once saw Zombie Ice Dragon open for Peter Frampton.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2017 | 1:20:43 PM
Re: Wonderful Story about Patton
Of course, fearing the "trouble" from internal teams/people more than the "trouble" from outside threats/"enemies" can be quite dangerous for an organization's security posture. Shadow IT comes to mind -- particularly where employees are reluctant to self-report for fear of retribution up to and including termination.
Exabeam_Orion
50%
50%
Exabeam_Orion,
User Rank: Apprentice
8/29/2017 | 1:19:31 PM
Re: Spoiler alert
@ Joe - No, not really ice, but "Zombie Ice-Dragon" has a little "Je ne sais quoi".

It rolls off the tongue in ways that "Undead, ultra hot blue-fire breathing dragon" doesn't. ;)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2017 | 1:03:40 PM
Re: Spoiler alert
@exabeam: Tons, I imagine.

1) Be ready for anything.

2) Beware the dangers of offensive security, a.k.a. "hacking back"

3) Prioritize and protect anything proprietary lest you suffer the ill effects of reverse engineering.

That's just off the top of my head!

Are they "ice"? I couldn't tell if it was ice, really hot blue fire, or a some kind of fire/ice combination.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:39:25 PM
machine learning
Machine learning is a great idea to to minimize insider threats, it would not be possible to identify it otherwise.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:37:45 PM
Re: Spoiler alert
"zombei ice dragons! " Yes, that is true, we may be able to apply the same analogy.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:36:49 PM
Re: Wonderful Story about Patton
"Don't bother that man anymore, he knows how to do his job." That makes sense. Awareness is the key.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:34:49 PM
Re: Spoiler alert
"possible theories as to what last episode's events might possibly be building up" Wondering the same things, this is a good analogy tough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:32:54 PM
Authorization
For insider threats; in addition to authentication one can apply authorization strategies so not everybody gets everything but only what they need. That may minimize the threat.
Page 1 / 2   >   >>
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.