Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

8/24/2017
01:00 PM
Orion Cassetto
Orion Cassetto
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

GoT & the Inside Threat: Compromised Insiders Make Powerful Adversaries

What Game of Thrones' Arya Stark and the Faceless Men can teach security pros about defending against modern malware and identity theft.

**Warning: Potential Spoilers for Game of Thrones**

Let's assume for a moment that you're not a security practitioner, at least not in the cyber sense, and instead you're the Commander of the Guards at one of the many forts or castles that pepper the landscape of Westeros. The local lord (hopefully not a Lannister) has charged you with protecting the castle and its inhabitants from various threats, including the occasional band of raiders, drunken ruffians, and their ilk, and even opposing armies. In each case, you've used your past experiences to accurately assess the threat you're facing, select the appropriate countermeasures, and dispatch your foes.   

Typically this boils down to:

  1. Using past experiences to predict your potential exposure or vulnerability
  2. Preventing attacks by fortifying your castle's defense mechanisms (walls, gates, moats, etc.)
  3. Putting in place detection mechanisms such as guards and scouts to sound alarms when threats are discovered
  4. Having troops available to respond to threats as needed

Interestingly, modern security personnel follow an eerily similar methodology for addressing cyberthreats, except that they've added the word "fire" to their "walls" and replaced drawbridges and gates with usernames and passwords. Sounds great, right?  Almost. Except for what happens when the threat comes from a trusted party. 

Stolen Credentials Enable Fabulous Attacks
To illustrate the danger compromised insiders pose to an organization, let's discuss Arya Stark's storyline. In season five, Arya embarked upon a journey to the House of Black and White in Braavos to train with the Faceless Men, a powerful guild of assassins with the unique ability to steal the faces (and identities) of their victims. This ability lets the faceless men mask their activities and go undetected until they reach their ultimate targets.  

 

Traditional Security Doesn’t Stand A Chance
Passwords, gates, moats and firewalls, are all designed to keep the bad guys out. They may be great at keeping Wildlings out of your castle, but cease to be effective if the threat comes from the inside; from your employees, allies, or bannermen. Most security solutions — modern or otherwise — have no graceful answer for insider threats. These attacks prove just as difficult for today's security teams as they would be for the guards of the best-fortified castle in Westeros. Why is that?

Compromised insider attacks use legitimate credentials, leverage known devices, and make use of valid access privileges. When hackers use stolen credentials or a compromised machine, the attack appears normal from the point of view of point security products. "Legitimate" behavior doesn't trip alarms and it doesn't create security alerts that can be investigated. This situation is further compounded when lateral movement is involved because one part of the attack might use one identity or machine, while the other part of any attack may leverage a different identity, IP address, or device. 

A strong parallel can be drawn between the tactics of the Faceless Men and modern malware. For those unfamiliar, malware means "malicious software," and it includes a wide variety of nefarious programs including viruses, worms, ransomware, Trojans, and more. What all malware has in common is that it is programmed to take control of resources such as machines, credentials, and accounts, and then use them to do the bidding of the attacker. Similar to the tactic of the Faceless Men, stolen credentials and machines often are used to freely navigate through a corporate network looking for high-value targets and sensitive data. These attacks are difficult to detect because they leverage legitimate identities and access privileges to do their dirty work. In other words, by stealing the identity of someone with the gate key, malware can walk freely through the castle instead of spending time trying to break down the gate.

How Compromised Insiders Leverage Lateral Movement
To get a better understanding of the similarities between the Faceless Men and compromised insiders, let's compare the attack chain of Arya with Barbara, an employee who has been infected with malware. 

Observing Behavior May Still Prove Effective
While hackers may disguise their attacks with legitimate credentials and access privileges, they still can be uncovered by understanding how users normally behave and by looking for anomalous activity. For example, is it normal for the stable boy to raid the armory at night, or your HR coordinator to login remotely from Ukraine and back up the payroll database? Maybe the stable boy needs a knife to pry off a horseshoe, or perhaps this midnight trip to the armory is a sign that Arya or Jaqen is plotting their next move.

By using machine learning and data science to baseline the behavior of all users and machines in an organization, it's possible to automatically identify risky, anomalous behavior that may indicate a threat. This approach provides security teams — or guards — the ability to automatically detect compromised users even if the attacker is using advanced tactics such as lateral movement or stolen faces.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/25/2017 | 7:28:11 PM
Spoiler alert
@Orion: Great minds think alike: This analogy is exactly what has been on my mind this season with Arya and her storylines, and I've remarked on the same when watching the show.

(It's been even more on my mind of late with recent events and possible theories as to what last episode's events might possibly be building up to.)
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/28/2017 | 11:11:26 AM
Wonderful Story about Patton
During the 1930s he was taking a night walk around his command with an aide when they came upon a sentry.  (Call that the sentry the firewall).  While Patton watched in the dark, the aide came to the sentry and asked "Soldier, where you do expect trouble to come from?"   The sentry saluted, turned and pointed INSIDE the compound.  Astonished, the aide asked "Why?"  The sentry quickly responded " Sir, you asked where trouble would come from - that is different fron where the enemy would come from.  I know sir that if I failed to do my job, the commanding officer of the post (pointed inside) would come at me with a ton of trouble.  Sir"  Patton roared with laughter and said "Don't bother that man anymore, he knows how to do his job."
Exabeam_Orion
50%
50%
Exabeam_Orion,
User Rank: Apprentice
8/28/2017 | 12:37:38 PM
Re: Spoiler alert
@Joe -I love it.  Now if we can only come up with a proper security analogy for zombei ice dragons! ;)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:32:54 PM
Authorization
For insider threats; in addition to authentication one can apply authorization strategies so not everybody gets everything but only what they need. That may minimize the threat.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:34:49 PM
Re: Spoiler alert
"possible theories as to what last episode's events might possibly be building up" Wondering the same things, this is a good analogy tough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:36:49 PM
Re: Wonderful Story about Patton
"Don't bother that man anymore, he knows how to do his job." That makes sense. Awareness is the key.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:37:45 PM
Re: Spoiler alert
"zombei ice dragons! " Yes, that is true, we may be able to apply the same analogy.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:39:25 PM
machine learning
Machine learning is a great idea to to minimize insider threats, it would not be possible to identify it otherwise.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2017 | 1:03:40 PM
Re: Spoiler alert
@exabeam: Tons, I imagine.

1) Be ready for anything.

2) Beware the dangers of offensive security, a.k.a. "hacking back"

3) Prioritize and protect anything proprietary lest you suffer the ill effects of reverse engineering.

That's just off the top of my head!

Are they "ice"? I couldn't tell if it was ice, really hot blue fire, or a some kind of fire/ice combination.
Exabeam_Orion
50%
50%
Exabeam_Orion,
User Rank: Apprentice
8/29/2017 | 1:19:31 PM
Re: Spoiler alert
@ Joe - No, not really ice, but "Zombie Ice-Dragon" has a little "Je ne sais quoi".

It rolls off the tongue in ways that "Undead, ultra hot blue-fire breathing dragon" doesn't. ;)
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13842
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
CVE-2020-13843
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
CVE-2020-13839
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
CVE-2020-13840
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
CVE-2020-13841
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).