Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

8/24/2017
01:00 PM
Orion Cassetto
Orion Cassetto
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

GoT & the Inside Threat: Compromised Insiders Make Powerful Adversaries

What Game of Thrones' Arya Stark and the Faceless Men can teach security pros about defending against modern malware and identity theft.

**Warning: Potential Spoilers for Game of Thrones**

Let's assume for a moment that you're not a security practitioner, at least not in the cyber sense, and instead you're the Commander of the Guards at one of the many forts or castles that pepper the landscape of Westeros. The local lord (hopefully not a Lannister) has charged you with protecting the castle and its inhabitants from various threats, including the occasional band of raiders, drunken ruffians, and their ilk, and even opposing armies. In each case, you've used your past experiences to accurately assess the threat you're facing, select the appropriate countermeasures, and dispatch your foes.   

Typically this boils down to:

  1. Using past experiences to predict your potential exposure or vulnerability
  2. Preventing attacks by fortifying your castle's defense mechanisms (walls, gates, moats, etc.)
  3. Putting in place detection mechanisms such as guards and scouts to sound alarms when threats are discovered
  4. Having troops available to respond to threats as needed

Interestingly, modern security personnel follow an eerily similar methodology for addressing cyberthreats, except that they've added the word "fire" to their "walls" and replaced drawbridges and gates with usernames and passwords. Sounds great, right?  Almost. Except for what happens when the threat comes from a trusted party. 

Stolen Credentials Enable Fabulous Attacks
To illustrate the danger compromised insiders pose to an organization, let's discuss Arya Stark's storyline. In season five, Arya embarked upon a journey to the House of Black and White in Braavos to train with the Faceless Men, a powerful guild of assassins with the unique ability to steal the faces (and identities) of their victims. This ability lets the faceless men mask their activities and go undetected until they reach their ultimate targets.  

Source: Orion Cassetto, Exabeam
Source: Orion Cassetto, Exabeam

 

Traditional Security Doesn’t Stand A Chance
Passwords, gates, moats and firewalls, are all designed to keep the bad guys out. They may be great at keeping Wildlings out of your castle, but cease to be effective if the threat comes from the inside; from your employees, allies, or bannermen. Most security solutions — modern or otherwise — have no graceful answer for insider threats. These attacks prove just as difficult for today's security teams as they would be for the guards of the best-fortified castle in Westeros. Why is that?

Compromised insider attacks use legitimate credentials, leverage known devices, and make use of valid access privileges. When hackers use stolen credentials or a compromised machine, the attack appears normal from the point of view of point security products. "Legitimate" behavior doesn't trip alarms and it doesn't create security alerts that can be investigated. This situation is further compounded when lateral movement is involved because one part of the attack might use one identity or machine, while the other part of any attack may leverage a different identity, IP address, or device. 

A strong parallel can be drawn between the tactics of the Faceless Men and modern malware. For those unfamiliar, malware means "malicious software," and it includes a wide variety of nefarious programs including viruses, worms, ransomware, Trojans, and more. What all malware has in common is that it is programmed to take control of resources such as machines, credentials, and accounts, and then use them to do the bidding of the attacker. Similar to the tactic of the Faceless Men, stolen credentials and machines often are used to freely navigate through a corporate network looking for high-value targets and sensitive data. These attacks are difficult to detect because they leverage legitimate identities and access privileges to do their dirty work. In other words, by stealing the identity of someone with the gate key, malware can walk freely through the castle instead of spending time trying to break down the gate.

How Compromised Insiders Leverage Lateral Movement
To get a better understanding of the similarities between the Faceless Men and compromised insiders, let's compare the attack chain of Arya with Barbara, an employee who has been infected with malware. 

Source: Exabeam
Source: Exabeam

Observing Behavior May Still Prove Effective
While hackers may disguise their attacks with legitimate credentials and access privileges, they still can be uncovered by understanding how users normally behave and by looking for anomalous activity. For example, is it normal for the stable boy to raid the armory at night, or your HR coordinator to login remotely from Ukraine and back up the payroll database? Maybe the stable boy needs a knife to pry off a horseshoe, or perhaps this midnight trip to the armory is a sign that Arya or Jaqen is plotting their next move.

By using machine learning and data science to baseline the behavior of all users and machines in an organization, it's possible to automatically identify risky, anomalous behavior that may indicate a threat. This approach provides security teams — or guards — the ability to automatically detect compromised users even if the attacker is using advanced tactics such as lateral movement or stolen faces.

Related Content:

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
8/25/2017 | 7:28:11 PM
Spoiler alert
@Orion: Great minds think alike: This analogy is exactly what has been on my mind this season with Arya and her storylines, and I've remarked on the same when watching the show.

(It's been even more on my mind of late with recent events and possible theories as to what last episode's events might possibly be building up to.)
Exabeam_Orion
50%
50%
Exabeam_Orion,
User Rank: Apprentice
8/28/2017 | 12:37:38 PM
Re: Spoiler alert
@Joe -I love it.  Now if we can only come up with a proper security analogy for zombei ice dragons! ;)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:37:45 PM
Re: Spoiler alert
"zombei ice dragons! " Yes, that is true, we may be able to apply the same analogy.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2017 | 1:03:40 PM
Re: Spoiler alert
@exabeam: Tons, I imagine.

1) Be ready for anything.

2) Beware the dangers of offensive security, a.k.a. "hacking back"

3) Prioritize and protect anything proprietary lest you suffer the ill effects of reverse engineering.

That's just off the top of my head!

Are they "ice"? I couldn't tell if it was ice, really hot blue fire, or a some kind of fire/ice combination.
Exabeam_Orion
50%
50%
Exabeam_Orion,
User Rank: Apprentice
8/29/2017 | 1:19:31 PM
Re: Spoiler alert
@ Joe - No, not really ice, but "Zombie Ice-Dragon" has a little "Je ne sais quoi".

It rolls off the tongue in ways that "Undead, ultra hot blue-fire breathing dragon" doesn't. ;)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2017 | 6:53:00 PM
Re: Spoiler alert
I once saw Zombie Ice Dragon open for Peter Frampton.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:34:49 PM
Re: Spoiler alert
"possible theories as to what last episode's events might possibly be building up" Wondering the same things, this is a good analogy tough.
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/28/2017 | 11:11:26 AM
Wonderful Story about Patton
During the 1930s he was taking a night walk around his command with an aide when they came upon a sentry.  (Call that the sentry the firewall).  While Patton watched in the dark, the aide came to the sentry and asked "Soldier, where you do expect trouble to come from?"   The sentry saluted, turned and pointed INSIDE the compound.  Astonished, the aide asked "Why?"  The sentry quickly responded " Sir, you asked where trouble would come from - that is different fron where the enemy would come from.  I know sir that if I failed to do my job, the commanding officer of the post (pointed inside) would come at me with a ton of trouble.  Sir"  Patton roared with laughter and said "Don't bother that man anymore, he knows how to do his job."
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:36:49 PM
Re: Wonderful Story about Patton
"Don't bother that man anymore, he knows how to do his job." That makes sense. Awareness is the key.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/29/2017 | 1:20:43 PM
Re: Wonderful Story about Patton
Of course, fearing the "trouble" from internal teams/people more than the "trouble" from outside threats/"enemies" can be quite dangerous for an organization's security posture. Shadow IT comes to mind -- particularly where employees are reluctant to self-report for fear of retribution up to and including termination.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:32:54 PM
Authorization
For insider threats; in addition to authentication one can apply authorization strategies so not everybody gets everything but only what they need. That may minimize the threat.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/30/2017 | 6:54:24 PM
Re: Authorization
@Dr.T: Sure, but Waldur Frey was the head of House Frey -- in effect, the CEO/Chairman.

Who's going to deny authorization to the CEO?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/28/2017 | 4:39:25 PM
machine learning
Machine learning is a great idea to to minimize insider threats, it would not be possible to identify it otherwise.
alfredoc.burgess
50%
50%
alfredoc.burgess,
User Rank: Apprentice
2/16/2018 | 11:41:15 PM
Managerial Accounting help
Thanx for sharing such useful post keep it up :)

 
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.