Dark Reading is part of the Informa Tech Division of Informa PLC

Insider Threats

01:00 PM
Orion Cassetto

GoT & the Inside Threat: Compromised Insiders Make Powerful Adversaries

What Game of Thrones' Arya Stark and the Faceless Men can teach security pros about defending against modern malware and identity theft.

**Warning: Potential Spoilers for Game of Thrones**

Let's assume for a moment that you're not a security practitioner, at least not in the cyber sense, and instead you're the Commander of the Guards at one of the many forts or castles that pepper the landscape of Westeros. The local lord (hopefully not a Lannister) has charged you with protecting the castle and its inhabitants from various threats, including the occasional band of raiders, drunken ruffians, and their ilk, and even opposing armies. In each case, you've used your past experiences to accurately assess the threat you're facing, select the appropriate countermeasures, and dispatch your foes.   

Typically this boils down to:

  1. Using past experiences to predict your potential exposure or vulnerability
  2. Preventing attacks by fortifying your castle's defense mechanisms (walls, gates, moats, etc.)
  3. Putting in place detection mechanisms such as guards and scouts to sound alarms when threats are discovered
  4. Having troops available to respond to threats as needed

Interestingly, modern security personnel follow an eerily similar methodology for addressing cyberthreats, except that they've added the word "fire" to their "walls" and replaced drawbridges and gates with usernames and passwords. Sounds great, right?  Almost. Except for what happens when the threat comes from a trusted party. 

Stolen Credentials Enable Fabulous Attacks
To illustrate the danger compromised insiders pose to an organization, let's look at Arya Stark's storyline. In season five, Arya embarked upon a journey to the House of Black and White in Braavos to train with the Faceless Men, a powerful guild of assassins with the unique ability to steal the faces (and identities) of their victims. This ability lets the Faceless Men mask their activities and go undetected until they reach their ultimate targets.


Traditional Security Doesn't Stand A Chance
Passwords, gates, moats, and firewalls are all designed to keep the bad guys out. They may be great at keeping Wildlings out of your castle, but they cease to be effective when the threat comes from the inside: from your employees, allies, or bannermen. Most security solutions, modern or otherwise, have no graceful answer for insider threats. These attacks prove just as difficult for today's security teams as they would be for the guards of the best-fortified castle in Westeros. Why is that?

Compromised insider attacks use legitimate credentials, leverage known devices, and make use of valid access privileges. When attackers use stolen credentials or a compromised machine, each individual action looks normal to point security products, which judge one event at a time. "Legitimate" behavior doesn't trip alarms, and it doesn't create security alerts that can be investigated. The problem is compounded when lateral movement is involved: one part of the attack may use one identity or machine, while another part uses a different identity, IP address, or device, so no single product ever sees the whole chain.

A strong parallel can be drawn between the tactics of the Faceless Men and modern malware. For those unfamiliar, malware means "malicious software," and it includes a wide variety of nefarious programs including viruses, worms, ransomware, Trojans, and more. What all malware has in common is that it is programmed to take control of resources such as machines, credentials, and accounts, and then use them to do the bidding of the attacker. Similar to the tactic of the Faceless Men, stolen credentials and machines often are used to freely navigate through a corporate network looking for high-value targets and sensitive data. These attacks are difficult to detect because they leverage legitimate identities and access privileges to do their dirty work. In other words, by stealing the identity of someone with the gate key, malware can walk freely through the castle instead of spending time trying to break down the gate.

How Compromised Insiders Leverage Lateral Movement
To get a better understanding of the similarities between the Faceless Men and compromised insiders, let's compare Arya's attack chain with that of Barbara, an employee whose machine has been infected with malware.

Observing Behavior May Still Prove Effective
While attackers may disguise their activity behind legitimate credentials and access privileges, they can still be uncovered by understanding how users normally behave and looking for anomalous activity. For example, is it normal for the stable boy to raid the armory at night, or for your HR coordinator to log in remotely from Ukraine and back up the payroll database? Maybe the stable boy needs a knife to pry off a horseshoe, or perhaps this midnight trip to the armory is a sign that Arya or Jaqen is plotting their next move.

By using machine learning and data science to baseline the behavior of all users and machines in an organization, it's possible to automatically identify risky, anomalous behavior that may indicate a threat. This approach provides security teams — or guards — the ability to automatically detect compromised users even if the attacker is using advanced tactics such as lateral movement or stolen faces.
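As an added illustration of the baselining approach described above, and of the lateral-movement problem raised earlier (one part of the attack under one identity, another part under a different identity on the same device), here is a small Python example. It is not from the article and not Exabeam's code: it learns per-user baselines from a constructed set of audit events, scores later events against them, and carries risk across identities when a device that just raised an alert is used to authenticate as a different user shortly afterwards. The field names, the sample events, the weights and the threshold are all assumptions made for the example.

```python
"""Behavior-baseline detection over constructed audit events (example code).

Two checks modelled on the article's examples:
  1. per-user baseline: countries, hours of day, devices and (action, target)
     pairs seen during a learning window; later events that deviate from the
     baseline accumulate risk points.
  2. lateral-movement stitching: when a device that just produced an alert is
     used to authenticate as a *different* user within a short window, that
     second identity inherits extra risk (the stolen face moves with the device).
Field names, weights and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Fields:
# (timestamp, user, device, country or None for internal events, action, target)
EVENTS = [
    # Learning window (before LEARN_UNTIL): Barbara, an HR coordinator
    ("2017-08-01T09:05:00", "barbara", "LT-0412", "US", "login", "vpn"),
    ("2017-08-01T09:30:00", "barbara", "LT-0412", None, "read", "hr-portal"),
    ("2017-08-02T08:55:00", "barbara", "LT-0412", "US", "login", "vpn"),
    ("2017-08-02T14:10:00", "barbara", "LT-0412", None, "read", "hr-portal"),
    ("2017-08-03T09:12:00", "barbara", "LT-0412", "US", "login", "vpn"),
    # Learning window: dba01, who runs the nightly payroll backup
    ("2017-08-01T09:00:00", "dba01", "WS-0077", "US", "login", "vpn"),
    ("2017-08-01T09:10:00", "dba01", "WS-0077", None, "login", "payroll-db"),
    ("2017-08-01T22:00:00", "dba01", "WS-0077", None, "backup", "payroll-db"),
    ("2017-08-02T22:05:00", "dba01", "WS-0077", None, "backup", "payroll-db"),
    # Under review: Barbara's laptop connects from Ukraine at 03:00 and backs
    # up payroll, then the same laptop authenticates as the DBA.
    ("2017-08-25T03:02:00", "barbara", "LT-0412", "UA", "login", "vpn"),
    ("2017-08-25T03:10:00", "barbara", "LT-0412", None, "backup", "payroll-db"),
    ("2017-08-25T03:25:00", "dba01", "LT-0412", None, "login", "payroll-db"),
    # A routine DBA backup on the same day, for comparison
    ("2017-08-25T22:00:00", "dba01", "WS-0077", None, "backup", "payroll-db"),
]

LEARN_UNTIL = datetime(2017, 8, 21)     # events before this build the baseline
ALERT_THRESHOLD = 50
PIVOT_WINDOW = timedelta(hours=1)
WEIGHTS = {"country": 35, "hour": 20, "device": 20, "action": 30, "pivot": 25}


def parse(raw):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    parsed = [(datetime.fromisoformat(ts), u, d, c, a, t) for ts, u, d, c, a, t in raw]
    return sorted(parsed, key=lambda e: e[0])


def build_baselines(events):
    """Per-user sets of what was 'normal' during the learning window."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(),
                                "devices": set(), "actions": set()})
    for ts, user, dev, country, action, target in events:
        if ts >= LEARN_UNTIL:
            continue
        b = base[user]
        if country is not None:
            b["countries"].add(country)
        b["hours"].add(ts.hour)
        b["devices"].add(dev)
        b["actions"].add((action, target))
    return base


def score_event(event, base):
    """Risk points and human-readable reasons for one post-learning event."""
    ts, user, dev, country, action, target = event
    b = base.get(user)
    if b is None:
        return WEIGHTS["country"] + WEIGHTS["device"], ["user has no baseline"]
    points, reasons = 0, []
    if country is not None and country not in b["countries"]:
        points += WEIGHTS["country"]; reasons.append(f"new country {country}")
    if ts.hour not in b["hours"]:
        points += WEIGHTS["hour"]; reasons.append(f"unusual hour {ts.hour:02d}:00")
    if dev not in b["devices"]:
        points += WEIGHTS["device"]; reasons.append(f"new device {dev}")
    if (action, target) not in b["actions"]:
        points += WEIGHTS["action"]; reasons.append(f"first {action} on {target}")
    return points, reasons


def detect(raw):
    """Return alerts as (timestamp, user, device, points, reasons).

    Risk is stitched across identities: if a device produced an alert and is
    then used by a different user within PIVOT_WINDOW, the second user's event
    gets the pivot weight even when it looks ordinary on its own.
    """
    events = parse(raw)
    base = build_baselines(events)
    risky_device = {}   # device -> (timestamp, user) of its latest alert
    alerts = []
    for ev in events:
        ts, user, dev = ev[0], ev[1], ev[2]
        if ts < LEARN_UNTIL:
            continue
        points, reasons = score_event(ev, base)
        prior = risky_device.get(dev)
        if prior and prior[1] != user and ts - prior[0] <= PIVOT_WINDOW:
            mins = int((ts - prior[0]).total_seconds() // 60)
            points += WEIGHTS["pivot"]
            reasons.append(f"device {dev} raised an alert as {prior[1]} {mins} min earlier")
        if points >= ALERT_THRESHOLD:
            alerts.append((ts, user, dev, points, reasons))
            risky_device[dev] = (ts, user)
    return alerts


if __name__ == "__main__":
    for ts, user, dev, points, reasons in detect(EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<8} {dev:<8} risk={points:<3} " + "; ".join(reasons))
```

Run on the sample, the two Barbara events alert on their own (new country plus off-hours, then a backup she has never performed), while the DBA login from her laptop scores only 40 by itself: the hour and the device are unusual, but logging into the payroll database is exactly what dba01 does every day. Only the device-level stitching pushes it over the threshold, which is the point of the article: the second identity is legitimate, and it is the chain across identities, not any single event, that gives the attacker away. The routine 22:00 backup from the DBA's own workstation scores zero.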


Orion Cassetto, senior product maester at Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks, and Armorize ...

Comments
User Rank: Ninja
8/28/2017 | 4:32:54 PM
For insider threats; in addition to authentication one can apply authorization strategies so not everybody gets everything but only what they need. That may minimize the threat.
User Rank: Apprentice
8/28/2017 | 12:37:38 PM
Re: Spoiler alert
@Joe - I love it. Now if we can only come up with a proper security analogy for zombie ice dragons! ;)
User Rank: Ninja
8/28/2017 | 11:11:26 AM
Wonderful Story about Patton
During the 1930s he was taking a night walk around his command with an aide when they came upon a sentry. (Call the sentry the firewall.) While Patton watched in the dark, the aide came to the sentry and asked, "Soldier, where do you expect trouble to come from?" The sentry saluted, turned and pointed INSIDE the compound. Astonished, the aide asked, "Why?" The sentry quickly responded, "Sir, you asked where trouble would come from - that is different from where the enemy would come from. I know, sir, that if I failed to do my job, the commanding officer of the post (pointed inside) would come at me with a ton of trouble. Sir." Patton roared with laughter and said, "Don't bother that man anymore, he knows how to do his job."
Joe Stanganelli
User Rank: Ninja
8/25/2017 | 7:28:11 PM
Spoiler alert
@Orion: Great minds think alike: This analogy is exactly what has been on my mind this season with Arya and her storylines, and I've remarked on the same when watching the show.

(It's been even more on my mind of late with recent events and possible theories as to what last episode's events might possibly be building up to.)