[BreachExchange] Cyberattacks Are Here: Security Lessons from Jon Snow, White Walkers & Others from Game of Thrones

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 20 20:21:46 EDT 2017


https://blog.cloudsecurityalliance.org/2017/07/19/cyberattacks-security-lessons-jon-snow-white-walkers-others-game-thrones/

As most of you have probably seen, we recently announced our new human
point brand campaign. Put simply, we are leading the way in making security
not just a technology issue, but a human-centric one. In light of this, I
thought it would be fun to personify threats to the enterprise with one of
my favorite shows – Game of Thrones. Surprisingly, there are a lot of
lessons that can be learned from GoT in the context of security.

Before we start, I’d like to provide a few disclaimers:

- This is meant to be tongue in cheek, not literal, so take off your troll
hat for the sake of some interesting analogies.
- This is not comprehensive. Honestly, I could have written another 5,000
words around ALL the characters that could be related to threats.
- This is based off of the Game of Thrones television series, not the books.
- And finally, spoilers people. There are spoilers if you are not fully
caught up through Season 6. You’ve been warned 🙂

Now, let’s dive in, lords and ladies…

What makes this Game of Thrones analysis so interesting is that these
characters, depending on external forces, can change drastically from
season to season. Therefore, our favorite character could represent a
myriad of threats during a given season or the series overall. This concept
relates to what we call ‘The Cyber Continuum of Intent’ which places
insiders in your organization on a continuum which can move fluidly from
accidental to malicious given their intent and motivations. There are also
many instances where a character is a personification of a cyber threat or
attack method.

Let’s start with one of the most devious characters – Petyr Baelish aka
Littlefinger. Littlefinger is a good example of an advanced evasion
technique (AET) that maneuvers throughout your network delivering an
exploit or malicious content into a vulnerable target so that the traffic
looks normal and security devices will pass it through. As Master of Coin
and a wealthy business owner, he operates in the innermost circle of King’s
Landing, while secretly undermining those close to him to raise his
standing within Westeros. He succeeds, in fact, by marrying Lady Tully to
ultimately become the Protector of the Vale with great influence over its
heir – Robin Arryn of the Vale. Looking at his character from another
angle, Littlefinger could also be considered a privileged user within a
global government organization or enterprise. He is trusted by Ned Stark
with Ned’s plans to expose the Lannisters’ lineage and other misdoings, but
he ultimately uses that information and knowledge for personal gain –
causing Ned’s demise. And let’s not forget that Littlefinger also betrays
Sansa Stark’s confidence and trust, marrying her to Ramsay Snow.

Varys and his ‘little birds’ equate to bots, and collectively, a botnet.
Botnets are connected devices in a given network that an owner can control
with command and control software. Of course, Varys (aptly also
known as the Spider) commands and controls his little birds through his
power, influence and also money. When it comes to security, botnets are
used to penetrate a given organization’s systems – often through DDoS
attacks, sending spam, and so forth. This example is similar to Turkish
hackers who actually gamified DDoS attacks, offering money and rewards to
carry out cybercrime.

Theon Greyjoy begins the series as a loyal ward to Eddard Stark and friend
to Robb and Jon, but through his own greed and hunger for power becomes a
true malicious insider. He also is motivated by loyalty to his family and
home that he has so long been away from. He overtook The North with his
fellow Ironborns, fundamentally betraying the Starks.

Theon Greyjoy and Ramsay Bolton (formerly Snow) are no strangers to one
another, and play out a horrific captor/captive scenario through Seasons 4
and 5. Ramsay is similar to ransomware, as it usually coerces its victims to
pay a ransom through fear. In the enterprise, this means a ransom is
demanded in Bitcoin for the return of business critical data or IP.
Additionally, Ramsay Snow holds Rickon Stark as a hostage in Season 6. He
agrees to return Rickon to Jon Snow and Sansa Stark, but has his men kill
Rickon right as the siblings reunite. This is often the case with ransomware
that infiltrates the enterprise – often, even if the ransom is paid, data is
not returned.

Gregor Clegane, also known as The Mountain, uses sheer brute force to cause
mayhem within Westeros, which would be similar to brute force cracking.
This is a trial and error method used to decode encrypted data, through
exhaustive effort. The Mountain is used for his strength and training as a
combat warrior, defeating a knight in a duel in Season 1, and in Season 4
defeating Prince Oberyn Martell in trial by combat – in a most brutal way.
He could also be compared to a nation state hacker, with fierce loyalty to
the crown — particularly the Lannister family. He is also a reminder that
physical security can be as important as virtual for enterprises.

Depending on the season or the episode, this can fluctuate, but 99% of the
time I think we can agree that Cersei Lannister is a good example of a
malicious insider and more specifically a rogue insider. She is keen to
keep her family in power and will do whatever it takes to maintain control
over their destiny. My favorite part about Cersei is though she is
extremely easy to loathe, throughout the entire series it is clear she
loves her children and would do anything for them. After the last of her
children dies, she quickly evolves from grief to rage. As the adage says,
sad people harm themselves but mad people harm others. Cersei can be
related to a disgruntled employee who is facing challenges from within or
outside of the workplace and intends to steal critical data with malicious
intent.

If we take a look at Seasons 4 and 5, and the fall of Jon Snow, many of the
Night’s Watch members are good examples of insiders. Olly, for example,
starts out as a loyal brother among the Night’s Watch. If he happened to
leak any intel that could harm Jon Snow’s leadership or well-being, it
would have been accidental. This could be compared to an employee within an
organization who is doing their best, but accidentally clicks on a
malicious link. However, as Snow builds his relationships with the
wildlings, Olly cannot help but foster disdain and distrust toward Snow for
allying with the people that harmed his family. Conversely, Alliser Thorne
was always on the malicious side of the continuum, having it out for Snow
especially after losing the election to be the 998th Lord Commander of the
Night’s Watch. Ultimately, Thorne’s rallying of the Night’s Watch to his
side led to Snow’s demise (even if it was only temporary).

Sons of the Harpy mirror a hacktivist group fighting the rule of Daenerys
Targaryen over Meereen. They wreak havoc on Daenerys’s Unsullied elite
soldiers and are backed by the leaders who Daenerys overthrew – the
‘Masters’ of Meereen – in the name of restoring the ‘tradition’ of slavery
in their city. They seek to overthrow Daenerys and use any means necessary
to ensure there is turmoil and anarchy. Hacktivists are often politically
motivated. If the hacktivist group is successful, it can take the form of a
compromised user on the Continuum – through impersonation. After all, the
most pervasive malware acts much like a human being.

Let’s not forget about the adversaries that live beyond The Wall – The
White Walkers. The White Walkers represent a group of malicious actors
seeking to cause harm in the Seven Kingdoms, or for this analogy, your
network. What is interesting about these White Walkers is that they are a
threat that has been viewed as a legend or folklore except for those that
have actually seen them. However, we know that this season they become very
real. Secondly, what makes the White Walkers so remarkable is that we do
not know their intentions or motivations, they cannot be understood like
most of these characters seeking power or revenge. I argue that this makes
them the most dangerous and hardest threat to predict. And lastly, if we
think about how the White Walkers came to be, we know that they were
initially created to help defend the Children of the Forest against the
First Men. But, we now know that they have grown exponentially in number
and begun to take on a life (pun intended) of their own. This can be equated
to the use of AI in the technology space, which some fear will overtake us
humans.

In my mind The Wall itself could be considered a character, and therefore a
firewall of sorts. Its purpose is to keep infiltration out; however, as we
learned at the end of Season 6, this wall is penetrable. This leads me to
the main takeaway – enterprises and agencies face a myriad of threats and
should not rely on traditional perimeter defenses, but have multi-layered
security solutions in place.

With all of these parallels, it becomes clear that people are the true
constant complexity in security. It is known that enterprises must have
people-centric, intelligent solutions to combat the greatest threats like
those faced in Westeros.