“The Sting,” “The Taking of Pelham One Two Three,” “Ocean’s 11,” “The Lavender Hill Mob” — such heist movies depict smart people coming up with elaborate schemes to steal something while equally smart people try to stop them. You don’t have to search Netflix for these films to experience the excitement of a “good heist,” though.
Today’s applications are like a vibrant, growing, open city. Sophisticated attackers stealthily infiltrate the city, establish a foothold and laterally spread their influence to gain control of assets. The way this plays out is a heist movie script on par with anything that’s graced the silver screen.
The plot of a good heist movie mirrors the concept of the cyber kill chain, based on a military model to understand the techniques of an adversary.
The plot begins with reconnaissance. Can an attacker find a weak point? They weaponize, building a tool to exploit that weak point and deliver the tool.
Successful delivery results in an exploit, followed by installation of a more persistent point of access. The attacker then establishes a network of command and control. We’re one step away from the climax of our heist movie!
In the final scene, the attacker strikes for their objective. Whether it’s exfiltration of data, compromise of assets or theft of resources, everything is in place for the final heist.
A screenwriter will draw from a library of scenes and set pieces in different ways to drive the narrative.
Cyber attackers create their own strategy in exactly the same way. Many of their techniques and tactics are documented in the MITRE ATT&CK framework. This models the behavior of real-life attack groups, identifying the types of target they each seek and the tactics they are each skilled in using.
In the spirit of “know your enemy,” learn the tactics and techniques an attacker might use in their heist script.
A good heist story plays out on an exciting, high-stakes stage. Perhaps the attackers caper across an entire city. Your infrastructure and the applications within it are the location for your heist story.
You’ll deploy hurdles to block an attacker: web application firewalls (WAFs) as security checkpoints, authentication to control access. These of course are not sufficient; almost every heist movie involves the antagonist evading checkpoints or stealing a key!
In the movie, the attacker might seek out a disgruntled member of staff to gain intel on security patrols or pick a lock to a disused metro station to gain access across the city. In your movie, the attacker seeks vulnerabilities and misconfigurations they can exploit.
Modern applications almost always depend on large numbers of third-party components. Vulnerabilities in these components can be exploited, and attacks can be deployed on an industrial scale. So many attacks begin with an unpatched bug in an unregarded library or component, for instance.
Your Starring Role in the Movie
In most movies, the screenplay casts the criminals as the heroes, and we all root for their success.
Not in this movie. The criminals are exactly that, and the protagonist is you. Intercepting the attack, preventing the heist, saving the day — that’s your job!
Step 1: Build a Map of the City
A good detective knows the city like the back of his or her hand. They know what the targets might be, how they are secured, and where the weak underbelly of the city can be found.
You need to do the same with your infrastructure and apps.
Of course, you can’t do this on gut instinct and 20 years of experience walking the streets of your city alone. You’re going to need help to automate the task of discovering the attack surface, identifying vulnerabilities and building a master threat map.
Build or acquire security tools that help you do this. Knowing the ever-changing threat map is key for the next part of your defense.
Step 2: Watch and Observe
What does our movie detective — you, the star of the film — do next? They watch and observe.
You could rely on citizens to call in when they see a minor crime taking place. These are “indicators of compromise”: a process crashed unexpectedly, a file modified on disk, an unexpected configuration change.
If you rely on these alone, you’re forever playing catch-up. You’ll burst into a room to find the criminals have just left, leaving only an open window and drifting dust.
Our hero detective has sources everywhere and gathers intel about events before any crime has taken place.
A dog barks. An odd package is mailed to an empty house. A security guard starts flashing some newfound wealth. All of these and more are clues that something might be happening.
Look for equivalent “signals of attack.” Is an attacker reconnoitering for a weak point from outside? Are they prowling the streets, looking for an open door? Is there unusual SSH or command-and-control (C2) traffic that indicates an attack is unfolding?
These signals are subtle, preceding the more brutal indicators of compromise. They give you the intel you need to keep one step ahead of the attackers’ playbook.
Step 3: Correlate and Infer
In a heist movie, the genius detective often thrives on hunches to the annoyance of his superiors. He correlates unusual activities within the city against a detailed understanding of the weaknesses, and suspicions are raised when they come together.
You, too, have the threat map, indicators of compromise and signals of attack. You need to correlate these across both time and space.
A signal of attack might correspond to an Apache Struts OGNL or SQLi attempt through the firewall, yet your threat map shows that the target services are not vulnerable to this type of exploit. Without further context, this alone is just noise.
An indicator of compromise might reveal that an unanticipated change has happened within an application. Without context, this may also be insignificant, but if you can correlate this to a potential vulnerability or you observe matching signals of attack, that’s worth investigating.
Develop or acquire tools that help you to sift through the massive volumes of data to correlate signals of attack against known vulnerabilities and observed indicators of compromise. Then you’re ready to raise your suspicions quickly when a sophisticated attack is unfolding.
Step 4: Act on the Intelligence
When your suspicions are raised, you need to act fast. This is not a Michael Bay movie, where seven city blocks are razed to the ground and a statewide car chase leaves a trail of carnage in pursuit of the criminals.
Like a city, your application must follow cloud native principles to be resilient and scalable. Then, if a service or container is suspected to be compromised, you can quarantine it, and the orchestrator will start clean instances as needed. If signals of attack originate from an internal or external IP address, block it. If C2 traffic is detected, firewall it; if an authentication token is implicated, revoke it.
Act quickly, with surgical precision, to break the kill chain the attacker is following. Neutralize them, and stop the attack from unfolding further.
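A minimal version of the correlate-then-act loop of Steps 3 and 4, as an added example that is not the article’s own code: it joins WAF signals of attack against a threat map (is the target actually vulnerable?) and against host indicators of compromise across time (same host, shortly after the signal) and space (one source probing several hosts), then attaches the response each verdict calls for. The hostnames, IPs, log formats and the ten-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed threat map (Step 1): host -> exploit classes the service there is actually open to
THREAT_MAP = {"web-01": {"struts-ognl"}, "api-02": set()}
# Constructed WAF log (signals of attack): timestamp, source IP, target host, attack class seen
WAF_LOG = """\
2021-09-30T10:00:05+00:00 203.0.113.7 web-01 struts-ognl
2021-09-30T10:00:09+00:00 203.0.113.7 api-02 sqli
2021-09-30T10:30:00+00:00 198.51.100.9 api-02 sqli
2021-09-30T11:00:00+00:00 192.0.2.44 web-01 struts-ognl
"""
# Constructed host telemetry (indicators of compromise): timestamp, host, what changed
IOC_LOG = """\
2021-09-30T09:10:00+00:00 api-02 config_change:/etc/app/db.yaml
2021-09-30T10:02:40+00:00 web-01 file_modified:/opt/app/WEB-INF/web.xml
2021-09-30T10:32:00+00:00 api-02 config_change:/etc/app/db.yaml
"""
WINDOW = timedelta(minutes=10)  # an IoC this soon after a signal on the same host counts as related

def parse(log, fields):
    # Whitespace-separated columns; the last field absorbs anything after it
    rows = [dict(zip(fields, line.split(" ", len(fields) - 1))) for line in log.splitlines()]
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["ts"])
    return rows

def correlate(threat_map, waf_log, ioc_log, window=WINDOW):
    signals = parse(waf_log, ["ts", "src", "host", "attack"])
    iocs = parse(ioc_log, ["ts", "host", "detail"])
    findings = []  # one (host, severity, evidence, action) per signal, then cross-host recon findings
    for s in signals:
        vulnerable = s["attack"] in threat_map.get(s["host"], set())
        # Time: only IoCs on the same host after the signal, inside the window, are evidence (09:10 is ignored)
        after = [i["detail"] for i in iocs
                 if i["host"] == s["host"] and s["ts"] <= i["ts"] <= s["ts"] + window]
        if vulnerable and after:   # exploitable target and something changed: break the chain now
            sev, action = "critical", f"quarantine {s['host']}; block {s['src']}"
        elif vulnerable:           # exploitable target, nothing changed yet: cut off the source
            sev, action = "high", f"block {s['src']}"
        elif after:                # not known vulnerable, but the host changed anyway: look closer
            sev, action = "medium", f"investigate {s['host']}"
        else:                      # attempt against a non-vulnerable service: noise on its own
            sev, action = "noise", "none"
        evidence = f"{s['attack']} from {s['src']}" + (f"; then {after[0]}" if after else "")
        findings.append((s["host"], sev, evidence, action))
    # Space: one source touching several hosts is reconnaissance, whatever each verdict was
    for src in sorted({s["src"] for s in signals}):
        hosts = {s["host"] for s in signals if s["src"] == src}
        if len(hosts) > 1:
            findings.append(("*", "recon", f"{src} probed {sorted(hosts)}", f"block {src}"))
    return findings
```

Call `correlate(THREAT_MAP, WAF_LOG, IOC_LOG)` to see the same SQLi attempt scored as noise when nothing follows it and as worth investigating when a config change does, while only the source that touched both hosts is flagged for reconnaissance.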
Our Heist Movie Ends
We all benefit from safe and secure cities. Businesses flourish. Transactions take place without danger. Personal and commercial data is safe from exploitation.
The movie industry will continue to make heist movies; we all love these box-office hits. Attackers will continue to try to exploit applications and infrastructure for gain. Map, observe, correlate and act, and you won’t find yourself starring as the victim in tomorrow’s cyber heist.
To learn more about security and other cloud native technologies, consider coming to KubeCon+CloudNativeCon North America 2021 on Oct. 11-15.