Like many, I’ve been preparing for the new Star Wars: The Force Awakens movie by revisiting all of the old ones. As a passionate security geek, I can’t help but consume my pop-culture through the filter of Information Security. I’m always surprised by the correlations you can find between the two subjects (if you look hard enough).
Last month, I explored some of the security tips that can be gleaned from Star Wars Episodes 4-6, so now let's dive into what the prequel series can teach us about InfoSec.
Protect Your Planet From DDoS Distraction Tactics
Early in The Phantom Menace, we learn that Viceroy Nute Gunray, of the Trade Federation, is planning a surprise attack on the planet Naboo. When asked if Queen Amidala suspects the attack, he replies that he doesn’t know, but that they must move quickly to disrupt communications. Later, the governor of Naboo says, “A communication disruption can only mean one thing. Invasion.”
This is a common military tactic. If you want your attack to remain hidden, you knock out your adversary’s communications to cause confusion and keep them from sharing information. Unfortunately, this has also become a relatively common digital attack tactic. Some advanced cyber attackers launch distributed denial of service (DDoS) attacks against their victims as a smoke screen. While you’re figuring out that overwhelming flood of traffic, the hacker launches his real attack, designed to infiltrate your network and steal your confidential information. You don’t notice the real attack because the DDoS attack caused confusion by disrupting your communications.
A great example of this was a 2013 cyber heist against a Californian financial institution. The hackers launched a DDoS attack to mask their real $900K cyber heist. In fact, examples of DDoS smoke screens go back even further, and some even mimic the physical, military attacks we see in Star Wars. Specifically, in 2008 Russia launched a military invasion against Georgia. Before that attack, Georgia reportedly suffered DDoS attacks. Finally, this tactic has become so popular that we even see fictional hackers use it (realistically) in shows like the Mr. Robot series.
In short, while DDoS attacks are a problem on their own, they can also signify that a more nefarious assault is underway. Learn from Naboo, and be sure to pay attention to your other systems if you are ever faced with a DDoS. It may just be hiding the attacker's real motive.
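A defender-side illustration of that last point, added here and not part of the original post: given some constructed log lines, pull out every event that happened while a flood was in progress, since those are the ones a smoke-screen DDoS may be hiding. The log format, the alert names, the ten-minute clustering gap and the addresses are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). A flood of
# firewall alerts starts at 10:00; in its shadow a privileged login and a
# large outbound transfer occur, the kind of "real attack" the DDoS hides.
SAMPLE_LOG = """\
2015-12-01T10:00:00 fw SYNFLOOD src=203.0.113.7
2015-12-01T10:00:02 fw SYNFLOOD src=203.0.113.8
2015-12-01T10:00:04 fw SYNFLOOD src=203.0.113.9
2015-12-01T10:02:10 auth LOGIN user=dbadmin src=198.51.100.5 result=success
2015-12-01T10:03:30 proxy OUTBOUND dst=198.51.100.9 bytes=734003200
2015-12-01T10:04:00 fw SYNFLOOD src=203.0.113.10
2015-12-01T13:00:00 auth LOGIN user=alice src=10.0.0.12 result=success
"""

def parse(line):
    """Turn one log line into a dict with ts, source, event and its key=value fields."""
    ts, source, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def flood_windows(records, min_alerts=3, gap=timedelta(minutes=10)):
    """Cluster SYNFLOOD alerts separated by at most `gap` and keep clusters of
    at least `min_alerts`. Each window runs `gap` past its last alert so that
    follow-on activity is still treated as happening under cover of the flood."""
    floods = sorted(r["ts"] for r in records if r["event"] == "SYNFLOOD")
    clusters = []
    for ts in floods:
        if clusters and ts - clusters[-1][-1] <= gap:
            clusters[-1].append(ts)
        else:
            clusters.append([ts])
    return [(c[0], c[-1] + gap) for c in clusters if len(c) >= min_alerts]

def events_in_shadow(log_text):
    """Return every non-flood event that happened while a flood window was open.
    These are the events to triage first: the DDoS may exist only to hide them."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    windows = flood_windows(records)
    return [r for r in records
            if r["event"] != "SYNFLOOD"
            and any(start <= r["ts"] <= end for start, end in windows)]

if __name__ == "__main__":
    for r in events_in_shadow(SAMPLE_LOG):
        print(r["ts"], r["source"], r["event"])
```

The 13:00 login is ignored because no flood was active then; the admin login and the 700 MB outbound transfer during the flood are the ones to look at.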
If you’re the average geek, you can’t talk about the Star Wars prequels without moaning about Jar Jar Binks. While I have to admit that my 11-year-old found him amusing, most Star Wars fans I know are disgusted by his slapstick, comedic relief. Jar Jar often seemed to cause more trouble than he was worth; crashing into the heroes, clumsily stumbling around battlefields and acting seemingly brainless. Yet, somehow, Jar Jar’s bumbling always seemed to magically work out for the better.
Most IT professionals probably have a story about a Jar Jar-like user in their organization. We’ve all seen them: the type of user who seems hapless around computers, may fall for the simplest social engineering tricks, or takes risky actions that threaten the organization. In fact, there are endless IT jokes, calling these types of people “Lusers,” or saying things like:
Truthfully, ignorant Jar Jar-like users can introduce risks to their organizations, making basic mistakes that let hackers in. And in the real world, things don’t always magically work out for the better. Jar Jar is a good example of an “accidental insider threat,” or a person that makes an unintentional mistake that threatens your business.
There’s no getting around the fact that users need security awareness training. One deadly mistake you can make with Jar Jar-like employees is to assume that they are hopeless. Of the IT jokes mentioned above, the one I hate is, “no patch for stupidity.” There is a patch: Education. You can’t expect everyone to intuitively have IT or security expertise. However, you can expect them to learn the basics, and improve their Jar Jar-like ways. Train your users so that they act more like the Jar Jar diplomat vs. Jar Jar the exile.
Beware of Malicious Sith Master Insiders Lurking in Your Organization
Friend: “Did you know that Jar Jar Binks is really a Sith Jedi Master?”
Me: “WHAT!!! No way. Jar Jar is an idiot and I hate that character.”
That was my reaction to a recent rumor a friend shared with me. If you aren’t aware, a thread on Reddit, and related video, have recently gone viral, describing a potential alternate story arc for Jar Jar. I won’t spoil the details (watch the video), but in the end the author makes a somewhat compelling argument that Jar Jar may be an evil Sith Master manipulating Princess Amidala and the Jedi. In the end, it’s probably just a fun conspiracy theory, but for the sake of argument, let’s imagine this possibility.
Although I just compared Jar Jar to an accidental insider based on his moronic nature, if this alternative theory were true, Jar Jar knowingly manipulated our heroes from the inside, making him a malicious insider.
Malicious insiders are something that can’t be ignored in information security. We’d all like to completely trust the people we work with, but there are cases involving ethically-challenged and disgruntled employees that pose a threat. These kinds of individuals have been known to take sensitive data or proprietary client information without authorization. To protect yourself from malicious “Sith” insiders:
- Implement the least privilege principle to prevent employees from touching data they shouldn’t have access to.
- Consider data monitoring or data loss prevention solutions that can keep track of how employees use data.
Believe it or not, companies lose more data from accidental insiders than they do from malicious insiders. If you only have one dollar to spend, you’re more likely to get a better return on security awareness training.
This title might sound a bit risqué, but hear me out. Padmé was an adept security expert! A big reveal from the first movie was that “Queen Amidala” was a decoy, and that one of her “handmaidens” was actually the true Queen of Naboo. Padmé realized that she was at risk, so her security team assigned a bodyguard to impersonate her. During an assassination attempt, the attacker would go after the wrong person, giving Padmé the opportunity to identify the attack, and react or escape.
This is a great example of what the security industry calls a honeypot. Originally designed as a security research tool, honeypots are systems that pretend to be legitimate, but are actually designed to lure in hackers. They offer a safe way to attract malware and attacks for analysis that informs the creation of new defenses. Lately, however, organizations are starting to use honeypots to both deflect attacks from their real targets, and as a “canary in a coal mine” that informs you if you’ve been breached.
Companies hoping to protect their vital assets should consider some of the new forms of deception defenses like honeypots.
Watch Out for “Changeling” Threats Evading Your Defenses
While not everyone loves the prequel movies, one thing these films did well was bringing back the bounty hunters. It’s probably safe to say that Boba Fett is a fan favorite among Star Wars geeks, so including Jango Fett and his minions was a smart move.
In Attack of the Clones, there’s a scene where a seemingly female bounty hunter attempts to assassinate Amidala with poisonous worm-like creatures. Obi-Wan and Anakin sense the attempt, prevent it, and pursue the assassin through the skies of Coruscant. In the end, they corner the human assassin in a bar, only to learn that she is a changeling—an alien that can morph into other forms. Obviously, this is a great skill for an assassin or bounty hunter as they attempt to avoid capture or detection.
Changelings’ abilities are also a great metaphor for advanced malware. In order to evade signature-based defenses, which are looking for specific patterns, sophisticated malware is designed to constantly morph. Cyber criminals use technical tricks that continuously repack their malware so that it looks different on a binary level. In the end, it might be the same exact ransomware that you’ve seen before, but it’s repeatedly packaged in new ways to escape legacy defenses. The only way to catch this type of threat is to ignore the external packaging, and focus on the behavior of the threat.
If you want the Jedi skills required to catch advanced malware, consider more advanced threat protection solutions that use behavioral analysis and machine learning to catch new threats.
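An added toy model (not code from the original post) of why a repacked sample slips past a hash signature while its behaviour does not: the "packer", the behaviour strings and the detection rule are all constructed for illustration, and nothing here is real malware.

```python
import hashlib
import os

# Constructed stand-in for a malicious payload: the actions a sandbox would
# observe when the sample runs. Nothing here is real malware.
RANSOMWARE_BEHAVIOUR = b"enum_files;encrypt:*.docx;drop:HOW_TO_DECRYPT.txt;contact_c2"
BENIGN_BEHAVIOUR = b"enum_files;read:settings.ini;write:report.csv"

def pack(payload, key, junk_len):
    """Toy 'packer': prepend random junk and XOR the body with a one-byte key.
    Every call yields different bytes, but what runs after unpacking is identical."""
    junk = os.urandom(junk_len)
    body = bytes(b ^ key for b in payload)
    return bytes([key, junk_len]) + junk + body

def unpack(blob):
    """Reverse pack(); stands in for the unpacking stub the sample carries."""
    key, junk_len = blob[0], blob[1]
    return bytes(b ^ key for b in blob[2 + junk_len:])

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def signature_scan(blob, known_hashes):
    """Legacy defence: match the file's hash against previously seen samples."""
    return sha256(blob) in known_hashes

# Behaviour rules describe what the sample does, not how its bytes look.
BEHAVIOUR_RULES = {
    "ransomware": (b"encrypt:", b"drop:", b"contact_c2"),
}

def behaviour_scan(blob):
    """Behaviour-based defence: ignore the packaging, classify the observed actions."""
    actions = unpack(blob)  # what a sandbox would record once the sample unpacks itself
    return [name for name, markers in BEHAVIOUR_RULES.items()
            if all(m in actions for m in markers)]

if __name__ == "__main__":
    first = pack(RANSOMWARE_BEHAVIOUR, 0x5A, 8)
    known = {sha256(first)}
    repacked = pack(RANSOMWARE_BEHAVIOUR, 0x21, 16)  # same payload, new wrapper
    print("signature catches repack:", signature_scan(repacked, known))  # False
    print("behaviour catches repack:", behaviour_scan(repacked))         # ['ransomware']
```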
So, if you haven’t watched all three prequel films… spoiler alert! By the end of the series, we find that Senator Palpatine was the author of a series of deceptive machinations that led to his rise in power. He was behind the Trade Federation’s attacks, and leveraged the fear from those circumstances to remove the current Chancellor, ultimately gaining the position for himself. He exploited the risk posed by the Droid Army to grant himself “emergency powers,” and control of the Clone Army. And in the end, we learned he was Darth Sidious – a Sith Lord – all along. In summary, Palpatine exploited fear, uncertainty, and doubt (FUD) to get otherwise smart people to give up their freedom, by incrementally granting a single authority more and more power.
Does this sound familiar?
There have been many historical examples where nations have come under some real or perceived threat, and have reacted by looking for solutions to protect their citizens. Unfortunately, these situations are often fueled by fear; especially if they follow some real attack. When this happens, it’s natural to look for new and extreme ways to defend ourselves, including granting authorities new powers or capabilities.
However, we need to be careful how much power we give one entity. As they say, “absolute power corrupts absolutely.” Who knows if a “Darth Sidious” might one day rise through the ranks, and use those powers in ways that were never intended.
How does this relate to information security? The current encryption backdoor debate.
Recently, law enforcement and intelligence agencies have argued that they can’t continue to protect us from terrorist threats unless they have means to intercept and potentially read encrypted digital communications. They’ve suggested that commercial vendors need to design solutions that allow some way for authorities to recover certain communications. Sometimes, they also leverage our fear of recent threats to continue to push this agenda.
The problem is, we also use encryption to legitimately protect private and business communications from real criminals. Creating encryption backdoors—no matter how well intentioned—also creates a new weakness that bad actors might eventually leverage.
As you consider what cyber security powers the government should have in the future (including the ability to decrypt commercial data), remember the Darth Sidious story. Great powers, when left unchecked, may come back to overturn your Republic and launch a Dark Empire.
Whether or not you loved or hated the Star Wars prequels, they make good allegories for many important information security lessons. If you’re interested in what other security tips the Star Wars universe might reveal, join me in the next few weeks to explore Star Wars: The Force Awakens.