Save Your Security Team!
Editor’s Note: Our Hobbit theme is in honor of Hobbit Day
“You - shall not - pass!” This could easily be the refrain of any security team, but these words were uttered by one of Tolkien’s characters, Gandalf, deep in the Mines of Moria in the movie the "Fellowship of the Ring."
If you think about it, the entire sequence in the Mines of Moria is an intriguing allegory about cybersecurity practices. But my burning question is, should the Fellowship be viewed as a company of bad actors or are they a security team?
Barriers to Entry
The Fellowship finds themselves at the entrance of the mines, which is where our comparison begins. There is a hidden sign posted on the doors that reads “The Doors of Durin, Lord of Moria, Speak Friend and Enter.” Firstly, the door for entry is hidden and needs to be hacked to determine the parameters that need to be passed for entry. Secondly, we witness a team using brute force password attempts to get past the barrier. After using combinations of complex phrases they find that the simplest shared admin password, the word “friend,” is the key to get them past the security measure.
In this scenario, we can compare the door with the security perimeter organizations have traditionally used for protection . While this approach to security has stood the test of time, in today's digital world it lacks a certain luster and needs an upgrade. Protecting our businesses with a single gateway or entry point is no longer adequate, because we have more points of entry than we ever did before. Think of remote workers and contract workers who may not be inside of the network; or the adoption of applications hosted in the cloud.
With multiple entry points, we need strong security measures that rely on verifying the user attempting access. It is not viable to assume trust in those who have the password; we have to continuously verify the identity that is attempting access. One way businesses are doing this is by adopting a zero-trust security approach for the workforce, which starts with the implementation of multi-factor authentication (MFA).
But is MFA enough?
As the Fellowship descends deeper into the Mines of Moria, they come under attack in Balin’s Tomb. One team member curiously touches a skeleton, exposing a vulnerability that sets off a chain of events. The group is set upon by a hoard of attackers, goblins and orcs and they are tested and tried in a harrowing battle where the main protagonist of the saga, the hobbit Frodo, is ultimately struck down. Thankfully a Mithril vest protects him. Could you imagine where the story would have gone if he had been compromised? It would have been game over. The same concept applies if your admin credentials were ever hijacked and you had no protection in place – you’d have goblins running amuck masquerading as a friendly hobbit.
Back to the vulnerability that was exposed by the actions of an unsuspecting user. Is the user to blame? Perhaps the skeleton should have been more secure. If we consider the elements that reside in our infrastructure, how can we be sure that there are no potential vulnerabilities that could be exposed? Think of the devices or endpoints that access sensitive resources in an environment; are they all up to date with the latest patches? Or is there perhaps one weak point that could set off an undesired chain of events?
By verifying the devices and endpoints that have access to sensitive applications in our environments we can mitigate the risk of an attack. If there had been a check in place in the Tomb of Balin before the skeleton was touched, the vulnerable component could have been isolated and there wouldn’t have been an entry opportunity exposed to the attackers.
The Team
I still can’t decide if the Fellowship is a security team or a group of bad actors though. I think I need to go deeper into the mines, perhaps to Durin’s Bridge, or the Bridge of Khazad-dum, where the famous phrase above was said to find my answer.
It turns out the events in the tomb set off a cascade of catastrophic issues as the attackers start to move laterally through the mine, sound familiar? The Fellowship is forced to flee only to face an even more serious threat, a Balrog (a demon of the ancient world) which could be parallelled to a data breach. Gandalf claims this threat is beyond any of the team and he alone steps up to block the Balrog from further access to the environment. An epic battle of fire and lighting ensues and ultimately Gandalf sacrifices himself after successfully denying the Balrog passage.
Here we see a fearless team leader who fights the fires and sacrifices themself, their sleep and sanity, to ensure that the organization is protected. That settles it: the Fellowship is a security red team. But as evidenced, this isn’t a sustainable model for security. While the access policies set by Gandalf result in mitigating the threat to the broader group, wouldn’t it have been more effective if the team had worked together?
Just think, if everyone had followed appropriate security practices, they probably wouldn’t be in the dire situation and fighting for their lives (or to protect their data) in the first place.
The fact that the Fellowship knew the password to get into the mines solidifies that they were, in fact, the security team from the very beginning. The goblins and orcs were the bad actors who gained access when they shouldn’t have been able to, and the entire sequence is the security team trying to save themselves from the attack.
So what did we learn?
If the Mines of Moria had multi-factor authentication in place from the start, the bad actors wouldn’t have been able to impersonate the administrator and gain access. If there were endpoint or device validation in place in the Tomb to prevent a vulnerability from being exposed, then the attackers wouldn’t have been able to move laterally through the environment. Lastly, access policies shouldn’t be reliant on just one person. Even though Gandalf was effective at thwarting the threat on Durin’s Bridge, if there had been a team approach to security and enforcing access policies no one would have needed to be sacrificed.
If only the Dwarves of Moria and Fellowship had known about zero trust for the workforce and the tools that Duo Security provides.
Don’t be like the Fellowship, learn more about how zero trust can help you protect the expanding perimeter.
Sign up for a trial of Duo today to see how you can prevent the goblins and orcs from infiltrating your organization. Save your security team from needless sacrifice.