I was watching the movie Heat today. For those of you who don't know anything about the movie, it's an amazing cops-and-robbers story featuring an all-star cast that includes Robert De Niro, Val Kilmer (while he was still a good actor), Al Pacino, and many others. If you haven't had the chance to watch the flick, go check it out. It's worth your time.
There is a scene in the movie where the criminals spend an enormous amount of time watching a bank they are going to rob. They get their hands on facility maps, time the guards, check police response times, track the comings and goings of every person in the building, and much more. They essentially track every piece of the puzzle in minute detail to make sure they will succeed when the time finally comes to rob the bank.
How Cyber Attacks Occur
That scene got me thinking about how cyber attacks actually occur. In general, an attack doesn't just happen. The attacker doesn't sit down at a computer, click a few buttons, type a few commands and, voila, they are in. That only happens in the movies. Real attacks take time. They take research, data, and telemetry on what every piece of the target looks like. It is nearly identical to the process the criminals in Heat followed.
In today's world, attackers think in graphs. It's not enough to identify that a single S3 bucket containing sensitive PII exists. Attackers have to understand all of the cyber asset telemetry that surrounds that bucket: who has access to it, how much security training those people have had, how often they rotate their passwords and whether they practice good password hygiene, which applications have access to the bucket and whether their permissions are properly scoped or over-extended, and much more. Attackers don't think linearly about how to execute an attack; they think in a graph model that lets them visualize and comprehend what the attack surface looks like and where trust relationships can be abused or broken.
Defender Graphs vs Attacker Graphs
The problem defenders have is that they don't yet think in graphs. Defenders tend to think linearly, focused on security tooling and processes, instead of focusing on the collection of cyber assets in the enterprise and how they all connect and operate together. Data about what exists in your environment is only so valuable without an understanding of the "how" and "why" behind those assets.
Instead of focusing on a linear, tooling-stack-based approach to protection, we should focus on the connections and relationships between our cyber assets. A bucket that looks locked down in an inventory can still be reachable through a role that a build pipeline is allowed to assume, and that path only becomes visible once the "can assume" relationship is part of the map. If we adopt this more modern approach to security, we will quickly understand where the risks live and how they can be mitigated. Having an inventory of our asset base is only so valuable. If we really want to understand our security posture, we also have to map the relationships between all of our assets, and that starts with a graph!
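To make the "graph versus inventory" point concrete, here is a small added example (my own illustration, not code from the original post or from any product). It models a handful of principals, roles, a Lambda function and two S3 buckets as a directed graph of relationships, then enumerates attack paths from a low-privilege user to the PII bucket. Every node name and relationship is constructed for the example; the "inventory view" that only lists direct access to the bucket is contrasted with the path the graph exposes, and one edge is removed to show the mitigation closing that path.

```python
from collections import defaultdict

# Constructed sample asset graph (hypothetical names, not from any real environment).
# Each edge is (source, relationship, target): "who or what can do what to whom".
SAMPLE_EDGES = [
    ("user:alice",       "can_assume",      "role:ci-deploy"),
    ("role:ci-deploy",   "can_update_code", "lambda:ingest"),
    ("lambda:ingest",    "executes_as",     "role:ingest-exec"),
    ("role:ingest-exec", "s3:GetObject",    "bucket:customer-pii"),
    ("user:bob",         "can_assume",      "role:read-only"),
    ("role:read-only",   "s3:ListBucket",   "bucket:public-assets"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
        graph.setdefault(dst, [])  # make sure sinks exist as nodes too
    return graph


def find_attack_paths(graph, start, target, max_depth=8):
    """Depth-first enumeration of every simple path from start to target.

    Each returned path is a list of (node, relationship, next_node) hops, so the
    reader can see which trust relationship is abused at each step."""
    paths = []

    def walk(node, hops, seen):
        if node == target:
            paths.append(list(hops))
            return
        if len(hops) >= max_depth:
            return
        for rel, nxt in graph.get(node, []):
            if nxt in seen:
                continue
            hops.append((node, rel, nxt))
            walk(nxt, hops, seen | {nxt})
            hops.pop()

    walk(start, [], {start})
    return paths


def direct_principals(edges, target):
    """The inventory view: only principals with a direct edge to the asset."""
    return sorted(src for src, _, dst in edges if dst == target)


def blast_radius(graph, start):
    """Everything transitively reachable from a principal, i.e. what its compromise exposes."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def without_edge(edges, src, rel, dst):
    """Return the edge list with one relationship removed (a candidate mitigation)."""
    return [e for e in edges if e != (src, rel, dst)]


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    target = "bucket:customer-pii"
    # Inventory view: only the execution role shows up, and it looks legitimate.
    print("direct access (inventory view):", direct_principals(SAMPLE_EDGES, target))
    # Graph view: the contractor reaches the same bucket in four hops.
    for path in find_attack_paths(graph, "user:alice", target):
        print("attack path:", " -> ".join(f"{s} [{r}]" for s, r, _ in path), "->", path[-1][2])
    # Mitigation: stop the deploy role from rewriting the function's code.
    fixed = build_graph(without_edge(SAMPLE_EDGES, "role:ci-deploy", "can_update_code", "lambda:ingest"))
    print("paths after fix:", find_attack_paths(fixed, "user:alice", target))
```

Run as a script, the inventory view reports only `role:ingest-exec` touching the PII bucket, while the graph walk shows `user:alice` reaching it by assuming the deploy role, replacing the function's code, and inheriting the execution role's `s3:GetObject`. Removing the single `can_update_code` edge is what closes the path, which is exactly the "one missed relationship" problem. A real implementation would populate the edge list from IAM policies, trust policies and resource policies rather than hand-written tuples, but the graph logic is the same.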
One Missed Relationship Can Determine Your Fate
By the way, in the movie Heat they don't get away with the robbery. They missed one relationship, and it cost them. Don't let that be the fate of your enterprise security.