Trojan Horses, Payloads and Flamethrowers

Today I will use perhaps the single most overused symbol and metaphor in the IT security industry: the Trojan Horse. I pride myself on avoiding clichés and overused metaphors, but in this case I think I have a slightly different spin. What if Paris had a flamethrower?

The account of the Trojan Horse is all about shields and the reliance on those shields. Unlike the shields we deploy today in IT security, the walls of Troy actually worked and had repelled attackers for as long as anyone could remember, including a multi-year siege by the largest invading army ever amassed.

Eventually the relentless, highly trained, and well-funded adversary (ring a bell?) built the wooden horse and filled it with 30 men. They presented the horse as tribute at the gates of Troy and pretended to withdraw their army. The Trojans willfully brought the horse inside the walls of the city, forever establishing the Trojan Horse as the metaphor for a user willfully letting malicious software into their systems, and launching hundreds of hackneyed advertisements, web site graphics and booth backdrops.

However, I would suggest that too much emphasis is placed on the delivery mechanism rather than on the payload. The wooden horse did not bring down Troy; the city fell because of what was in the wooden horse. It was the payload – the 30 Greek soldiers who crept out and opened the gates of the city – that ultimately spelled its demise. Had the horse been filled with tradeshow booth giveaways, there would be no real story. Sometimes in IT security we get so swept up in how something made it onto a machine that we forget that it is the payload that ultimately does the damage.

I would also call attention to the emphasis on the perimeter. The people of Troy became so dependent on their perimeter defenses that I suspect they rarely thought about defending against an attacker who had already breached those defenses. Once the horse and its payload were inside the city walls, the perimeter defenses were irrelevant, and from the story there appear to have been no protections inside the city. Today we focus a disproportionate amount of our diligence on the perimeter, when the attackers are after what is on individual machines.

Now to the flamethrower. If you read the various accounts of the Trojan Horse, there were one or more people in Troy who had serious misgivings about the horse. Something did not feel right – it was anomalous. What if Paris, son of the King of Troy, had taken the warnings to heart, picked up the new flamethrower given to him by Apollo, and reduced the Trojan Horse and its payload to embers? We all might be speaking Trojan today! Paris was an accomplished archer, so one flaming arrow would have done the trick.

Less dramatically, what if Paris had assigned someone to watch the horse?  Given it was anomalous, that would make sense.  Once the Greek soldiers began to emerge, the sentry could have initiated a rapid detection and response protocol and quickly acted to stop the Greeks before they could open the gates.

The story of the Trojan Horse is a contemporary warning about the over-reliance on perimeter defenses and the lack of tools for rapid detection and response when the perimeter defenses fail.  Because unlike Troy, your perimeter defenses are failing and things are getting through.  To make matters worse your defenses don’t see the wooden horses that are making it to the host machines, so they most certainly are not seeing the harmful payloads.

The new lesson of the Trojan Horse: now is the time to implement a rapid detection and response tool to complement those lovely walls you keep trying to make breach-proof in the face of all evidence to the contrary.  At least invest in a flamethrower.