Rewatching Catch Me If You Can Through The Lens of Modern Cybersecurity
Apr 27, 2021
Principal Solutions Architect
I watched the 2002 crime drama Catch Me If You Can for the fourth time over the weekend. The movie is based on a true story about Frank Abagnale Jr. (portrayed by Leonardo DiCaprio), who was able to make millions of dollars creating fake identities as a PanAm pilot, physician and legal prosecutor.
There are a lot of things that draw me towards it: how dangerously familiar it looks to me as someone who has been in the security industry for some time; the fact that large established organizations can be so easily fooled even today; or that no matter how much you try, human emotions can be manipulated with minimal effort by bad actors.
The movie very accurately depicts the sequence of events that occurred in the 1960s. When asked during a 2017 “Talks at Google” presentation about whether what happened back then can happen today or not, Abagnale said it’s four thousand times easier today than when he did it.
Abagnale also said that he had analyzed numerous breaches over the years and found two common themes: employees did what they were not supposed to do and they didn’t do what they were supposed to do. In today’s DevOps-heavy world, I would extend this to include systems along with the employees.
I learned some interesting things from the movie that I think are really relevant even in today’s highly digitized world:
Pan Am was a large organization. Large enterprises are just as vulnerable, if not more vulnerable, as small and medium sized businesses.
Partnerships can be a weak link when it comes to security. United allowed a Pan Am employee (Abagnale) to board its flight, and their checks were not stringent enough.
FBI agent Carl Hanratty (played by Tom Hanks) couldn’t have solved the case without behavioral analysis. He identified an anomaly in Frank’s behavior of cashing checks in a bank 2,000 miles away from where he lived. Without this behavioral analysis, he would have continued to search for Abagnale in the wrong places.
Hanratty had to anticipate Abagnale’s next move. But he had to accept help from Abagnale’s wife to do so. Systems alone cannot accurately tell you what the next move will be.Tracking each and every move becomes critical.
Frank Abagnale Sr. tells his son, “Yankees always win because the other teams can’t stop staring at those pinstripes.” As long as you keep looking in the wrong places, intruders will continue to evade the security systems in place.
Abagnale changed his identity three times. Identity change is fundamental in modern day attacks. Identifying malicious activities that are related but executed by seemingly different people is critical in preventing breaches.
In his 2017 Google talk, Abagnale also said that with all the controls in place in airport systems today, it is still 40 times easier to evade them. That is disturbingly true about modern day security breaches. Organizations are going to get breached sooner or later. Having necessary detection mechanisms to identify a full attack campaign holistically is ever more critical.
So what would a modern day Frank-like imposter do?
Sit behind a desk at his Command & Control system
Identify a vulnerability in the systems and exploit it
Try to establish some connections back to his Command & Control systems from where he can execute attacks
Try to lie low and go slowly with the attack because he knows the SIEMs are not very good at capturing and correlating data that spans across time
Try to change user identities to avoid getting detected
Make lateral movements and harvest data that can lead him to the “crown jewels” from where he can cash the checks (data exfiltration)
How can Confluera be the Carl Hanratty of this very real scenario that, sadly, happens quite regularly?
Confluera’s detection and response platform can identify Abagnale as soon as he breaches the environment through patented technology that continuously captures all trails and in real-time identifies a malicious trail. It is like embedding a chip in Abagnale as soon as he executes some commands and makes lateral movements through the environment. Every action, every move is monitored and tracked, regardless of whether they are executed immediately or months later.
Confluera can very accurately track lateral movement in real time to show which systems Abagnale visited and what information he harvested from the systems.
Confluera can identify Abagnale regardless of his identity and map it to the same malicious story, something that Hanratty had a tough time doing. Abagnale was able to cash the checks as a doctor, a lawyer and as a co-pilot. He wouldn’t be able to evade this with Confluera’s storyboarding functionality.
The bottom line: Real-time Threat Storyboarding is foundational to quickly detecting and responding to threats before attackers can steal valuable data from “crown jewels.” Traditional SIEMs/EDRs/NDRs are not sufficiently equipped to accurately map out an attack progression and to take precise actions based on that information to quickly kill the chain of attacks.