The first Matrix movie in 18 years is about to hit theaters, and like most people, we at Red Canary have been preparing ourselves by rewatching the first three, in order. While tech has developed rapidly over the past two decades, we are willing to bet that Neo’s Nokia 8110 is still working somewhere and able to play Snake. So, what did we learn from rewatching The Matrix trilogy? Quite a lot, actually.
Spoilers below. You’ve been warned!
#1: There is no time to waste
You need certain knowledge to survive, whether you’re living in an augmented future or the here and now. Luckily for Neo, the Matrix offered pre-formatted rooms and scenes which allowed him to refine his defense skills. The Nebuchadnezzar crew–the rebel group led by Morpheus–had the ability to load a pre-packaged script into Neo’s mind, which almost instantaneously taught him Jiu-Jitsu. The time saved to complete this task provided huge value to Neo’s training and enabled him to respond in near real-time.
While we’re still waiting for downloadable wisdom drops to become a thing (we’re only in 2021 after all), we do have automation. Much as Neo could execute Jiu-Jitsu on demand, defenders can now respond to detections with notifications, isolation, hash bans, and more. This lets incident response (IR) practitioners neutralize threats in mere seconds and, with a couple of clicks, put defenses in place against future attacks.
#2: Sentinels are much like today’s botnets
The Sentinels established a strong and intelligent presence throughout the Matrix. A persistent challenge for the humans, these artificially intelligent robots received signals and orders primarily from Deus Ex Machina–the central interface of the Machine City.
Nowadays, it’s easy to draw similarities between Deus Ex Machina and Malware-as-a-service (MaaS). In both cases, a single entity controls a botnet whose prime objective is to destroy, or at least compromise, the intended target(s). While Neo was able to communicate with Deus Ex Machina to stop the war and command the Sentinels to stand down, it isn’t as easy to get MaaS authors (or their customers) to have a sudden change of heart.
The good news is that defenders have strength in numbers too. There are droves of Information Sharing and Analysis Centers (ISAC) dedicated to analyzing and sharing research about malware and other prevalent threats. These organizations–which are often sector or industry specific–are like the hivemind for defenders.
#3: Insider threats can do a lot of damage
Insiders who don’t believe in your mission are a continual risk. Morpheus and the Nebuchadnezzar crew trusted Cypher and didn’t expect him to be working with the other side. Cypher had access to critical infrastructure and did a large amount of damage in a short amount of time. The possibility of an insider threat was not something that the crew focused on (nor prepared for), and it is something that many companies miss today as well.
One thing we have–in our world–is the power of behavioral-based detections. Such detections are even more valuable when paired with Security Information and Event Management (SIEM) software like Splunk, which brings endpoint, identity, and access logs together so user behavior can be seen through a single pane of glass. If you happen to have Morpheus’s email or phone number, let us know; we think he could use a good ally.
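To make the "behavioral-based detection" idea concrete, here is an added example (not Red Canary's code, and not tied to any real SIEM) that builds a per-user baseline from a quiet period of access logs and then scores a later window against it. The log format, the field names, the user names and the thresholds are all constructed for illustration; the logic is the part worth taking: an insider touching assets they never touched before, at hours they never worked, in a burst, lights up on three independent signals even though every single access was "authorized".

```python
"""Behavior-based insider-activity detection over constructed access logs.

Builds a per-user baseline (resources touched, working-hour span) from a
training window, then scores later events against it. Log layout, names and
thresholds are assumptions made for this illustration, not a real schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data, "timestamp,user,action,resource". Baseline period:
# ordinary behaviour for two crew members (names are illustrative only).
BASELINE_LOGS = [
    "2021-11-01T09:12:00,cypher,read,crew-roster",
    "2021-11-01T10:40:00,cypher,read,ship-logs",
    "2021-11-02T09:05:00,cypher,read,crew-roster",
    "2021-11-03T14:22:00,cypher,read,ship-logs",
    "2021-11-01T08:50:00,trinity,read,nav-charts",
    "2021-11-02T16:10:00,trinity,write,nav-charts",
    "2021-11-03T11:00:00,trinity,read,ship-logs",
]

# Later window to score: one user suddenly reads critical assets, off-hours, in bulk.
NEW_LOGS = [
    "2021-11-10T09:30:00,trinity,read,nav-charts",           # normal for trinity
    "2021-11-10T02:05:00,cypher,read,broadcast-codes",       # off-hours + new resource
    "2021-11-10T02:06:00,cypher,read,operator-keys",         # off-hours + new resource
    "2021-11-10T02:06:30,cypher,read,zion-mainframe-access", # off-hours + new + burst
    "2021-11-10T02:07:00,cypher,read,crew-roster",           # known resource, but off-hours + burst
]


def parse(line):
    """Split one constructed CSV log line into a dict with a datetime."""
    ts, user, action, resource = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource}


def build_baseline(lines):
    """Per user: the set of resources seen and the span of hours worked."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ev in map(parse, lines):
        baseline[ev["user"]]["resources"].add(ev["resource"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def is_off_hours(hour, baseline_hours, slack=1):
    """Off-hours = outside the user's observed hour span, widened by `slack`."""
    if not baseline_hours:
        return False  # no history: cannot judge, do not penalise
    return not (min(baseline_hours) - slack <= hour <= max(baseline_hours) + slack)


def score_events(lines, baseline, burst_window_s=600, burst_threshold=3, min_reasons=2):
    """Return alerts for events matching at least `min_reasons` signals.

    Signals: new_resource (never touched in baseline), off_hours, and burst
    (>= burst_threshold events by the same user inside burst_window_s).
    """
    events = sorted(map(parse, lines), key=lambda e: e["ts"])
    recent = defaultdict(list)  # user -> timestamps inside the burst window
    alerts = []
    for ev in events:
        b = baseline.get(ev["user"], {"resources": set(), "hours": set()})
        reasons = []
        if ev["resource"] not in b["resources"]:
            reasons.append("new_resource")
        if is_off_hours(ev["ts"].hour, b["hours"]):
            reasons.append("off_hours")
        window = recent[ev["user"]]
        window.append(ev["ts"])
        # keep only timestamps still inside the sliding burst window
        window[:] = [t for t in window if (ev["ts"] - t).total_seconds() <= burst_window_s]
        if len(window) >= burst_threshold:
            reasons.append("burst")
        if len(reasons) >= min_reasons:
            alerts.append({"user": ev["user"], "resource": ev["resource"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


def run_demo():
    """Score the constructed window against the constructed baseline."""
    return score_events(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of requiring two independent signals is to keep a single odd-but-legitimate event (a late night on one's usual files, or a first-time look at a new project) from paging anyone; in a real SIEM the same three signals would be expressed as saved searches or correlation rules over the identity and access log sources rather than as Python.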
#4: Trust but verify
In The Matrix Reloaded, Neo approaches the Oracle and asks, “How can I trust you?” The Oracle responds with something to the effect of: there is no way for you to know my true motives. In the first movie, we learned that Neo has the power to see the Matrix at the code level, enabling him to analyze programs beyond their appearances, which he undoubtedly did.
As defenders, it’s our job to heed the warning and dig into what may be hiding under the hood of a suspicious file or command. At Red Canary, using telemetry to understand intent or behavior is our bread and butter. But whether data is being processed and run through unique detectors or picked apart by a keen eye, we must always approach alerts through a skeptic’s lens and ask the very question Neo asked the Oracle.
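"Seeing the code behind the appearance" has a very literal counterpart in file triage: the name and extension are what a file claims to be, the first bytes are what it is. The following is an added example (not Red Canary's tooling, and not a substitute for a full analysis pipeline) that compares a file's claimed type with its content signature and flags the classic mismatches. The file names and byte strings are constructed for the demonstration; the magic numbers themselves are the standard ones for PNG, JPEG, GIF, PDF, ZIP-based documents, ELF and PE files.

```python
"""Trust-but-verify check for files: does the content match the claimed type?

Added illustration; file names and contents below are constructed samples.
"""

# Well-known leading byte signatures ("magic numbers") for common formats.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar, which are ZIP containers
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),            # Windows executables and DLLs
]

# What each claimed extension is expected to contain.
EXPECTED_BY_EXTENSION = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe", "scr": "pe", "so": "elf", "elf": "elf",
}

EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "so", "elf"}


def detect_type(data):
    """Return the format name whose signature the data starts with, or None."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def inspect_file(name, data):
    """Compare the claimed type (from the name) with the detected type (from bytes)."""
    parts = name.lower().split(".")
    extensions = parts[1:] if len(parts) > 1 else []
    claimed_ext = extensions[-1] if extensions else None
    claimed = EXPECTED_BY_EXTENSION.get(claimed_ext)
    detected = detect_type(data)

    findings = []
    if claimed and detected and claimed != detected:
        findings.append("content_mismatch")        # e.g. "invoice.pdf" that is really a PE
    if claimed is None and detected in ("pe", "elf"):
        findings.append("executable_unusual_ext")  # e.g. "notes.txt" that is really an ELF
    if len(extensions) >= 2 and claimed_ext in EXECUTABLE_EXTENSIONS:
        findings.append("double_extension")        # e.g. "report.pdf.exe"

    return {"name": name, "claimed": claimed, "detected": detected,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples: realistic headers, not real files.
SAMPLES = {
    "holiday.png":      b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "invoice.pdf":      b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16,
    "report.pdf.exe":   b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16,
    "notes.txt":        b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
    "quarterly.docx":   b"PK\x03\x04\x14\x00" + b"\x00" * 16,
}


def triage(samples):
    """Inspect every sample and return the names that deserve a closer look."""
    return sorted(name for name, data in samples.items() if inspect_file(name, data)["suspicious"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(inspect_file(name, data))
    print("needs a closer look:", triage(SAMPLES))
```

A mismatch is not proof of malice (a renamed archive is usually just a user working around a mail filter), which is exactly why it is a prompt to dig further rather than a verdict; the check's value is that it forces the question "what is this, really?" before the file's name gets to answer it.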
#5: Expand your optics: take both pills
We all know red and blue makes purple, right? While the intended lesson of the red pill vs. blue pill metaphor is probably about making a choice between blissful ignorance and woeful enlightenment, the red team vs. blue team connection is a little too coincidental and convenient to ignore in the context of security.
Who knows what would’ve happened if Neo took both pills, but mixing red and blue definitely delivers the best outcome for us. The red team plays the role of the enemy, with the goal of improving cybersecurity posture by demonstrating successful attacks. The blue team, by contrast, is responsible for defending and maintaining the infrastructure’s cybersecurity posture. Both roles are important, but sometimes findings get lost in translation between the two teams and their actions end up disjointed, with poor results. When we mix blue and red teams together, a purple team is formed. The purple team’s purpose is to enhance both the red and blue teams’ capabilities and to collaborate specialist to specialist, so as to better understand and create defenses against complex threats.
#6: Be like Neo: evolve constantly
Luckily, the adversaries in the hybrid reality in which we live today remain human. Maybe one day that won’t be the case. Either way, one thing remains constant: adversaries continue to evolve. This means that as defenders, we must always be tuning our mechanisms and mindsets in order to stay ahead of their advances. We have to overcome complacency to identify what’s a real threat and what’s not. Likewise, defenders need to anticipate and prepare for all scenarios (phishing, ransomware, exfiltration, etc.), just like Neo. To your users, you are “the chosen one.”
So, who’s in the Matrix now?