This post is the fourth in the series, "The 12 Days of HaXmas."

As you venture from the world of defense, including protecting and monitoring systems, into the realm of active defense, who can be your mentor? Who can make you as cool as Frosty?

Does anyone know enough about active defense to make a movie out of it?


Macaulay Culkin is the mentor you are looking for. More precisely, Kevin McCallister, from the Home Alone franchise.

Why is an 8 year old better at security than a lot of companies are? Because he realized that no matter what, the house will be breached, or at the very least, targeted, and that what happens after the initial discovery or intrusion will be critical in limiting the impact of the incident.

In this article, we will look at 7 of the best tricks Kevin has up his sleeves, and how they relate to CYBER. Basically, the Elfabet of HaXmas defense.

Active Deception

At around 8m35s into the first movie, Kevin's dad tells one of the burglars, Harry, disguised as a police officer, that they only use standard security measures, such as timers for the lighting.

While Kevin's dad is simply getting phished for information, he accidentally succeeds and ends up deceiving the attacker. He was completely unaware of the security controls Kevin would later implement.

Another failure almost occurs  at around 11m, when Kevin's mom reveals that they're going to Paris.  Luckily, Kevin notices the policeman's tooth-bling, a fact that he checks into in his mental threat intelligence feed.

In the second movie, Kevin has to slow down a different attacker, Sneaky-Face-Spying-Hotel-Employee.  Again, misinforming the attacker helped prevent the attack.

Note: Why was he in the room to begin with? Did he want to steal Kevin's cashews and drinks, or was he going to execute an evil maid attack on Kevin's laptop?

Kevin says: Be careful about how much you reveal on your attack surface, as well as how you protect it. When hiring, why not look for people who have experience with many different security tools, instead of just those you own and use? That way, your job descriptions will not be a tidy list of things to break into, but a list of multiple products you may or may not use.

Zip-Line Cutting

Kevin moves to his tree house. The main path from the house to the tree house is a zip-line.

Clearly, Kevin is trying to teach us that network segmentation should always be in place, and that connectivity between zones should be limited to known, authorized systems, such as him over TCP/zipline.

During the incident, Kevin decides to eliminate connectivity from the main network (house) to the restricted network (tree-house). He simply cuts the zip-line, an obvious methaphor for an ACL, as the attackers are trying to reach it.

Kevin says: Network segmentation has always been important, but why not make it more fun by reacting to specific situations and disabling some types of connectivity when needed, by modifying ACLs on firewalls or host-based firewalls, based on attack data discovered on honeypots, IDS or other systems, or by completely sinkholing suspicious systems?

Cracking and Stapling

Kevin shoots the burglars with a BB gun.

Specifically, he shoots Harry in the Christmas Bells, and Marv on the forehead.

In Home Alone 2, he repeats the same type of exploit (wait, are these movies repetitive? Oh my!), but with a staple gun.

This is a great example of what not to do. Nobody has the right to shoot anyone in the gingerbread, and, like "hacking back", it is probably illegal in many countries.

Kevin says: Only staple HaXmas lights, or OCSP.

Kevin says you should avoid: Publicly taunting adversaries: "Our new widget is so secure, nobody will ever be able to hack it!". Shooting people in the Christmas Bells. Running BeEF against systems you do not own so you can get a shell on the attacker's machine, before even talking to your lawyer!

Low Friction Ingress Points

Kevin covers the stairs to both the front and rear entrances with ice.

He knows these ingress points are vulnerable, highly privileged entry points into the house, and that slowing down attackers or increasing their pain levels is extremely valuable. In Home Alone 2, he performs roughly the same task by using green soap. Please, tell me that was actually soap.

Kevin says: Make important, highly privileged ingress points slippery, by controlling ACLs strictly, blocking specific geolocations that are not required, using non-default ports to reduce noise in the logs generated from automated attacks or scans, monitoring those logs and blocking suspicious sources.

Tool Management

Kevin, like most CSOs, has many tools at his disposal, but has been having issues hiring. Left with only tools, and no brain power to use them but himself, he has a hard decision to make: Should I buy more tools, or should I throw them all directly in the face of attackers? He makes sure his tools hurt them like a freight train.

Kevin says: Identify the systems that you have, and make sure that you are using all the features that could be useful to you. No more "passive IDS" with nobody reading the logs, no more "sandbox in monitoring mode" with logs going to /dev/null, and no more WAF in learning mode. If you bought it, it should be tuneable to a level that makes it useful, and if you leave it in monitoring mode, there better be somebody monitoring for real. If you bought it, can't tune it, can't monitor it, then disconnect it. Spend your money elsewhere and reduce your attack surface.

Kevin says you should avoid: Physically throwing security appliances, as it quickly gets expensive.

Being a Chess Nut

Kevin, like a true Kasparov of security, knows how real attacks play out. That is why he knew that if he set someone's head on fire, they would go to the obvious target system to extinguish it: a very dirty toilet.

In this analogy, Kevin is using the toilet to represent honey. The bear wants the honey, because he doesn't know it's actually paint thinner.

Prior to this response, Kevin used a similar technique, knowing that the attackers would use a specific entry point, to send them to an isolated network, with no actual access to the production house.

Kevin says: Use easy to manage honeypots to detect attackers scanning your network from the inside. Use various other types of honey: honey tokens, to detect stolen credentials, honey tables, to detect unauthorized database access, or even honey files to detect access to files that should never be read. If your coworkers have a tendency to steal candy, make sure you only have blue candy, so you can detect it later on.

Third Party Relationships

Kevin thought the incident was almost over, and all he had to do was to wait for the police to show up. Soon later, he slipped on an unexpected patch of ice, and realized that his issue might be too complicated for him to resolve by himself.

Luckily, Kevin had leveraged third party help, and had access to Incident Response services from a woman and many pigeons, who made sure to end the incident completely.

Kevin says: Know what your team's skills are, and make sure that you know when external help will be needed. Know Who You're Gonna Call™ before the plane takes off without you, and make sure the process and communication plan is well documented and available under any circumstances.

Wrapping Up

You'll know you're doing a good job if all the attackers are doing is yelling meaningless phrases at you while throwing futile attacks. While Home Alone was long thought to be a simple movie about a kid stuck at home, it was actually a great metaphor for information security. It is nothing short of amazing to see how well the writers predicted how cyber-security would come to life, over 20 years later.

Also: What does Santa call his sysadmin little helper who ate too many kernels? FatELF.