This is the second part in a two-part series. Find the first part here.
IoT is far from the only emerging attack surface being targeted and exploited by cybercriminals. As new networks and services that are designed to make life easier for organizations and their employees become more widespread, cunning attackers will find new ways to use them as a foothold to gain access to the broader network.
This second part looks at three additional emerging attack surfaces, with recommendations for securing each.
Remote offices and branch locations
Large organizations often have remote offices or branch locations as part of their network. Whether it is a regional office, a bank branch, a retail store, a clinic, a subsidiary network or another type of site, the remote location is another factor for security teams to consider. Because most remote sites have network access back to headquarters, a foothold at a branch is a foothold on a path into the core network, and the risks of remote office security need to be weighed accordingly.
Remote sites are often tenants in a building, reliant on existing physical security controls which may not be as stringent as corporate policy requires. They usually have no local technical support, let alone network security staff. The security infrastructure at the remote site is rarely as capable as that of headquarters, and the security team may lack visibility into suspicious activity on the remote network. These limitations make remote sites attractive to attackers as a way back into the corporate network. At a minimum, traffic from a branch should be treated as untrusted: restrict what the site-to-site link can reach rather than bridging it flat into the headquarters network. To compensate for the remaining gaps, organizations are implementing emerging network monitoring solutions for better detection at remote sites. Others are deploying deception technology to gain visibility and detection at each location without adding infrastructure or security personnel there.
Applications and services
According to a recent McAfee survey, over 80% of employees admit to shadow IT usage, installing apps on their work devices without the consent of IT. The rise of the cloud has made it trivial for both innocuous and malicious apps to proliferate, and many organizations do not realize the extent of the problem: a recent Cisco survey indicated that CIOs estimated their organizations used 51 cloud service apps, while the reality was over 700.
Although many of these apps and services are harmless, others are not. By installing unapproved apps, employees are running software the security team has never vetted, and many of these apps carry compliance or security risks: corporate data stored outside sanctioned boundaries, credentials managed by nobody, third-party code nobody patches. Some teams have gone as far as standing up whole cloud environments on unapproved services, putting data where the security team cannot see or protect it. Educating employees about the dangers of shadow IT can go a long way, and security teams benefit from in-network visibility tools that show when shadow IT apps are in use and who is using or installing them.
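The in-network visibility the previous paragraph recommends can be approximated from logs the organization already has. The following is an added example, not code from the original article or from any vendor it mentions: it reads web-proxy log lines, maps each destination to a cloud app through a catalogue of known SaaS domains, and reports every app that is not on the sanctioned list together with the users behind it. The catalogue, the sanctioned list, the log format and the log lines are all constructed for illustration.

```python
"""Spotting shadow IT from web-proxy logs (added example, constructed data)."""
from collections import defaultdict

# Hypothetical catalogue mapping registrable domains to the cloud app they
# belong to. A real deployment would use a CASB feed or its own inventory.
APP_CATALOGUE = {
    "office.com": "Microsoft 365",
    "sharepoint.com": "Microsoft 365",
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "pastebin.com": "Pastebin",
    "trello.com": "Trello",
}
# Hypothetical sanctioned list: apps IT has reviewed and approved.
SANCTIONED_APPS = {"Microsoft 365", "Salesforce"}

# Constructed proxy log lines: "timestamp user src_ip dest_host bytes_out".
PROXY_LOG = [
    "2019-03-04T09:01:12 jsmith 10.0.5.21 outlook.office.com 4096",
    "2019-03-04T09:02:40 jsmith 10.0.5.21 www.dropbox.com 1048576",
    "2019-03-04T09:03:05 bchen 10.0.7.3 login.salesforce.com 2048",
    "2019-03-04T09:05:51 bchen 10.0.7.3 wetransfer.com 52428800",
    "2019-03-04T09:06:13 mlee 10.0.9.8 api.trello.com 512",
    "2019-03-04T09:07:30 mlee 10.0.9.8 www.dropbox.com 262144",
    "2019-03-04T09:08:02 jsmith 10.0.5.21 files.internal-share.example 8192",
]


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (last two labels).

    Assumption: two-label public suffixes such as co.uk are not handled;
    a production version would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_proxy_line(line):
    """Split one constructed proxy line into its fields."""
    ts, user, src_ip, host, nbytes = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "host": host, "bytes": int(nbytes)}


def classify(host):
    """Return (app_name, status); status is sanctioned, unsanctioned or unknown.

    Unknown destinations are reported under their registrable domain so that
    services missing from the catalogue still surface instead of disappearing.
    """
    domain = registrable_domain(host)
    app = APP_CATALOGUE.get(domain)
    if app is None:
        return (domain, "unknown")
    return (app, "sanctioned" if app in SANCTIONED_APPS else "unsanctioned")


def shadow_it_report(lines):
    """Aggregate unsanctioned and unknown cloud usage per app.

    For each app: the set of users seen, the request count and the bytes sent
    out, which is the rough measure of how much data may have left the network.
    """
    report = defaultdict(lambda: {"users": set(), "requests": 0,
                                  "bytes": 0, "status": ""})
    for line in lines:
        rec = parse_proxy_line(line)
        app, status = classify(rec["host"])
        if status == "sanctioned":
            continue
        entry = report[app]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["status"] = status
    return dict(report)


def rank_by_exposure(report):
    """Order apps by how many users touch them, then by bytes sent out."""
    return sorted(report, key=lambda a: (-len(report[a]["users"]),
                                         -report[a]["bytes"]))


if __name__ == "__main__":
    findings = shadow_it_report(PROXY_LOG)
    for app in rank_by_exposure(findings):
        f = findings[app]
        print(f"{app:<25} {f['status']:<12} users={sorted(f['users'])} "
              f"requests={f['requests']} bytes_out={f['bytes']}")
```

The output answers the two questions the paragraph poses, which apps are in use and who is using them, and the byte count gives a first cut at which unsanctioned service deserves attention first. Anything reported as unknown is a gap in the catalogue as much as a finding about the user.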
Active Directory Deception Objects
By design, Active Directory (AD) answers queries from any authenticated member system it manages; that is how clients locate domain controllers, resolve group membership and find services. Attackers leverage the same behavior to enumerate the entire domain quickly from a single compromised host, and security teams may not notice, since AD is simply serving information as part of normal operations. From any compromised member, attackers can extract user accounts, system accounts and trusted domain information as part of their data gathering. They use it to find privileged accounts, overlapping permissions that add up to elevated rights, and critical systems to target, such as domain controllers in trusted domains or essential database servers. Tools such as Mimikatz (to harvest credentials from memory) and BloodHound (to map the relationships that reveal user or service accounts with inherited administrative rights) turn this data into a route to highly privileged access across the network.
Typically, organizations defend against such activity by hand, but emerging solutions can automate the process. To conduct counter-reconnaissance, organizations can create AD containers seeded with fake user and system accounts, create deceptive trusted or member domains, or stand up entirely artificial AD forests that appear to be part of the production environment. By feeding false results to reconnaissance queries, the organization proactively misleads and misinforms attackers. A decoy earns its keep through two properties: it is plausible enough that enumeration tooling surfaces it as a target, and it is never legitimately used, so any authentication attempt or ticket request that names it is a high-fidelity alert rather than one more event to triage.
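The detection half of that approach is straightforward once the decoys exist: watch the domain controller security log for any event that names a decoy account. The following is an added example, not code from the original article or from any deception product; it assumes three hypothetical decoy accounts have been seeded into AD, parses constructed Windows Security events forwarded as key=value lines, and raises an alert whenever a Kerberos ticket request, logon attempt or object access touches one of them. The event IDs are real Windows Security event IDs; the account names, hosts and log lines are constructed.

```python
"""Alerting on any use of Active Directory deception accounts (added example)."""
import re
from collections import defaultdict

# Hypothetical decoy identities seeded into AD. Assumption: these exist only as
# deception objects and are never used by any person or service.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_admin_legacy", "helpdesk_t1"}

# Windows Security event IDs that betray a decoy being touched:
#   4768 Kerberos TGT request (AS-REQ) for the decoy itself
#   4769 service ticket request (TGS-REQ); ServiceName holds the decoy's SPN
#        account, which is what Kerberoasting looks like on the wire
#   4624 / 4625 successful / failed logon as the decoy
#   4662 operation on an AD object; requires an audit SACL on the decoy object
WATCHED_EVENTS = {"4768", "4769", "4624", "4625", "4662"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
CN_RE = re.compile(r"CN=([^,]+)")            # first CN component of a DN

# Constructed log lines in a key=value forwarder format.
EVENTS = [
    'EventID=4624 Computer=DC01 TargetUserName=jsmith SubjectUserName=- IpAddress=10.0.5.21',
    'EventID=4769 Computer=DC01 TargetUserName=jsmith@CORP.LOCAL ServiceName=sql_admin_legacy IpAddress=10.0.5.21',
    'EventID=4768 Computer=DC01 TargetUserName=svc_backup_adm IpAddress=10.0.5.21',
    'EventID=4625 Computer=WS-BR-014 TargetUserName=CORP\\helpdesk_t1 IpAddress=10.40.1.9',
    'EventID=4624 Computer=DC01 TargetUserName=alice IpAddress=10.0.7.3',
    'EventID=4662 Computer=DC01 SubjectUserName=jsmith '
    'ObjectName="CN=svc_backup_adm,OU=Service Accounts,DC=corp,DC=local"',
]


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def decoy_names_in(event):
    """Return the set of decoy account names an event refers to.

    Names may arrive as DOMAIN\\name, as a UPN (name@REALM) or inside a
    distinguished name, so each is reduced to a bare lower-case sAMAccountName
    before matching.
    """
    if event.get("EventID") not in WATCHED_EVENTS:
        return set()
    raw = [event.get("TargetUserName", ""), event.get("ServiceName", "")]
    match = CN_RE.search(event.get("ObjectName", ""))
    if match:
        raw.append(match.group(1))
    names = {r.split("\\")[-1].split("@")[0].lower() for r in raw if r}
    return names & DECOY_ACCOUNTS


def detect_decoy_usage(lines):
    """Return one alert per decoy touched: (event_id, decoy, source, computer).

    Source is the client IP when the event carries one (Kerberos and logon
    events) and otherwise the acting account (4662 has no IP field).
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        source = ev.get("IpAddress") or ev.get("SubjectUserName") or "-"
        for decoy in sorted(decoy_names_in(ev)):
            alerts.append((ev["EventID"], decoy, source, ev.get("Computer", "-")))
    return alerts


def pivot_by_source(alerts):
    """Group decoys by source so one host sweeping several decoys stands out."""
    by_source = defaultdict(set)
    for _event_id, decoy, source, _computer in alerts:
        by_source[source].add(decoy)
    return dict(by_source)


if __name__ == "__main__":
    hits = detect_decoy_usage(EVENTS)
    for event_id, decoy, source, computer in hits:
        print(f"ALERT event={event_id} decoy={decoy} source={source} on={computer}")
    for source, decoys in pivot_by_source(hits).items():
        print(f"{source} touched {len(decoys)} decoy account(s): {sorted(decoys)}")
```

Every alert here is actionable because the rule has no legitimate positives by construction; the only tuning needed is to keep the decoy list in sync with what was seeded. The pivot by source is what turns three separate events into the picture a defender actually wants: a single host requesting tickets for several accounts that nobody should ever request.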
Keeping Security Front of Mind
The emergence of new attack surfaces is inevitable. They will continue to arise as a result of innovation, as developers discover novel, better and more efficient ways of operating. As long as humans seek to improve their lives through high-tech devices, cutting edge conveniences, and new ways to stay connected, there will always be new opportunities for cybercriminals to exploit.
Securing every device across every surface has become increasingly difficult — and perhaps impossible. By assessing one’s security controls and their efficacy in each environment, and by taking an assumed-breach posture, organizations will put themselves in the best possible position to understand their vulnerabilities and risk. Ultimately, prevent what one can, detect what one can’t stop early, and be prepared to respond quickly regardless of attack surface or methods used.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.