Products on your perimeter considered harmful (until proven otherwise)


In the earlier days of the internet, a small number of cyber attackers compromised targets through very simple perimeter attacks (such as poor passwords on login services), and relatively simple vulnerabilities in services. This gained them entry to networks that – back then – had poor telemetry and forensics capabilities.

As more organisations went online, defenders got better at locking down their perimeters, conducting vulnerability scans, and patching systems. Attackers also realised that targeting user devices directly meant getting immediate access to the files and resources that a user had access to.

Consequently, many attackers stopped bothering with the perimeter, and instead moved to the rich oceans of client software and phishing emails. Browsers were insecure, as was effectively all of the other software on an endpoint. Office Macros (probably not locked down, see https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office) could be assumed to be present in most targets.

This all resulted in huge numbers of compromises.

However, developments in recent years have made it much harder to compromise an endpoint through phishing. Common client programs (particularly those opening files from the internet) have had a decade of being put through the fire, and so vendors of client software have had to move to defence-in-depth / secure by design approaches such as removing dangerous features, sandboxes, entire rewrites, memory safe languages etc. (no defender mourns the loss of ActiveX). Recently Microsoft’s changes around Macro defaults have largely closed that route, and so as attackers attempt to find obscure file formats that allow code execution, they’re facing diminishing returns. The more obscure a format, the easier it is for defenders to spot.

Attackers have therefore been forced to ‘change up’: in some cases by phishing for access to credentials or cloud data, in others by targeting the perimeter again. Knowing that they are less likely to be able to rely on poor passwords or misconfigurations, they are increasingly looking at products on the network perimeter (such as file transfer applications, firewalls and VPNs), finding new zero-day vulnerabilities in these products, and waltzing right in. Once a vulnerability is known, other attackers join in, resulting in mass exploitation.

Finding zero-day / new vulnerabilities might sound highly advanced, but many of these are well-understood classes of web vulnerability and are trivial to find and exploit. At his OffensiveCon 23 keynote, Dave Aitel remarked “It’s only hard to find vulnerabilities if you look for hard vulnerabilities. You should look for easy ones.”

Attackers have realised that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging, nor can they easily be forensically investigated, making them perfect footholds in a network where every client device is likely to be running high-end detective capabilities.

The UK government and partners are pushing hard to ensure products are ‘secure by design’, but this will take time. Meanwhile attackers will continue getting into networks through internet-reachable products.

Original Source: ncsc[.]gov[.]uk