Part 2: Getting Inside the Mind of a Hacker: Remote Work VulnerabilitiesThinking like a threat actor– Bonus video included By: Eric Escobar - Secureworks Adversary Group
- Defenders have to fortify every angle of their security. Threat actors just need to find a single way in.
- Threat actors move quickly and aren’t bogged down by bureaucracy.
- Even MFA has weaknesses that should be considered with every deployment.
- Not all second factor authentication platforms provide the same security.
In “Notes from the Dark Side, Part 1” I emphasized the importance of thinking like the enemy. The “know thy enemy” principle, I wrote, is especially true for cybersecurity—because you can’t fully protect yourself by only taking a defensive posture from the inside. You must also look at your environment from the outside and imagine how attackers might try to work their way in, around, and across.
The infamous Maginot Line, a set of fortifications France built in the 1930’s to protect itself from any future German invasion, offers a classic metaphor for the shortcomings of exclusively defensive thinking. The Line was a masterpiece of engineering that fully met all of its technical specifications. For a variety of reasons, however, it was not extended all the way to the English Channel. So when it came time to invade France, the Germans merely went around the Line by invading Belgium first.
IT environments all have their own Maginot Lines. That’s why the work that we do in the Secureworks® Adversary Group (SwAG) is so vital. Your own cyber Maginot Line, like France’s, may indeed be impervious to attack. But SwAG is really, really intent on seeing the Eiffel Tower—and we’re really, really good at what we do—so we’ll find a way around it.
Is Starbucks the New Belgium?
In Part 1, I focused on password-related compromises as a favored tactic of the enemy. Here in Part 2, I’d like to address a different—and very timely—vulnerability: remote work.
We all know, of course, that the COVID-19 pandemic has dramatically increased the amount of work people are doing from home. And most of us are pretty aware of the security issues associated with home-based access to enterprise resources, whether they’re in the cloud or on-prem.
But now all remote workers are working from the comfort of their homes all the time. In many cases, otherwise home-bound workers are happy to get out of the house (and maybe away from kids, pets, significant others, noisy renovations, etc., too) by taking refuge in a Starbucks, public library, or other site where it’s a little quieter and—equally important—where there’s free wi-fi.
Free wi-fi in a public space opens its own gigantic can of worms. Any malicious person can easily pick up communications in the clear and use it for their own nefarious purposes. That’s why best practices for remote access include VPN and MFA.
A VPN is essential because it encrypts wifi transmissions from the moment they leave a remote user’s laptop. Without this encryption, hackers can sniff out all the network traffic running in and out of a public wi-fi hotspot. They can use that traffic to hijack selected packets—which they can then use to gain access to the enterprise network.
MFA (multi-factor authentication) is an important complement to a VPN, because it verifies that the person currently using the laptop is actually the authorized user. The “second factor” can be an actual hardware key that fits into the laptop’s USB port or the user’s mobile phone. In the case of the phone, MFA can be accomplished in several ways. The most typical one is texting a one-time passcode to the user, who then types it into the authorization screen on the laptop or computer.
But there are also apps specifically designed for it, such as Microsoft Authenticator, which asks you to enter/select the number that shows up on the app’s screen on the computer window before granting access. Then, there’s Google’s second-factor authentication, which, when enabled, asks you to confirm if you are in fact the person trying to log in (via your phone) and displays the location, device type, and other pertinent information of the computer requesting authorization.
All of these angles complicate how you defend your systems—and add an additional layer to the way you must think about your defensive tactics.
In other words, to thoroughly abuse my earlier metaphor, Starbucks can become the Belgium of your Maginot Line. Yes, you may have built up seemingly impenetrable defenses around the architectural perimeter of your computing environment. But that defense alone won’t protect you from an attack through a territory your perimeter defenses don’t reach.
What you know, what you have, and what you understand
Not everyone understands how easily malicious actors can take advantage of unsecured—or insufficiently secured—wi-fi. Perhaps even more problematically, most of your users probably don’t understand how the hijack of their wireless comms can directly lead to a serious breach of your organization’s digital infrastructure. They may, in fact, be oblivious to the fact that they are putting much more at risk than just the Word doc or emails they’re working on in public.
I raise this point because October was National Cyber Security Awareness Month. And without adequate security awareness, it’s almost impossible to fully protect your exposed “Belgian flank.”
In fact, I’m going to go as far as to say that the mantra we’ve historically used to describe password-and-token MFA—“something you know plus something you have”—is missing a key element. What we cybersecurity professionals should probably be chanting is instead “something you know plus something you have plus something you believe.” Because if users don’t understand the vital importance of using VPNs, MFA, and other essential security measures, it may not really matter how well we do our jobs. Our organizations will remain at risk.
So as your friendly SwAG zealot, I’ve done a little something special for you in honor of National Cyber Security Awareness Month. I’ve made a ten-minute end-user-friendly video that you can share with everyone in your organization to explain to them what I do and why I do it—as well as why what they do is also vitally important. I hope you find this video useful as part of your overall strategy for cybersecurity. After all, you have two important partners in this battle: Secureworks and your users.
And stay tuned to this space for more insights from the SWaG team. Or sign up here to get notified automatically when the next post goes up. We must defend Paris at all costs!