Cyber attackers have traditionally focused on compromising endpoints, such as servers, databases, workstations and laptops, to access sensitive data and systems for nefarious purposes. Recently, we’re seeing an increasingly new trend: bad actors targeting network infrastructure.
Switches, routers, firewalls, virtual private network (VPN) appliances, domain name servers (DNS) and other network infrastructure tools, once considered secure components, are now battlegrounds as an increasing number of vulnerabilities are discovered, disclosed and exploited.
In the last few months alone, CISA has issued warnings about addressing network vulnerabilities in myriad tools, including Juniper Networks' J-Web in Junos OS SRX Series and EX Series, Citrix's NetScaler ADC and NetScaler Gateway, Cisco’s Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) software, and Ivanti's Connect Secure and Policy Secure gateways.
And, just a few weeks ago, The Register reported that Chinese government group Volt Typhoon compromised an emergency network of a large U.S. city – in part, using some of these network vulnerabilities. Other recent high-profile network infrastructure attacks include those on the Barracuda Email Secure Gateway and Viasat modems.
Network infrastructure tools remain a largely unmonitored element in the network – and, when vulnerabilities go undetected, they open a backdoor that cybercriminals can easily walk through.
Common network infrastructure attack vectors
Cybercriminals are primarily targeting network infrastructure tools in two ways:
- Remote Code Execution: An RCE lets attackers execute arbitrary code on a device, granting them complete control that they can use to install malware and backdoors for sustained access, steal sensitive log data on the device, disrupt or disable network functionality, and use the compromised device as a launchpad for attacks on other systems in the network. For example, hackers can exploit vulnerabilities in web interfaces, command-line interfaces, and firmware for RCE.
- Denial of Service: A DoS overwhelms the device with traffic or resource-intensive tasks, rendering it unavailable to legitimate users. This can disrupt operations and result in financial losses. Examples of DoS attacks include flooding a device with network packets, exploiting resource-intensive functionalities, or triggering self-denial-of-service mechanisms through vulnerabilities.
Outside of these two common attack vectors, there are a few other techniques we see at play in network infrastructure attacks, including buffer overflows; privilege escalation, where attackers leverage credentials for lateral movement; and firmware tampering, which we often see in attacks targeting industrial control systems (ICS) and operational technology (OT).
Defending against all these threat vectors has become more important than ever because network tools have visibility into and access to critical areas of the network. If cybercriminals exploit these areas, they can see and capture network traffic and data needed to do reconnaissance, map out the network and infiltrate other locations until they find the “golden” assets they’re looking for within.
The perfect storm of risk
In addition to battling rising rates of network vulnerabilities and exploits, many organizations struggle to defend against network infrastructure attacks for two reasons. First, because network infrastructure elements have traditionally been thought of as secure, security teams are not always looking for these exploits – enabling them to go undetected for a very long time. Second, many organizations are not set up to detect exploits against vulnerabilities in network infrastructure because they rely too heavily on endpoint detection and response (EDR) systems.
On this latter point, traditional EDR products are a great strategy for defending against attacks on endpoints, but they are ineffective against the rising tide of network attacks. That’s because teams can’t always install endpoint security tools often on network infrastructure devices – leaving a glaring gap in security defenses.
The role of network detection and response
Just as the threat landscape has evolved to encompass network-based attacks, so must our security strategies. EDR has its place in the security stack, but to defend against all entry points and gain comprehensive visibility, organizations must also implement network detection and response (NDR) products.
At a high level, NDR tools capture data derived from network traffic, offering detailed visibility into network device communications, the very communications cybercriminals depend upon to execute a malware attack. They then combine machine learning (ML), behavioral analytics and signature-based detection techniques with prioritization and triage methods to identify critical threats in need of urgent response. This cuts down on alert fatigue, helping security teams detect serious threats and respond before widespread damage can take place.
It's important to note that while NDR can help companies stay secure against today’s threats, it’s not a silver bullet. Effective cyber defense requires a layered approach. Patching vulnerabilities promptly, implementing least privilege access controls, using EDR and log management tools, and standing up a proactive threat hunting practice are all essential elements of a robust defense posture.
Security teams face an unprecedented volume of network infrastructure attacks, and it’s no longer enough to deploy endpoint-only systems. Organizations that rely only on endpoint data are leaving a glaring gap in their visibility, preventing them from being able to defend against network infrastructure attacks.
NDR – with its unique capabilities for network-level detection, response and integration – fills this gap, exposing hidden threats on the network and strengthening defenses. By being aware of the shift to network attacks and embracing NDR as a tool to combat them, security teams can bolster their defenses and put their organization on the path to cyber resilience.
Phil Owens, vice president, customer solutions, Stamus Networks
