By Gary Golomb, co-founder and chief scientist, Awake Security
The lay reader may think computer and network security is mostly about controlling for malware, rogue code, exploits, ransomware, nation-state attacks, and the like. In reality, computer and network security is mostly about controlling for trust – whether between software processes, or between people in business processes.
Because adversaries are successful when you trust them, they often masquerade as – and even use – the services you trust most. This means you can no longer blindly trust many of the things you used to. For example, employees using personal devices for email, or storing sensitive data on cloud applications like Google Docs that everyone has access to, may have once seemed like convenient ways to get things done. But these negligent actions are serious threats that can negatively impact the business. These types of workers may not mean to put organizations at risk, but their lack of awareness or poor security judgment can still cause major harm.
Negligence aside, the reality is that collusive and malicious threats are almost always waiting to strike within the enterprise. Attackers have evolved to primarily use existing tools and processes, in addition to stolen credentials, to compromise networks. In most cases, the majority of this usage appears business-justified, allowing an attacker to “hide in plain sight” and “live off the land” without detection. These evolutions have been very difficult for traditional security technologies to identify and remediate.
The platforms these types of attackers use to deliver exploits, control their victims, and exfiltrate sensitive data are the very same platforms you probably use every day for business purposes: Gmail, Google Drive, AWS, Office 365, etc. It used to be the case that you could generally trust a link like “docs.google.com” and generally distrust a link like “byg7fewiuv347vscdahgf7vt832.com,” but this is no longer the case, as attackers are increasingly using Google Docs and Office 365 to launch attacks.
A great example of this is the 2016 election hacking wherein much of the compromise originated by stealing passwords via a fake Gmail page. This type of attack, referred to as cache poisoning or DNS (Domain Name System) hijacking, exploits vulnerabilities in the DNS to reroute traffic from legitimate servers, among other things. Research indicates there has been a strong emergence of similar DNS attacks in recent years, from rerouting and intercepting email to stealing cryptocurrencies, and so on.
Now imagine what an intern or volunteer with a legitimate inside account could do, such as setting up a fake website to reroute unsuspecting traffic. That would likely be far more difficult to discover or investigate than the Clinton incident was, but it’s a very real threat we must entertain.
This raises difficult questions about trust. Organizations need to really understand that their networks, whether self-managed or outsourced, are not only untrusted, they are likely hostile. We need to be honest about these realities because doing so allows us to develop a plan for remediating potential risks and threats. Ideally, organizations will have safeguards in place to ensure people or computers can only access the information they truly have the appropriate trust level for; that those trust levels are granularly defined; that the controls are configured conservatively; and that the controls work perfectly.
Of course, recognizing these hidden or seemingly trusted threats can be nearly impossible, even for mature organizations. As such, monitoring and auditing every user, device and application – whether managed or unmanaged – is paramount. Being able to quickly detect and understand the intent of every threat allows teams to respond accordingly. If all resources in a high-risk network aren’t monitored for appropriate behavior and information access patterns, your next breach may come sooner than expected.
About the Author
Gary Golomb is co-founder and chief scientist of Awake Security. He previously served in the United States Marines’ 2nd Force Reconnaissance Company. Gary can be reached online on LinkedIn and at https://awakesecurity.com.