It’s a war zone out there. In the seemingly endless game of cyber cat and mouse, accurate intelligence remains the best tool for beating attackers at their own game.
Here’s an analysis of today’s six top network threats and tips for how to identify and quash them.
1. Ransomware
Ransomware is easily the greatest network threat, since it gives attackers the biggest bang for the buck with a relatively low probability of getting caught. “There’s also a low bar in the skill category to break into this sort of thing,” says Andy Rogers, a senior assessor at cybersecurity and compliance firm Schellman. “There are plenty of Ransomware-as-a-Service (RaaS) businesses that will be more than willing to ensure you have the tools you need to unleash a ransomware campaign.”
These “service-providers” face minimal risk, since they themselves aren’t launching any attacks. “It’s a pretty sweet deal for them,” he says. Additionally, the payment comes in the form of cryptocurrency, so they are difficult to track.
Ransomware has become one of the world’s most profitable criminal industries due to its cloak of anonymity and potentially high payout. “Many of the recent high-profile supply chain attacks, like Colonial Pipeline in 2021, have been ransomware attacks where hard disk drives (HDDs) and solid state drives (SSDs) were encrypted and the hackers used them to demand ransoms for upwards of $4.4 million in cryptocurrency,” Rogers notes.
Establishing solid security policies and procedures, including security awareness training, is the best way to avoid becoming a ransomware victim. Rogers recommends monthly system and applications patching, as well as segregating vulnerable systems that can’t be patched from critical systems and data. “Maintain regular backups of your data and do it in such a way that they can’t be written to by ransomware,” he adds.
2. Zombie botnets
Zombie botnets are created to execute specific malicious actions, such as distributed denial-of-service (DDoS) attacks, keylogging, and spamming. “Such threats are potentially devastating because they can be used to do things like steal your identity or cripple an entire network with a single attack,” says Eric McGee, senior network engineer at data center services provider TRG Datacenters.
Each computer in a botnet is described as a zombie due to the fact that the computer—and its owner—are unaware that the machine is dutifully and mindlessly performing malicious actions. Smart Internet of Things (IoT) devices are particularly tempting targets for zombie botnet attacks.
“It can be easy to overlook the security of your IoT devices … but such devices are often the easiest way that attackers gain access to your system,” McGee cautions. He suggests guarding against zombie botnets on IoT networks by restricting each device’s ability to open inbound connections and requiring strong passwords on all connected accounts.
3. Outdated processes and policies
Antiquated and siloed manual processes and policies pose a serious, albeit largely self-inflicted, threat to network security. “The number of emerging vulnerabilities and potential exploits is increasing exponentially,” says Robert Smallwood, technology vice president at General Dynamics (GDIT). “An organization’s processes and policies need to enable agility and speed so that the organization can pivot and respond rapidly and automatically to emerging threats.”
Organizations that have fallen behind or even completely neglected enterprise modernization and refresh processes risk being saddled with a technical debt that can expand a network’s attack surface.
Many enterprises continue to struggle under rigid and outdated policies while failing to take advantage of the automated hybrid complex environments that make up a modern network, Smallwood notes. “Additionally, many organizations provide policy exceptions for legacy protocols or equipment without sufficiently providing threat mitigation, circumventing security measures such as multifactor authentication,” he adds.
Critical processes should be regularly reviewed as a fundamental change management task. “As network-impacting changes are made, the related processes and policies need to be assessed,” Smallwood says. For some organizations, this may require an evaluation of all network-related processes. “In such cases, it’s best to start with your typical IT service management practices … as well as any processes that heavily rely on manual activities.”
4. Man-in-the-middle attacks
In a man-in-the-middle (MTM) attack, a third party intercepts communication between two unsuspecting parties in order to eavesdrop on, or alter, exchanged data. It’s a task that can be accomplished in several ways, such as by spoofing IP addresses, using a malicious proxy server, or via Wi-Fi eavesdropping.
An MTM attack can be relatively simple, such as sniffing credentials in order to steal usernames and passwords. On a higher level, MTM can be employed to create a sophisticated subterfuge that redirects victims to a bogus, yet highly realistic website that’s designed to achieve a particular nefarious goal.
In any of its forms, an MTM attack can be devastating, since once inside a network an intruder can attack laterally, starting in one part of the network then discovering vulnerabilities that will allow them to migrate to other areas.
“Since attackers are logging in with ‘valid’ credentials, it’s often difficult to detect the intrusion, so they have time to work their way deeper into the network,” says Benny Czarny, CEO of OPSWAT, a firm that specializes in protecting critical infrastructure networks.
MTM attacks are often overlooked and underestimated, says Keatron Evans, principal security researcher at security training firm Infosec Institute. “People think [the threat] can be fixed with encryption of data in transit, but this only addresses a small part of the problem,” he says.
Another misconception is that network-based threats will magically go away as soon as an organization migrates to a cloud service. “It’s simply not true,” Evans warns. “Stay diligent even when you’ve migrated to a cloud service.”
To ward off MTM attacks, Evans recommends adding port-based security with DHCP snooping and dynamic ARP inspection (DAI), as well as upgrading to IPv6 as soon as possible. He also suggests replacing ARP, one of the primary enablers of network-based man-in-the-middle attacks, with a newer protocol called Neighbor Discovery Protocol (NDP).
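How DHCP snooping and dynamic ARP inspection work together, as an added example that is not from the article or any vendor: the switch learns which MAC was leased each IP on which port by watching DHCP, and then drops ARP replies from untrusted ports that contradict that table. The binding table, port names and traffic below are constructed for the example.

```python
# Added example (not from the article): a dynamic ARP inspection style check
# against a DHCP snooping binding table. Table and traffic are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str   # access port the lease was seen on

@dataclass(frozen=True)
class ArpReply:
    port: str        # switch port the reply arrived on
    sender_ip: str   # "I am this IP ..."
    sender_mac: str  # "... at this MAC"

# Constructed binding table learned from snooped DHCP ACKs; the gateway
# entry is an assumed admin-added static binding (gateways are not leased).
BINDINGS = {
    "10.0.1.1": Binding("10.0.1.1", "00:11:22:aa:bb:01", "Gi1/0/48"),
    "10.0.1.20": Binding("10.0.1.20", "00:11:22:aa:bb:20", "Gi1/0/20"),
    "10.0.1.21": Binding("10.0.1.21", "00:11:22:aa:bb:21", "Gi1/0/21"),
}
TRUSTED_PORTS = {"Gi1/0/48"}  # uplink towards router and DHCP server; not inspected

def inspect(reply, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return 'permit' or 'drop: <reason>' for one ARP reply, as DAI would."""
    if reply.port in trusted:
        return "permit"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return "drop: no DHCP binding for sender IP"
    if binding.mac != reply.sender_mac:
        return "drop: sender MAC does not match binding"
    if binding.port != reply.port:
        return "drop: reply arrived on a different port than the binding"
    return "permit"

# Constructed traffic: a legitimate reply, then a host on port 21 answering
# for the gateway address with its own MAC (the pattern DAI exists to catch).
SAMPLE_REPLIES = [
    ArpReply("Gi1/0/20", "10.0.1.20", "00:11:22:aa:bb:20"),
    ArpReply("Gi1/0/21", "10.0.1.1", "00:11:22:aa:bb:21"),
    ArpReply("Gi1/0/48", "10.0.1.1", "00:11:22:aa:bb:01"),
    ArpReply("Gi1/0/22", "10.0.1.99", "00:11:22:aa:bb:99"),
]

def verdicts(replies=SAMPLE_REPLIES):
    """Run the check over a batch; in practice every drop is logged and alerted on."""
    return [inspect(r) for r in replies]
```

The dropped replies are the ones worth alerting on: a MAC mismatch on the gateway address is the signature of an ARP-based interception attempt.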
5. Business Email Compromise
Business email compromise (BEC) is a serious network threat faced by enterprises of all sizes in all industries. “As companies increasingly adopt conditional access policies, like single sign-on, BEC fraud grows in reach and financial impact,” says Jonathan Hencinski, director, threat detection and response at Expel, a managed detection and response cybersecurity company.
BEC attacks lead directly to credential compromise. The most difficult type of attack to detect is one where the attacker is entering through the front door with valid credentials. BEC attackers use VPNs and hosting providers to bypass conditional access policies.
“A common approach for these types of attacks is to use legacy protocols to bypass multi-factor authentication (MFA) in Office 365,” Hencinski says. “Once an attacker has compromised credentials and is in-network, they can gain access to critical controls and sensitive information across the organization.”
BEC attacks can strike any network at any time. “Since 2019, we’ve seen a 50% increase in the use of VPN services and hosting providers to access compromised accounts,” Hencinski says. “Using these services allows attackers to bypass conditional access policies that deny log-ins from certain countries by geo-IP records.”
Detecting BEC attempts is a straightforward three-step process. “The first step is e-mail inspection to prevent and detect phishing e-mails trying to steal employee credentials and to spot when a threat actor uses an employee’s account to send phishing e-mails,” Hencinski says. The second step is authentication monitoring to detect use of stolen credentials. “The third is account monitoring to detect hallmark signs of BEC account takeover,” he notes.
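The second and third detection steps above (authentication monitoring and account monitoring), together with the legacy-protocol and hosting-provider patterns Hencinski describes, as an added example that is not Expel's tooling: flag successful sign-ins over mail protocols that never trigger MFA, sign-ins from hosting or VPN address space that sidesteps geo-IP conditional access, and a classic post-takeover action, an inbox rule forwarding mail outside the organisation. The event shapes, ASN labels and addresses are constructed.

```python
# Added example (not Expel's tooling): BEC sign-in and mailbox-rule review.
# Protocols that carry only a username and password, so MFA never runs.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
# Constructed labels standing in for a maintained hosting/VPN ASN list.
HOSTING_ASNS = {"AS-HOST-1", "AS-VPN-2"}
ORG_DOMAIN = "example.com"

# Constructed sign-in events: (user, outcome, protocol, country, asn, ip).
SIGNINS = [
    ("alice", "success", "Browser", "US", "AS-ISP-9", "203.0.113.5"),
    ("alice", "success", "IMAP4", "US", "AS-VPN-2", "198.51.100.7"),
    ("bob", "success", "Browser", "US", "AS-HOST-1", "192.0.2.9"),
    ("carol", "failure", "IMAP4", "NL", "AS-ISP-3", "203.0.113.77"),
]
# Constructed mailbox-rule events: (user, action, target address).
RULES = [
    ("alice", "forward", "alice-archive@example.com"),
    ("bob", "forward", "collector@mail.invalid"),
]

def signin_reasons(event):
    """Reasons a successful sign-in deserves review; empty list means clean."""
    user, outcome, protocol, country, asn, _ip = event
    if outcome != "success":
        return []  # takeover needs a success; failures feed a separate brute-force check
    reasons = []
    if protocol in LEGACY_PROTOCOLS:
        reasons.append("legacy-protocol")
    if asn in HOSTING_ASNS:
        reasons.append("hosting-or-vpn-asn")
    return reasons

def rule_reasons(event):
    """Flag an inbox rule that forwards mail to an address outside the organisation."""
    _user, action, target = event
    domain = target.rsplit("@", 1)[-1].lower()
    return ["external-forwarding-rule"] if action == "forward" and domain != ORG_DOMAIN else []

def review_queue(signins=SIGNINS, rules=RULES):
    """Collect {user: [(evidence, reasons), ...]} across both monitoring steps."""
    queue = {}
    for ev in signins:
        if reasons := signin_reasons(ev):
            queue.setdefault(ev[0], []).append((ev[5], reasons))
    for ev in rules:
        if reasons := rule_reasons(ev):
            queue.setdefault(ev[0], []).append((ev[2], reasons))
    return queue
```

Bob's entry shows why the two steps belong together: a sign-in from hosting space alone is a weak signal, but followed by an external forwarding rule it is the account-takeover pattern the third step is meant to catch.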
6. Tool sprawl
Tool sprawl, with IT and network leaders struggling to manage dozens of different network-protection technologies, can make the goal of becoming an attack-proof enterprise harder to achieve. The cyber-complexity caused by tool sprawl, and lack of easy cybersecurity management, can leave IT and security teams open to devastating cyberattacks, warns Amit Bareket, CEO and co-founder of network security service provider Perimeter81.
Bareket points to a study his organization recently conducted that found that 71% of CIOs and related executives believe that a high number of cyber tools makes it more difficult to detect active attacks or defend against data breaches.
Keith Mularski, managing director of cybersecurity at EY Consulting, says that adhering to basic security practices remains the best way to protect against all types of network threats. “Isolate mission-critical systems and networks from the Internet and tightly control who or what has access,” he advises.
Trust nothing and segment everything across your operational systems, Mularski recommends. “Make sure you avoid ‘implicit trust’ — everything and everyone accessing your network should be authenticated, no matter where they are, when they access it, or who they are.”
To enhance preparedness, Mularski also suggests running scheduled simulations. “Like an athlete, you want your team to increase their muscle memory and execute on response procedures quickly and more intuitively in the event of a breach or incident.”