Why Hackers Always Use the Same Attack Surface
Back in January, the University of Virginia joined the long and growing list of US organizations known to have fallen victim to a large-scale cyberattack. Hackers had gained access to its HR systems, UVA said in a notification, and seized the W-2s of some 1,400 employees. In addition, the attackers made off with 40 individuals’ direct deposit banking details.
It’s an all-too-familiar story, and all the more so when you learn how it happened. The hackers reportedly sent around a phishing email in which they asked users of the network to “click on a link and provide usernames and passwords”, and then used this information to access all kinds of sensitive information stored within its environment.
You’d be forgiven for getting a sense of déjà vu at this point, because a lot of recent cyberattacks have followed much the same pattern. Target, Sony and the Office of Personnel Management are just a few examples in which hackers gained access to the victims’ network using stolen credentials, and then moved around laterally and escalated their privileges until they struck gold.
To put it another way, they used the network – rather than web applications, say, or a person on the inside – as their attack surface. And it worked every time.
The Advantage of Getting Inside the Network
Hackers do this for one simple reason: it’s the path of least resistance. However well defended their perimeters might be, traditional VPN-based networks tend to be soft on the inside. Having a valid username and password pair therefore gives a hacker an excellent starting point to launch an attack, and to do it without being noticed.
The key issue here is visibility. Once the attacker has logged in, they can quickly determine what other devices and resources are connected to the network, and start scanning for vulnerabilities. These weaknesses aren’t normally hard to find – in many environments, they number in the thousands.
Next, the hacker uses these vulnerabilities as stepping stones to move laterally around the network and escalate their privileges, gaining wider access and greater power as they go. Inevitably, they eventually find the information they want – be it HR records, credit card numbers or intellectual property – and work out a way to steal it efficiently and without raising any alarms. The reconnaissance part of the process can take months, but the damage is done in seconds.
And the best part? Most of the time, the organization has no idea this is happening until long after the fact. In the case of UVA, it was almost a year before the university learned of the intrusion.
Reducing the Attack Surface
Of course, organizations can significantly reduce the risk of this kind of attack by shrinking the attack surface itself.
Key to this is swapping the traditional VPN-based network security model for a software-defined perimeter, which dramatically cuts down on users’ visibility of the underlying infrastructure by creating a ‘segment of one’ for each person.
This way, rather than allowing a user to see and send packets to every device on the network, you can grant them access to the applications and services they actually need to do their job. You can even limit or remove this access on the fly if the context of their connection is suspicious or high risk.
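The two ideas above – a per-user ‘segment of one’ and access that is withheld when the connection context looks risky – can be shown as a small default-deny policy check. This is an added illustration written for this page, not the post’s own code nor any vendor’s product; the user names, service names, risk signals and thresholds are all constructed for the example.

```python
"""Toy software-defined-perimeter policy check.

Added example for illustration only; not the post's or any vendor's code.
Users, services, risk signals and thresholds are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# "Segment of one": each identity may reach only the services it is granted.
# Anything not listed here is simply not visible to that user.
ACCESS_POLICY = {
    "hr-analyst": {"hr-portal:443", "payroll-api:8443"},
    "developer": {"git.internal:22", "ci-dashboard:443"},
}

# Services that are safe to leave reachable when risk is elevated but not severe.
READ_ONLY_SERVICES = {"hr-portal:443", "ci-dashboard:443"}

HIGH_RISK = 50    # at or above this, the user's segment goes dark entirely
MEDIUM_RISK = 20  # at or above this, only read-only services stay reachable


@dataclass
class Context:
    """Signals gathered when the connection is established (constructed)."""
    user: str
    device_managed: bool          # endpoint is enrolled and compliant
    country: str                  # geolocation of the source address
    usual_country: str            # where this identity normally connects from
    failed_logins_last_hour: int = 0


def risk_score(ctx: Context) -> int:
    """Crude additive risk score from the connection context."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if ctx.country != ctx.usual_country:
        score += 25
    # Cap the contribution so a burst of failures cannot dominate the score.
    score += min(ctx.failed_logins_last_hour, 5) * 5
    return score


def authorize(ctx: Context, target: str) -> tuple[bool, str]:
    """Decide whether ctx.user may open a connection to target.

    Default is deny: a valid username and password alone grant nothing
    outside the user's own segment, so there is nowhere to move laterally.
    """
    segment = ACCESS_POLICY.get(ctx.user, set())
    if target not in segment:
        return False, "target is not in the user's segment"
    score = risk_score(ctx)
    if score >= HIGH_RISK:
        return False, f"context too risky (score {score}); access revoked"
    if score >= MEDIUM_RISK and target not in READ_ONLY_SERVICES:
        return False, f"elevated risk (score {score}); write access withheld"
    return True, f"ok (score {score})"


def visible_services(ctx: Context) -> set[str]:
    """What the user can even see; everything else is dark to them."""
    if risk_score(ctx) >= HIGH_RISK:
        return set()
    return set(ACCESS_POLICY.get(ctx.user, set()))


if __name__ == "__main__":
    normal = Context("hr-analyst", device_managed=True, country="US", usual_country="US")
    risky = Context("hr-analyst", device_managed=False, country="RO", usual_country="US",
                    failed_logins_last_hour=3)
    print(authorize(normal, "payroll-api:8443"))   # allowed
    print(authorize(normal, "git.internal:22"))     # denied: outside the segment
    print(authorize(risky, "payroll-api:8443"))     # denied: score 70 >= HIGH_RISK
    print(visible_services(risky))                  # empty set
```

The point of the structure is that the allowlist is checked before the risk score: a stolen password for the HR analyst gets the thief at most the two HR services, and an unmanaged device or an unusual origin narrows even that to read-only or nothing.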
Then, if a hacker gets inside your network, there’s not much they can do to damage your organization. They can’t move laterally or escalate their privileges. There’s nowhere to go and nothing to see.