Perimeter-Based Attacks Are Making a Comeback: Here’s How to Stay Safe
We’re used to hearing how the traditional network perimeter is dead. That the advent of cloud apps, home working and ubiquitous mobile devices has created a more fluid, distributed corporate IT environment. That may be true up to a point. But even if employees are accessing corporate SaaS apps, there will usually still exist a corporate network of sorts. And applications or devices that sit at its edge.
The challenge for IT security teams is that these products are increasingly coming under attack from threat actors. The situation is so bad that the National Cyber Security Centre (NCSC) recently issued guidance on how to mitigate these risks. Network defenders should take note.
From Then to Now
As the NCSC explains, the current targeting of perimeter products is something of a throwback to the early days of the internet, when threat actors took advantage of poor perimeter security to exploit vulnerabilities and hijack accounts. This gave them a foothold into networks that had limited monitoring – enabling attackers to dwell for extended periods unseen.
However, eventually network defenders caught up and made these services harder to compromise. Threat actors subsequently turned their attention to insecure client software and browsers, and phishing emails.
Now the pendulum is swinging back again. Client software is increasingly designed with security in mind (think: sandboxes, entire rewrites and memory safe languages) and Office macros are blocked by default. According to the NCSC, this is forcing threat actors to turn their attention back to perimeter products.
Why Perimeter Attacks Are Making a Comeback
“Knowing that they are less likely to be able to rely on poor passwords or misconfigurations, they are increasingly looking at products on the network perimeter (such as file transfer applications, firewalls and VPNs), finding new zero-day vulnerabilities in these products, and waltzing right in,” the NCSC warns. “Once a vulnerability is known, other attackers join resulting in mass exploitation.”
Finding these zero-days is not as difficult as it may appear – because code in such products is typically less likely to be secure by design than client software, the agency says. These perimeter-based offerings also suffer from a lack of effective logging, unlike client devices which increasingly today run “high-end” detection and response tools. All of which makes them the perfect target for threat actors looking to gain a foothold into corporate networks for data theft, extortion and more.
A Cautionary Tale: Ivanti
The NCSC’s warnings come amidst a flurry of attacks against perimeter products. Among the most notable were a string of zero-day exploits targeting Ivanti’s Connect Secure VPN product and its Policy Secure network access control (NAC) solution. CVE-2023-46805 and CVE-2024-21887 were revealed by the vendor in January, although it’s believed a Chinese threat actor had been exploiting them for over a month to place webshells on victim organizations’ internal and external-facing web servers.
Weeks later, it emerged that hackers were exploiting another zero-day (CVE-2024-21893) in order to bypass an initial mitigation Ivanti had released to deal with the original two zero-day bugs. The potential threat to organisations is so acute that the Five Eyes intelligence agencies released a lengthy security advisory at the end of February.
“The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges,” it notes.
Shoring Up Perimeter Defences
The question for CISOs is how to mitigate such threats. In the long term, the NCSC advocates pushing vendors to build more secure products, and avoid those that can’t evidence secure-by-design software. Yet that will not prevent today’s threats. Its other suggestions may be more actionable:
1) Consider cloud-hosted rather than on-premises versions of these perimeter products. Although these may still not be secure by design, they’ll get patched quicker and should be regularly monitored by the vendor. Plus, if the worst happens and they are compromised, at least it will not give attackers a foothold into the corporate network. In a best case, the threat actors may even leave your corporate data alone.
2) If migration to a cloud version isn’t possible, switch off or block at the firewall level any unused “interfaces, portals or services of internet-facing software”. The zero-days in those Ivanti products affected exactly this kind of additional service (in that case, their “web components”).
3) Ensure any in-house perimeter products are developed with security front and centre – with cloud hosting and serverless options worth considering in order to limit any potential fallout if they are attacked.
Richard Werner, cybersecurity advisor at Trend Micro, argues that choosing cloud-hosted (SaaS) apps by default isn’t a panacea.
“SaaS approaches become attractive targets for criminals aiming to impact multiple targets with one attack, exemplified by the 2021 Kaseya incident,” he tells ISMS.online. “While SaaS can mitigate known cyber-risks efficiently, it shouldn’t be viewed as the ultimate solution to the core problem.”
He adds that preventing vulnerability exploitation will likely remain extremely challenging – and demands a multi-layered defensive approach.
“Adhering to security best practices is crucial, but even in ideal scenarios, complete risk avoidance is unattainable,” Werner argues. “Hence, companies must supplement their security measures with technologies like extended detection and response (XDR), mandated by modern laws like NIS 2.”
Ultimately, if the perimeter does in time become harder for threat actors to target, they will move on to another part of the attack surface that’s less well defended.
“It’s crucial to understand the cyclical nature of security discussions, where attackers exploit vulnerabilities, and defenders strive to thwart them. These defence mechanisms prompt attackers to seek new entry points or intensify their efforts,” Werner concludes.
“Effectiveness in defence is measured by making it too expensive for attackers to find a successful path. However, gauging success remains challenging for defenders due to varying attacker goals.”
As these goals continue to change, network defenders and the vendor community must adapt. The challenge is that, up until now, agility on the attacking side has far outpaced the speed of response.