Below are three case studies of real-world network device exploitation, as well as prevention and detection strategies.
Using the above case studies, it is possible to give advice on the best ways to prevent the infection of enterprise network devices. The leak of the Equation Group toolkits indicates that an exploit called “EXTRA BACON” is used for the initial infection; it gives attackers remote control of the target router, provided they hold some valid network monitoring credentials. CherryBlossom and SYNful Knock require the attacker to gain initial access through some other means. It is therefore important to assume that any single network device or user can be compromised at any time, whether through advanced exploitation techniques or simple attacks such as guessing weak credentials. The case studies also show that, even against a nation-state adversary with access to zero-day vulnerabilities, typical security advice remains highly relevant. In particular, the following points will help prevent the exploitation of network devices:
However, even the most extensive preventative measures might not always be enough to keep you safe. Given the increasing popularity of network device exploitation, as well as the sophistication and funding available to some attackers, it is prudent to assume that a compromise of network devices is likely. A robust security model that implements a defense-in-depth approach should include detection methods and incident response. Detection is possible by monitoring traffic to and from network devices and raising alerts on unusual behavior; the boundaries between network segments deserve particular attention, since deviations from normal traffic should be simplest to detect there.
In the case studies presented, the Equation Group and CherryBlossom attacks both communicated outward to command and control services. Such communications from routers are atypical and should be regarded with suspicion. Access to administrative services on the network device from unusual sources is another example of suspicious behavior. It is important to test the detection capability through attack simulation; detection successes and failures can be used to tune the capability. A robust incident response plan will help the victim understand attacks once they have been detected and take appropriate remedial action.
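As an added illustration (not part of the original article), the following Python sketch applies the two detection ideas above to constructed flow records: it alerts when a network device opens a connection to anything outside an assumed management subnet, and when an administrative port on a device is reached from outside that subnet. The device inventory, management subnet, admin ports and the "src dst dport" record format are all assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed inventory: the managed network devices, the subnet hosting the
# management, logging and NTP servers they are expected to talk to, and the
# ports on which administrative access to the devices is offered.
NETWORK_DEVICES = {"10.0.0.1", "10.0.0.2"}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
ADMIN_PORTS = {22, 23, 161, 443}  # SSH, Telnet, SNMP, HTTPS

def in_mgmt(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)

def classify(src: str, dst: str, dport: int) -> Optional[str]:
    """Return an alert name for one flow, or None if the flow is expected."""
    # Rule 1: a device opening a connection to anything other than the
    # management subnet or another device is atypical and may be C2 traffic.
    if src in NETWORK_DEVICES and not in_mgmt(dst) and dst not in NETWORK_DEVICES:
        return "device-initiated outbound connection"
    # Rule 2: an admin port on a device reached from outside the management
    # subnet is administrative access from an unusual source.
    if dst in NETWORK_DEVICES and dport in ADMIN_PORTS and not in_mgmt(src):
        return "admin access from unusual source"
    return None

def detect(flow_lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over 'src dst dport' records; return (alert, record)."""
    alerts = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed records
        src, dst, dport = fields
        alert = classify(src, dst, int(dport))
        if alert:
            alerts.append((alert, line.strip()))
    return alerts

# Constructed sample flow records: source, destination, destination port.
SAMPLE_FLOWS = [
    "10.10.0.5 10.0.0.1 22",      # SSH to a device from the management subnet
    "10.0.0.1 10.10.0.20 514",    # device sending syslog to the management subnet
    "10.0.0.1 203.0.113.7 443",   # device connecting outbound to an external host
    "192.168.50.9 10.0.0.2 161",  # SNMP to a device from a user LAN address
    "10.10.0.5 10.10.0.6 80",     # unrelated server-to-server traffic
]

if __name__ == "__main__":
    for alert, record in detect(SAMPLE_FLOWS):
        print(f"ALERT {alert}: {record}")
```

Only the third and fourth sample records raise alerts; routine syslog from the device to the management subnet and admin access from that subnet pass as expected.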
Network device exploitation, while once a theoretical attack, is beginning to present a realistic threat. While evidence suggests it is currently the domain of APTs and nation states, it is likely to become more widely used, as has historically been seen with most offensive techniques. Prevention techniques can be used to reduce the risk of exploitation, but a robust detection and response capability is also recommended.