Thursday, 20 July 2023 17:53

Cybersecurity needs to Stop Fighting the “Last War” as Attackers Pivot easily Between Vectors


When I was in the military, one of the things that I noticed was a massive reluctance to create new and unusual scenarios for war games. Instead, we always seemed to train for the last major combat theater. When going to the National Training Center, the OpFor (opposing force) team would just run circles around the visiting units. This is because they were always looking at new strategies, tactics, and the logistical methods to support them. The visitors would come in with the idea that things would be the same as last time and just get their asses handed to them. There were rare occasions when the visiting units won, but they were the exception and not the rule.

I see this same concept at work in cybersecurity. A major event happens, and everyone moves to spend money on that new and shiny thing. Entire business verticals will pop up around something if the event is significant enough at the time of discovery. Just look at how long it took to have dedicated security services for UEFI firmware and OT vulnerabilities. This in turn causes a shift to that new thing which, in some cases, means ignoring older attack vectors. When the industry and its thinking have shifted enough, the attackers are back at that old, now ignored, vector. A perfect example of this is macro pivots. The first macro viruses were back in the mid-90s. Traditional anti-malware moved to block them, and attackers easily moved to another pivot; years later they were back at macros in a more sophisticated way. Microsoft and everyone else knew macros and VBScript in Office were dangerous, yet they were left open to attack because we had moved on from that war to fight and train for a newer one. This allowed people to forget about the past.

Here is another example: BMCs (Baseboard Management Controllers); call them iDRACs, iLOs, what have you. These are the components that allow for the remote management and control of the motherboard in a server or workstation. They have been a known weak point in network security for a long time, but we still hear about critical vulnerabilities in them that allow an attacker to take complete control of the system. Recently Eclypsium identified several high and critical flaws in AMI’s BMC implementation. According to Scott Scheferman and Vlad Babkin, “These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions.”

Leaving these critical components on a motherboard is incredibly shortsighted. Much like the Intel Management Interface issues in the past, these interfaces, if accessed with the right permission level, can allow an attacker to insert UEFI malware which will bypass all of the safeguards in the OS. This is a whole new level of ownage, and if you consider the recent leak of the BlackLotus source code, the threat level is even higher.

What makes incidents like this even more concerning is that edge, network, and other infrastructure systems have always been targets; we just seem to have forgotten that as the industry moved to fight the work-from-home war during the pandemic. While we are still fighting the war of the endpoint, attackers are pivoting to firmware code, edge device attacks and other “low level” code vulnerabilities to maintain the pressure. Attack groups can do this because they are much more agile than most organizations and, sadly, they understand how the market and industry work better than most, even those deeply embedded in the market.

So, this means that organizations need to be prepared to not only fight the last war, but also remember the lessons of the wars before it and prepare for attacks on new fronts. I know, this sounds like an impossible task, but it is not. I have talked about how to build realistic and achievable strategic goals and back them up with tactical and logistical reality. You can follow the same example to extend your security program so that you are not playing a game of whack-a-mole with attack vectors. It is not easy, and it is not something that gets done overnight, but in the end, as you take away attack vectors and keep them closed, you will remove a statistically significant number of commodity threats. Remember that your data (client and internal) as well as the operation of your systems (the target of ransomware) has value to attackers; investing in the right team and building the right strategies which cover all of the layers of your business will yield real-world financial returns. For now, I advise any organization to start assessing their vulnerability to attack in terms of networking vectors (firewalls, switches, BMCs, wireless access points, etc.); these are the areas that attackers are pivoting to. However, don’t forget to keep an eye on your endpoints, as attackers can pivot back to them much faster than most would like to admit.

Stay safe out there.
