Threats from Cyber Adversaries Follow You Home

“Your risk of being attacked isn’t a 9 to 5 thing,” says Threat Researcher Nick Biasini.

Cybersecurity attacks are becoming more and more sophisticated as attackers find new ways to penetrate networks, and one of the most concerning methods is infiltrating a device while it’s connected to a home network, which has fewer protections than the office.

“The things we’re seeing are the tactics and the ways that sophisticated adversaries are attacking is continuing to evolve,” said Nick Biasini, threat researcher at Talos Security Intelligence and Research Group, in an interview with GovernmentCIO Media.

And this makes sense, because most organizations are getting better at implementing things like the defense-in-depth concept, and having technologies in place to deal with threats, Biasini said. “What we’re starting to see is [adversaries] starting to change the way they’re going about attacking, and focusing more on new attack pathways.”

Prominent, Sophisticated Attack Vectors

According to Biasini, one of the biggest is software supply chain-based attacks. “They’re increasingly going after software companies,” he said, “adding a little something extra into their code repositories to hopefully compromise networks of interest.”

But Biasini also warns of VPNFilter, malware designed to infect routers and certain network-attached storage devices, including the kind of internet router commonly used in homes. This is particularly concerning because the malware targets users at home, extending the threat beyond the office.

“You now have this risk of having to be vigilant even when you’re away from the office, sitting at your house, having to be concerned about a sophisticated adversary targeting maybe your home router as a way to get a foothold into a network of interest,” Biasini said.

When an adversary compromises a device with VPNFilter, they put a modular framework on it that allows them to analyze the traffic traversing that device on the network.

The simplest solution? Update home routers to ensure the firmware on those devices is current. Earlier this year, the FBI warned the public that cyber criminals were compromising router devices in homes and small offices worldwide with VPNFilter, and advised citizens to reboot their devices to disrupt the malware and upgrade them to the latest firmware, Business Insider reported.

Attacking from the Bottom, Up

This method of targeting users at home can ultimately help adversaries infiltrate larger systems and networks.

“Adversaries are going to take the path of least resistance,” Biasini said. Most organizations and agencies provide employees with a laptop to work from and take home — or, take anywhere. So if a user takes the laptop from the office to the house and connects it to a home wireless router, the security team and security products and tools aren’t there to protect the device. “You’re a much, much more susceptible target than you would be when you’re sitting in your enterprise, where you have all those protections in place,” Biasini said.

If adversaries get access to a router, they can inject an exploit into the network traffic and compromise the device connected to it, placing a foothold in the system. And once that laptop is brought back into the office, the adversary could have already installed capabilities onto the device that can then be used to attack or gain access into the enterprise network the device connects to.

Mitigating this particular risk starts with user education. The majority of people don’t keep up with the types of threats that can appear at any given time; they’re not as versed in the attack methods, vectors and system vulnerabilities.

“There’s a lot of work that has to go on on the user side, to help them become more educated in a general sense; not in an enterprise level, but just generally. Users need to be more cognizant of the threats and practice proper information security hygiene when they’re surfing the internet,” Biasini said.

Lingering Challenges

There are a number of challenges associated with securing devices and networks. For starters, adversaries are advancing and moving faster than some organizations and agencies can keep up with.

But the threats Biasini mentioned are the most sophisticated threats out there; “it is by no means the common threat that you’re going to be facing,” he said.

Rather, one of the most common challenges is mitigating more commodity-based malware. If those are already causing issues, trying to deal with much more sophisticated adversaries is an even bigger burden — “they’re going to be doing things that average groups wouldn’t consider,” Biasini said.

But the most common threat Biasini and his team of threat hunters are seeing on the internet right now is malicious cryptomining. “It’s a very easy way for adversaries to monetize their hacking, without having to maintain a lot of the access that you do with a lot of the other threats we’ve seen, like ransomware,” he said.

This is where a defense-in-depth concept helps. Protections need to be placed at the network level, at the border and at the end user level. Network-based protections can also help users identify spikes in the network that could indicate a cryptomining attack.
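As an added illustration of the network-level monitoring described above (this is example code written for this page, not code from the article, from Talos or from any product it mentions), the script below baselines each internal host’s hourly outbound volume from flow-style log records and reports only spikes that both dwarf the host’s normal hour and persist for consecutive hours, which is the kind of sustained, steady traffic a mining process tends to produce. The CSV log format, the thresholds and the sample records (documentation-range IP addresses, not real indicators) are all assumptions constructed for the example.

```python
"""Baseline-and-spike detection over per-host hourly outbound flow volume.

Added example for this page; not the article's or Talos's code. Input format
is a constructed CSV: hour,src_ip,dst_ip,dst_port,bytes_out. Thresholds are
assumptions chosen for illustration, not tuned values from any product.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow records (RFC 5737 documentation addresses, not IoCs).
# 192.0.2.10: quiet for six hours, then two consecutive high-volume hours.
# 192.0.2.11: steady low volume throughout (expected: not flagged).
# 192.0.2.12: a single one-hour burst, e.g. a backup (expected: not flagged).
SAMPLE_FLOWS = """\
0,192.0.2.10,198.51.100.5,443,1000
1,192.0.2.10,198.51.100.5,443,1000
2,192.0.2.10,198.51.100.5,443,1000
3,192.0.2.10,198.51.100.5,443,1000
4,192.0.2.10,198.51.100.5,443,1000
5,192.0.2.10,198.51.100.5,443,1000
6,192.0.2.10,198.51.100.9,443,50000
7,192.0.2.10,198.51.100.9,443,52000
0,192.0.2.11,198.51.100.5,443,1200
1,192.0.2.11,198.51.100.5,443,1200
2,192.0.2.11,198.51.100.5,443,1200
3,192.0.2.11,198.51.100.5,443,1200
4,192.0.2.11,198.51.100.5,443,1200
5,192.0.2.11,198.51.100.5,443,1200
6,192.0.2.11,198.51.100.5,443,1200
7,192.0.2.11,198.51.100.5,443,1200
0,192.0.2.12,198.51.100.5,443,800
1,192.0.2.12,198.51.100.5,443,800
2,192.0.2.12,198.51.100.5,443,800
3,192.0.2.12,198.51.100.7,443,40000
4,192.0.2.12,198.51.100.5,443,800
5,192.0.2.12,198.51.100.5,443,800
6,192.0.2.12,198.51.100.5,443,800
7,192.0.2.12,198.51.100.5,443,800
"""

SPIKE_FACTOR = 5.0   # assumption: an hour must exceed 5x the host's median hour
MIN_BYTES = 10_000   # assumption: ignore hosts too quiet to matter
MIN_RUN_HOURS = 2    # assumption: the spike must persist for 2+ consecutive hours


def parse_flows(text):
    """Aggregate bytes_out per source host per hour from the constructed CSV."""
    per_host_hour = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hour, src, _dst, _port, nbytes = line.split(",")
        per_host_hour[src][int(hour)] += int(nbytes)
    return per_host_hour


def spike_hours(hourly):
    """Hours whose volume is far above the median of the host's other hours."""
    flagged = []
    for hour, nbytes in sorted(hourly.items()):
        others = [v for h, v in hourly.items() if h != hour]
        if not others:
            continue
        baseline = median(others)
        if nbytes >= MIN_BYTES and nbytes > SPIKE_FACTOR * max(baseline, 1):
            flagged.append(hour)
    return flagged


def sustained_runs(hours, min_len=MIN_RUN_HOURS):
    """Group consecutive flagged hours into (start, end) runs of min_len+ hours."""
    runs, run = [], []
    for h in hours:
        if run and h == run[-1] + 1:
            run.append(h)
        else:
            if len(run) >= min_len:
                runs.append((run[0], run[-1]))
            run = [h]
    if len(run) >= min_len:
        runs.append((run[0], run[-1]))
    return runs


def detect(text):
    """Map each host with a sustained outbound spike to its list of hour ranges."""
    findings = {}
    for host, hourly in parse_flows(text).items():
        runs = sustained_runs(spike_hours(hourly))
        if runs:
            findings[host] = runs
    return findings


if __name__ == "__main__":
    for host, runs in detect(SAMPLE_FLOWS).items():
        for start, end in runs:
            print(f"{host}: sustained outbound spike, hours {start}-{end}; review for mining traffic")
```

The run-length requirement is what separates a mining-style load from ordinary one-off bursts such as a backup or a large download, which is why the single-hour host in the sample is deliberately left out of the findings; in practice the hourly baseline would come from days of history rather than the same short window.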

More Specifically, What Protections are Agencies Missing?

“Everybody is kind of dealing with the same challenges. As they move to these sophisticated attack vectors, it’s just going to become all the more important to remain ever vigilant that you’re making sure you’re looking at everything,” Biasini said.

When it comes to supply chain threats, for example, that’ll require a bit more knowledge on the patches and software being introduced into a network. “Do additional testing to make sure there's no supply chain risk there,” Biasini added.

Ask other organizations and vendors that are part of the supply chain how they deal with attacks at every level, from manufacturing and shipping down to the network, and what kinds of protections they have in place.

But ultimately, it comes down to user education and security monitoring.

“I think that adversaries are going to continually and increasingly target things like users at home because it’s just an easier target for them,” Biasini said. “Why go through the effort of attacking an organization that you know has a $150 million security budget when you can attack a user when they go to their house and they’re running a $150 router?” he asked.

But organizations still need security solutions inside the organization, because even if a user brings an already compromised device into the environment, a proper network security solution could detect the odd behavior and prevent an attack.

“That’s why you need those individuals with eyes on glass that are watching the stuff that’s going on, to help identify that, and hopefully mitigate it before it becomes a much larger incident,” Biasini said.

And, of course, update home routers to fight off VPNFilter.

Because ultimately, through his threat hunting, Biasini determined adversaries will not be deterred, so they’re going to use whatever level of sophistication is necessary, starting as unsophisticated as possible and moving up. “It really is just a matter of, they’re going to keep trying until they figure out a way to get in,” he said.

Because when a sophisticated adversary is going after a target, it’s for a reason.