
Ghosts in the network: How attackers remain unseen

Aug. 24, 2023
Forescout’s cybersecurity guru discusses how criminals are hiding their work and what manufacturers can do about it.

Digital transformation has led to the rise of hyper-connectivity, automation and smart machines, bringing cost reduction and increased production efficiency. However, the connected nature of these devices also leaves them more exposed and vulnerable to cyberattacks.

OT and IoT devices can be challenging to secure because of their lack of built-in security features and their 24/7 availability requirements. Even when cybersecurity solutions are present, there are a variety of techniques malicious actors can employ to remain unseen ghosts in the network.

In 2023, CISA published a cybersecurity advisory about Volt Typhoon, a Chinese state-sponsored threat actor that has targeted critical infrastructure sectors. Volt Typhoon is notable because of its ability to live off the land without detection by using built-in network admin tools to conduct its attacks. Living off the land is difficult to detect because the techniques appear similar to the benign activity associated with false positives, making them less likely to be investigated.

A needle in the TCP/IP stack

There are many other ways for attackers to gain initial access or exploit network devices without being detected. OT and IoT devices, network infrastructure and building automation systems can be exploited by targeting vulnerable libraries and embedded tech stacks.

For example, Ripple20 and Project Memoria were two security research projects that discovered more than 100 vulnerabilities affecting more than a dozen TCP/IP stacks.

TCP/IP vulnerabilities are extremely dangerous because targeted organizations are often unaware of their existence, due to the lack of software bills of materials (SBOMs) for most unmanaged devices, and because they could be used to exploit a device without a way for the defenders to detect it. As of today, three years after Ripple20, CVE-2020-11899 affecting the Treck TCP/IP stack is still one of the most exploited known vulnerabilities, according to the data collected by Forescout Vedere Labs.

Examples of TCP/IP vulnerabilities include NUMBER:JACK, which could expose TCP/IP connections to attackers, NAME:WRECK, which could enable remote code execution, and INFRA:HALT, which could enable denial of service attacks. Security researchers have also demonstrated how ransomware for IoT (R4IoT) could target the TCP/IP stack of IoT devices as the first step in a ransomware attack.

Project Memoria also illustrates how vulnerabilities in software libraries can proliferate through the supply chain, magnifying third-party risk; 100 vulnerabilities affected more than 250,000 devices. The reality of “shared responsibility” is that security teams are ultimately accountable for protecting their organization because security researchers have demonstrated that even so-called “secure by design” devices are susceptible to vulnerabilities.

Visibility: In 3-D

There are numerous steps an organization can take to prevent and detect advanced and stealthy cyberattacks, and it all begins with deep visibility. Visibility is required across multiple dimensions: first to discover all devices connected to the enterprise network, their software and security configuration, then to assess the state of the device (e.g., is it vulnerable, how exposed is it) and finally to monitor network traffic for malicious or anomalous activity.

During the past five years, CISA has been advancing the call for an SBOM, which would list the components of software, similar to an ingredients list on food packaging. However, while mandates and customer procurement processes are increasingly requiring vendors to include an SBOM for their products, as of 2023 the vast majority of device manufacturers are still not including an SBOM in the products they ship, and many are still struggling to determine the comprehensive list of libraries and components included in their software stack.

Furthermore, even if the industry reaches a point where vendors do provide an SBOM, the onus is still on security teams to ensure that their devices are not vulnerable.

Network segmentation is possibly the most effective approach to mitigating the risk of vulnerable devices, even more so for OT, IoT and more generally unmanaged devices. In most cases, it is impossible to patch these devices, or at least not right away; perhaps because they rely on legacy operating systems or because they need to operate 24/7 for the next few months to achieve production objectives. Network segmentation limits the exposure of vulnerable and insecure devices and limits the ability for lateral movement in case of successful attacks.
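The following is an added example, not code from the article or from Forescout. It checks CycloneDX-style SBOMs in a device inventory against a watchlist of embedded TCP/IP stacks, looks inside nested components, and lists devices that are vulnerable or have no SBOM as segmentation candidates. The inventory, device names and the fixed-version threshold are constructed placeholders.

```python
# Constructed watchlist: component name -> first fixed version. "treck" is the
# stack named in the article; the version is a placeholder, not vendor data.
WATCHLIST = {"treck": "2.0.0"}

def parse_version(text):
    """Turn '1.9.3' into (1, 9, 3); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def walk_components(components):
    """Yield every component, including ones nested inside other components."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))

def assess_device(device):
    """Return (status, findings) for one inventory entry."""
    sbom = device.get("sbom")
    if not sbom:
        # No SBOM means the stack is unknown, not that the device is clean.
        return "unknown", []
    findings = []
    for comp in walk_components(sbom.get("components")):
        fixed = WATCHLIST.get(comp.get("name", "").lower())
        ver = comp.get("version")
        # A watched component with no version is treated as affected.
        if fixed and (ver is None or parse_version(ver) < parse_version(fixed)):
            findings.append((comp["name"], ver))
    return ("vulnerable" if findings else "ok"), findings

def triage(inventory):
    """Map each device id to its status and list segmentation candidates."""
    results = {d["id"]: assess_device(d) for d in inventory}
    segment = sorted(i for i, (s, _) in results.items() if s != "ok")
    return results, segment

# Constructed inventory: three devices with SBOMs, one without.
INVENTORY = [
    {"id": "plc-01", "sbom": {"bomFormat": "CycloneDX", "components": [
        {"name": "vendor-rtos", "version": "4.2", "components": [
            {"name": "Treck", "version": "1.9.3"}]}]}},
    {"id": "hmi-02", "sbom": {"bomFormat": "CycloneDX", "components": [
        {"name": "treck", "version": "2.0.1"}]}},
    {"id": "cam-03", "sbom": None},
    {"id": "ups-04", "sbom": {"bomFormat": "CycloneDX", "components": [
        {"name": "treck"}]}},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

The device with no SBOM is reported as unknown and still lands on the segmentation list, which reflects the article's point that a missing SBOM hides risk rather than removing it.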

Vulnerabilities and exposure, whether due to insecurity-by-design or to organizations failing to configure devices securely, are practically an inevitability. Advanced threat actors are well aware of this fact, making it far too easy for them to stealthily gain access and move laterally in a network. Ultimately, security teams must take on the responsibility to gain visibility into the risks and threats that exist on their network and implement security mitigations that respect organizational priorities (i.e. no downtime) and device limitations.

About the Author

Daniel Trivellato

As Vice President of OT & IoMT Solutions, Daniel is responsible for the expansion of Forescout’s business in healthcare and OT organizations. Prior to this, he held the role of VP of Product & Engineering, leading Forescout’s OT/IoT/IoMT device visibility and threat detection roadmap and teams. Daniel joined Forescout in 2018 via the acquisition of the cyber security startup SecurityMatters, where he led the Product Management organization. Daniel holds a PhD in computer security from the Eindhoven University of Technology.