Point of Persistence
Several recent cyber attacks have served as great reminders that we need to continue to re-assess how we are protecting our networks and ensure that we make no assumptions of any device being secure in the network.
One example of this is “SYNFul Knock,” a type of persistent malware that allows an attacker to gain control of an affected Cisco device and compromise its integrity with a modified Cisco IOS software image. The attack did not leverage any product vulnerabilities, and was shown to require valid administrative credentials or physical access to the victim’s device. Cisco customers can find more information and resources about SYNful Knock in the SYNful Knock Event Response Page. One can easily say, “Hey, they would need console access and valid credentials in order to successfully upload new firmware.” In the old days we had a saying, “He who owns the console, owns the system.” That used to be true when the consoles were not connected to terminal servers, essentially giving anyone physical access over the network. One thing that can be certain is that for someone to upload firmware into a router, they definitely had a reliable “Point of Persistence.”
Another recent high profile attack, although there have not been any confirmed detailed reports on how the attack occurred, included indications that the attackers may have achieved firm “Point of Persistence” in the network by compromising a printer. When I say persistence in this case, I mean by order of magnitude in duration as indicated by the plethora of information that was leaked. I am intentionally leaving out links and references here and I encourage interested readers to do their research to confirm the “loosely regarded” information. What we do know is that as an industry is that we have known about the risk of printers being compromised in our networks. I just don’t think anybody viewed the risk of printers being used as a pivot point for cyber attackers at the time.
In both cases the cyber attackers were able to create a “Point of Presence” that evades most defensive capabilities giving the attacker the freedom to take all the time they want to complete their objectives. The question comes to mind, how does one go about protecting against these attacks especially when the devices do not have on-board cyber defense capabilities? This is the perfect time to remember that in order for any device to be an active participant in a breach, it must establish a communication flow to some other device.
Cisco’s Cyber Threat Defense Solution integrates both FirePOWER NGIPS and Lancope SteathWatch to provide extensive capabilities in analyzing communication flows in the network. The solution provides the ability to quickly detect and remediate improper communication flows, host locking policy violations, malware being transferred across the network, command and control traffic and a long list of other relevant malicious activities. Both FirePOWER Management and Lancope’s Stealthwatch Management Console integrates with the Cisco Identity Services Engine to provide dynamic remediation for the quickest time to mitigation possible. Cisco Live Cancun attendees will be able to see a live demonstration of Cyber Threat Defense at the event on November 3-5, 2015.
Unfortunately, as customers deploy more advanced cyber defense technologies we will continue to see non-traditional end point devices being compromised at the firmware level and so the need to be able to have analytics on the communication flows will become even more critical. Take a look at your networks, identify all potential “Points of Persistence” and ensure you have the ability to analyze their communication flows.