Amid the Colonial Pipeline and JBS ransomware attacks that sparked shockwaves among media worldwide, news broke that attackers were able to compromise Colonial Pipeline through a legacy VPN account. The account lacked multifactor authentication (MFA) and wasn’t in active use within the business, a scenario unlikely to be unique to the fuel pipeline.
Leaked creds or the lack of MFA won’t be the only reason VPNs are a weakness for most security organizations. A laundry list of vulnerabilities in security appliances found in the last 12 months — including Palo Alto Networks, F5 and Citrix (or even the infamous 2020 SolarWinds attack) — provides further evidence. But as an attacker, when it comes to targeting VPNs and other security appliances, it’s not the relative abundance of vulnerabilities that make appliances a prime target, it’s because organizations put too much trust in security tools.
Security tools are often the weakest link for organizations, and can be an attacker’s best way into a network. Security solutions can make life harder for an attacker like me, but they also present the greatest opportunity.
Your Appliances Rank High in Attackability
Organizations purchase multi-purpose security solutions like VPNs, firewalls, monitoring solutions or network-segmentation devices for simplicity. A single security solution covers multiple security functions, and “checks the box” on many of the security controls you need. But the problem with purchasing one security solution for everything, is that you have a single point of failure. If the box is compromised, everything fails.
This is the desired outcome of most attack campaigns. As attackers perform their own calculus to determine the ROI of executing a campaign, the costs of targeting security solutions become insignificant. A compromised VPN can lead to deep network access and lateral movement through the network. As an attacker, I only have to pick a single lock. If I do this, not only have I gained access to the network, but to a highly trusted box that awards me a lot of privilege.
In Play
I was recently asked by a financial services institution to access their “crown jewels.” All it took for me to compromise their entire network was:
Figuring out what VPN they used (easy, I could figure that out by scanning the internet)
Finding a vulnerability in this VPN.
That’s exactly what I did — and that’s how countless attackers approach their targets on an ongoing basis. Because the vulnerability I discovered gave me complete control over the device itself, I completely pwned it and all its functionalities in one fell swoop. The VPN this organization was using wasn’t just a VPN — it served as a firewall and did logging and network segmentation as well. This security system was designed to protect them, but every part of its functionality could no longer be trusted. How can an organization trust the logs if a logger itself is compromised?
Endpoint security layers work the same way. Most organizations put one type of endpoint detection and response (EDR) solution or antivirus on every single one of their endpoints. If I can exploit that one solution (or just bypass it), I’m g2g on every single one of the computers in their network.
How to Avoid the Security-Appliance Risk
This isn’t to say that a business shouldn’t use VPNs — in fact, I recommend their use. In an ideal world, no IT environment would have a single point of failure, but defenders must take preventative measures before suffering an intrusion. Ideally, your system should be complex for an attacker, while being as easy as possible for you to navigate. It means being aware of the risk and baking in the possibility of losing control of these appliances into their security protocols.
Vendors aren’t perfect. That’s been proven time and again. If you’re dependent on one box, it needs to be perfect 100 percent of the time. But that rate of perfection is a logical impossibility. You need to have thousands of controls, layered on top of each other. “Defense in depth” cannot be achieved by one box that has all your controls. You need multiple layers, different controls for when something fails (which everything will at some point.)
Zero-trust principles should include your third-party security tools. Do not fall into the trap of thinking that just because it is an out-of-the-box appliance and it costs a lot of money to stand up, it is impenetrable. In security, nothing is impenetrable; not even security tools. Consider your security boxes to be just as hackable and more attractive to an attacker than other boxes. Have contingency plans in place for when your tool makes the headlines.
Just remember: You don’t have to be perfect. You just have to make my life as the attacker a little bit harder, consistently, over time. Even making my job just slightly more difficult can spell the difference between becoming a headline and keeping an attacker out of your system altogether
David “moose” Wolpoff is CTO at Randori.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.