There is more to it than installing some antivirus and buying a firewall. Ready to get into the weeds?
IT and network security is usually focused on keeping intruders out in the first place; ideally, we stop them at the gates. But between vulnerabilities that have not yet been disclosed or patched and plain user mistakes, compromises do occur. What happens after that initial compromise is often ignored, and that is what turns a bad problem into a worse one.
For example, we recently received a call from a new customer managing their IT in-house with consumer-oriented gear in a manufacturing facility. They had recently come under attack by the EMOTET family of malware, and their entire network was compromised via various unpatched vulnerabilities. Every single workstation. They’d cleaned and reinstalled impacted workstations, and the infections returned rapidly on each station. Every computer was brought down, and reinstalled, and was re-infected immediately.
How? An old CNC mill controller, network-connected and running Windows NT 4.0, had become a forward operating base from which a criminal launched attacks on the network. This infection almost certainly was introduced by a malicious email attachment. The attacker promptly scanned the network and ‘owned’ it. This is an example of ‘lateral movement.’ The attacker now has a forward operating base from which to monitor the network and launch further attacks aimed at ‘privilege escalation.’ What they would really love is domain administrator access. Below I detail some common threat vectors so that you can make life difficult for an attacker who has gained a small foothold on your network. Implementing these measures will often cause the attacker to spend their time on lower-hanging fruit elsewhere; there is plenty of that to go around and keep them busy.
Let’s consider various threat vectors and mitigation:
Lock the front door!
Default passwords on equipment abound. I rarely run into equipment that has had them changed; one out of one thousand, and I’m probably being generous. You may think of your network as ‘trusted,’ but once a user runs that bogus attachment, you can kiss that goodbye. Default passwords for a multitude of equipment are publicly available in easy-to-search databases, and it is common for them never to be changed: “admin”, “password”, “1234”. Your attacker will scan your network and have every network-connected device cataloged in minutes. He might log into your core switch and configure a mirror (SPAN) port that copies the switch’s traffic onto the port where his foothold sits; he can then capture traffic to gain further intel, harvest session cookies and credentials, and mount a man-in-the-middle attack with that access. Other network-connected devices such as printers, access points, postage meters, virtually anything that plugs into a network, are running some likely vulnerable operating system. They are computers, and a skilled attacker can interact with them as computers, just like the mill in the previous example.
Your administrator needs an understanding of every device and of how a network attacker can interact with it. It could be a web interface or a command shell; whatever it is, there is probably a well-known password, and you MUST change it. It doesn’t have to be terribly complicated, but it must be unique per device, so that one captured credential does not open everything else.
Remember, if your network switch is compromised, I’m probably going to see that insecure password beamed around the network, and now I’m in your postage meter. Who knows what doors that will open? Just because your postage meter vendor is inept doesn’t mean your wireless network controller needs to be compromised along with it. Hopping from one device to the next like this is lateral movement; when the next device hands over credentials that carry more authority, it becomes privilege escalation.
So now you’ve locked the front door. Good start; however, I know you’re not updating that CNC mill you had installed in 1996. You can’t, and it is riddled with holes. So now what? Clearly, I need some means of preventing Bill’s rotten email attachment from ever reaching that device.
Let’s consider the mill specifically, but understand that much of this applies to every IoT type device, from thermostats to security cameras.
Secure the perimeter!
Once the front door is locked, keep the opportunities to slip around the back to a minimum.
Consider our mill. What network access does it *actually* need? We badly need to segment the network and restrict traffic between the segments. This is where it gets complicated, and where your consumer-grade networking equipment fails to pass muster: it simply doesn’t have the functionality you need.
We will deploy something called a “VLAN,” or Virtual Local Area Network. This lets your switches and routers group devices into separate segments and apply a different policy to each. For example, your CNC mill, new or old, almost certainly does not require any access to the internet. So we deny all internet access to VLAN1, where we place the network-connected manufacturing equipment and only that equipment (in practice, give it a dedicated VLAN ID rather than the switch’s factory default VLAN 1, which every unconfigured port lands in). We then examine what internal network access the device actually needs. Generally, we either push files to the controller or have the controller pull from some other host. So we allow FTP or SMB access only between the controller and the one workstation or server that needs it (prefer SMB where the controller supports it; FTP carries credentials and files in cleartext). You cannot reach the controller’s web interface from your workstation; you can only place files where you need them. The accounting department doesn’t need access either. This cuts off auxiliary services that do nothing for your end use except broaden the device’s attack surface. Even if the SMB or FTP service happens to be vulnerable, it can only be exploited from the one workstation that has been configured to reach it, and if that happens, the mill still can’t reach the HR department to snatch print jobs off the wire.
We’re going to do the same for printers; we’re going to put the access points and their management in a particular restricted ‘management VLAN.’ We’re going to carve out the specific access as needed. The workstation VLAN2 can access the devices on the printer VLAN3 only on port TCP/9100 to send print jobs. However, the management VLAN10 can access TCP/443 to configure the devices.
Perhaps the server VLAN20 allows SNMP and print jobs. Even further, perhaps you lock down all direct workstation access and require that print jobs be sent through authenticated servers with particular settings that the business desires? Your phones have specific internet access to specific hosts, and certainly, they don’t need to access server shares or your internal workstations. I’m sure you are catching my drift here. We, ideally, like to go ahead and block all traffic everywhere and then carve out needs versus restricting access we think an attacker will use. That which is not specifically allowed is denied.
This approach benefits us two-fold. Not only are you limiting access, you are also obscuring it. There is an old adage in the industry that ‘security through obscurity is no security.’ Fair enough, it isn’t. BUT it certainly makes the attacker’s job much harder when you’ve got speed bumps and roadblocks everywhere. They’ll gain a foothold on a workstation, scan the network, find a few patched-up workstations and probably move on. Perhaps they analyze your printer configuration, learn there is another network they should scan, and find they can now send print data to the printers. Maybe they have some whiz-bang shellcode in that print data to exploit the raw print service on TCP/9100 (it has been done before; LPR proper listens on TCP/515) and spawn a reverse shell back to their command and control on the internet. Wow, very slick, man. The problem is, my printers can’t reach the internet. Perhaps they’d like to keep playing, but my bet is they’ve also gained access to 33 other networks that they have to evaluate. Maybe seven of them are locked down like ours. NEXT!
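To make the “block everything, then carve out what is needed” policy concrete, here is an added example (not from the original article, and not any switch or firewall vendor’s configuration): a small Python model of the inter-VLAN rules described above, evaluated first-match with an implicit default deny, run against a constructed set of flows an attacker with a foothold would try, including the printer’s attempted reverse shell. The subnets for each VLAN, the CAM workstation (10.0.2.50) and mill controller (10.0.1.10) addresses, and the 203.0.113.7 “command and control” host are all assumptions chosen for the example.

```python
"""Default-deny inter-VLAN policy model (added example, not the article's own
tooling). All subnets and host addresses below are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional, Tuple

# Hypothetical subnets for the VLANs named in the article (assumption).
VLANS = {
    "manufacturing": ip_network("10.0.1.0/24"),   # VLAN1 in the text: the mill, nothing else
    "workstations":  ip_network("10.0.2.0/24"),   # VLAN2
    "printers":      ip_network("10.0.3.0/24"),   # VLAN3
    "management":    ip_network("10.0.10.0/24"),  # VLAN10
    "servers":       ip_network("10.0.20.0/24"),  # VLAN20
}
ANY = ip_network("0.0.0.0/0")            # "the internet" as a destination
INTERNAL = ip_network("10.0.0.0/8")      # everything inside the building (assumption)


def host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    note: str = ""


# First match wins. Order matters: the explicit workstation->internal deny
# must sit ABOVE the workstation->internet allow, otherwise the 0.0.0.0/0
# "internet" destination would quietly include every internal subnet too.
RULES = [
    Rule(host("10.0.2.50"), host("10.0.1.10"), "tcp", 445, "allow",
         "CAM workstation pushes files to the mill over SMB only"),
    Rule(VLANS["workstations"], VLANS["printers"], "tcp", 9100, "allow",
         "workstations send raw print jobs"),
    Rule(VLANS["management"], VLANS["printers"], "tcp", 443, "allow",
         "management VLAN configures printers"),
    Rule(VLANS["servers"], VLANS["printers"], "udp", 161, "allow",
         "print server polls SNMP"),
    Rule(VLANS["servers"], VLANS["printers"], "tcp", 9100, "allow",
         "print server sends jobs"),
    Rule(VLANS["workstations"], INTERNAL, "any", None, "deny",
         "no other workstation-to-internal traffic"),
    Rule(VLANS["workstations"], ANY, "tcp", 443, "allow", "workstation web browsing"),
    Rule(VLANS["workstations"], ANY, "tcp", 80, "allow", "workstation web browsing"),
    # Deliberately no rule letting manufacturing, printers or servers reach the
    # internet: the implicit deny below is what stops the printer's reverse shell.
]


def matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for one flow; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if matches(rule, s, d, proto, dport):
            return rule.action, rule.note
    return "deny", "implicit default deny"


# Flows an attacker would try from the footholds described in the text, with
# the verdict the policy intends (constructed sample, not captured traffic).
SCENARIOS = [
    ("10.0.2.50", "10.0.1.10",   "tcp", 445,  "allow"),  # CAM box -> mill, SMB
    ("10.0.2.51", "10.0.1.10",   "tcp", 445,  "deny"),   # any other workstation -> mill
    ("10.0.2.50", "10.0.1.10",   "tcp", 80,   "deny"),   # mill web UI, even from the CAM box
    ("10.0.1.10", "203.0.113.7", "tcp", 443,  "deny"),   # mill -> internet (malware C2)
    ("10.0.2.51", "10.0.3.20",   "tcp", 9100, "allow"),  # ordinary print job
    ("10.0.2.51", "10.0.3.20",   "tcp", 443,  "deny"),   # workstation -> printer admin UI
    ("10.0.10.5", "10.0.3.20",   "tcp", 443,  "allow"),  # management -> printer admin UI
    ("10.0.3.20", "203.0.113.7", "tcp", 4444, "deny"),   # printer reverse shell -> C2
    ("10.0.2.51", "203.0.113.7", "tcp", 443,  "allow"),  # normal web browsing
]


def audit(scenarios=SCENARIOS):
    """Return every scenario whose actual verdict differs from the intended one."""
    return [(src, dst, proto, port, expected, evaluate(src, dst, proto, port)[0])
            for src, dst, proto, port, expected in scenarios
            if evaluate(src, dst, proto, port)[0] != expected]


if __name__ == "__main__":
    for src, dst, proto, port, expected in SCENARIOS:
        action, why = evaluate(src, dst, proto, port)
        print(f"{src:>11} -> {dst:<13} {proto}/{port:<5} {action:5} ({why})")
    print("policy mismatches:", audit())
```

Run it as a script to see each verdict with the rule that produced it; an empty mismatch list means the carve-outs do exactly what the text intends and nothing more. The same table of source, destination, protocol and port is what you would transcribe into your switch or firewall ACLs, and the ordering lesson carries over directly: put the specific allows first, the explicit internal deny next, and the broad internet allow last.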
At the end of the day, an approach like this will harden your network and make it much more resistant to attack. It is vital to set up your network with the idea that it very well might be compromised at some point and set up the roadblocks ahead of time. Pay attention to the following, in particular:
· Access Points
· IoT (Internet of Things)
· Access control / Premises security
Feel free to combine, say, switch management and access-point management in a single VLAN; the rule of thumb is that sharing a VLAN must not hand the access points any pinholes they don’t need.
Privilege escalation and lateral movement on your network need to be restricted and monitored. Give us a call or fill out the form and we’ll find out where you’re at and build a roadmap to bring you up to speed, knowing where your risks are so you can stop them from shutting down your business or damaging its reputation.