
Ghosts in the Network: How Attackers Remain Invisible

Erkan Teskancan


Digital transformation has brought hyper-connectivity, automation, and the rise of smart machines. These developments increase production efficiency, but they also leave devices more exposed and more vulnerable to cyberattacks.

OT and IoT devices are hard to protect: they typically lack built-in security features, and they are expected to run 24/7, so they cannot simply be taken offline for patching. Even where security tooling is in place, a skilled adversary can use a range of techniques to stay in the network as an invisible ghost.

In May 2023, CISA and partner agencies issued a joint advisory on Volt Typhoon, a state-sponsored actor attributed to the People's Republic of China. Volt Typhoon is notable for conducting its operations almost entirely with tools already built into the operating system and network equipment, which lets it evade detection. Such "living off the land" (LotL) techniques are hard to spot precisely because the activity looks like routine administration: the same binaries, the same protocols, and often the same accounts.
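Because LotL activity uses legitimate binaries, detection has to work on how the tools are used rather than on whether they are present. The script below is an added example (not code from the article, from CISA, or from any product) that scores process-creation events per host: the events are constructed, and the command patterns (netsh port proxying, ntdsutil database dumping, wmic remote execution, ping as noise) are illustrative choices of the kind the Volt Typhoon advisory describes, to be replaced with the indicators from the advisory that applies to you.

```python
"""Flag living-off-the-land (LotL) activity in process-creation events.

Added example; not code from the article, from CISA, or from any product.
The events are constructed and the command patterns are illustrative.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: host, user, parent process, command line.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "user": "svc_backup", "parent": "services.exe",
     "cmd": r"C:\Windows\System32\netsh.exe interface portproxy add v4tov4 "
            r"listenport=8443 connectaddress=10.0.5.20 connectport=443"},
    {"host": "eng-ws-07", "user": "jdoe", "parent": "explorer.exe",
     "cmd": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "dc-01", "user": "admin", "parent": "cmd.exe",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"host": "eng-ws-07", "user": "jdoe", "parent": "cmd.exe",
     "cmd": r"wmic.exe /node:10.0.5.20 process call create cmd.exe /c whoami"},
    {"host": "hmi-01", "user": "operator", "parent": "explorer.exe",
     "cmd": r"ping.exe 10.0.5.1"},
    {"host": "plc-gw-02", "user": "operator", "parent": "cmd.exe",
     "cmd": r"ping.exe -n 1 10.0.5.2"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int  # how suspicious a single hit is on its own


# Built-in tools are legitimate, so no single hit is proof. Weights let rare,
# high-signal commands flag a host alone, while noisy ones (ping) need company.
RULES = [
    Rule("netsh_portproxy",
         re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add", re.I), 5),
    Rule("ntdsutil_ifm_dump",
         re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I), 5),
    Rule("wmic_remote_process",
         re.compile(r"wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I), 5),
    Rule("ping_recon",
         re.compile(r"\bping(\.exe)?\s", re.I), 1),
]


def match_rules(event: dict) -> list[str]:
    """Names of the rules whose pattern appears in the event's command line."""
    return [r.name for r in RULES if r.pattern.search(event["cmd"])]


def score_hosts(events: list[dict]) -> dict[str, dict]:
    """Aggregate rule hits per host: total weight and the distinct rules seen."""
    weights = {r.name: r.weight for r in RULES}
    scores: dict[str, dict] = {}
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        entry = scores.setdefault(ev["host"], {"score": 0, "rules": set()})
        entry["rules"].update(hits)
        entry["score"] += sum(weights[h] for h in hits)
    return scores


def triage(events: list[dict], threshold: int = 5) -> list[str]:
    """Hosts whose accumulated LotL score reaches the escalation threshold."""
    return sorted(h for h, e in score_hosts(events).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host:12} score={entry['score']:2} rules={sorted(entry['rules'])}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

On the constructed sample, the HMI (port proxy plus ping), the domain controller (ntdsutil dump) and the engineering workstation (remote wmic execution) are escalated, while the PLC gateway that only ran ping stays below the threshold. In a real deployment the rules would be fed from the advisory's indicators and the scoring window bounded in time, but the principle is the same: context and accumulation, not the mere presence of a built-in tool, separate an operator from a ghost.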

### The Needle in the TCP/IP Stack

Living off the land is not the only way in. OT and IoT devices, network infrastructure, and building automation systems can also be exploited through weaknesses in the libraries and embedded technology stacks they are built on.

Two research efforts showed the scale of the problem. Ripple20 disclosed 19 vulnerabilities in the Treck TCP/IP stack, and Project Memoria uncovered more than 100 vulnerabilities across more than a dozen embedded TCP/IP stacks. TCP/IP stack vulnerabilities are especially dangerous because the stack is buried deep in the firmware: many organizations do not even know which stack their devices run, and a flaw at that layer lets a device be compromised silently, before any application-level control is involved.

### Example TCP/IP Vulnerabilities

• NUMBER:JACK: predictable TCP initial sequence numbers, which let an attacker hijack or spoof TCP connections to the device.
• NAME:WRECK: flaws in DNS message parsing that can enable remote code execution or denial of service.
• INFRA:HALT: flaws in the NicheStack TCP/IP stack that can enable remote code execution or denial of service.

Forescout's R4IoT proof of concept (ransomware for IoT) showed how a vulnerable IoT device can serve as the initial access step of a ransomware campaign that then moves on to IT and OT assets; TCP/IP stack vulnerabilities of this kind are an obvious candidate for that first step.

Project Memoria also demonstrates that a vulnerability in one software library propagates throughout the supply chain and amplifies third-party risk: the same stack is licensed into products from many vendors, so one bug becomes hundreds of affected models. This project identified over 100 vulnerabilities affecting more than 250,000 devices.
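The NUMBER:JACK bullet above is the easiest of the three to test for yourself, because a predictable initial sequence number (ISN) shows up in nothing more than a list of ISNs observed from the device. The script below is an added example (not code from the article or from the Project Memoria research) that measures how guessable a stack's ISNs are. Both ISN samples are constructed: "weak" imitates a counter-based generator (fixed increment plus a little jitter) of the kind NUMBER:JACK describes, "strong" a 32-bit random generator. In practice the samples would come from repeated SYN/SYN-ACK exchanges captured against the device under test.

```python
"""Assess whether a device's TCP initial sequence numbers (ISNs) are predictable.

Added example; not code from the article or from the Project Memoria research.
The ISN samples are constructed (see constructed_isns).
"""
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def constructed_isns(kind: str, n: int = 64, seed: int = 7) -> list[int]:
    """Constructed ISN samples (seeded, so the results are reproducible)."""
    rng = random.Random(seed)
    out, state = [], rng.getrandbits(32)
    for _ in range(n):
        if kind == "weak":      # counter plus small jitter, as in weak stacks
            state = (state + 64000 + rng.randint(0, 50)) % MOD
        elif kind == "strong":  # fresh 32-bit random value per connection
            state = rng.getrandbits(32)
        else:
            raise ValueError(kind)
        out.append(state)
    return out


def circular_distance(a: int, b: int) -> int:
    """Distance between two sequence numbers on the 32-bit ring."""
    return min((a - b) % MOD, (b - a) % MOD)


def deltas(isns: list[int]) -> list[int]:
    """Increment between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def in_window_rate(isns: list[int], window: int = 65535) -> float:
    """Fraction of ISNs an attacker would have guessed to within one receive
    window by extrapolating the previous two samples linearly."""
    hits = 0
    for i in range(2, len(isns)):
        guess = (2 * isns[i - 1] - isns[i - 2]) % MOD  # previous ISN + previous delta
        if circular_distance(isns[i], guess) <= window:
            hits += 1
    return hits / (len(isns) - 2)


def spoof_attempts(isns: list[int], rcv_window: int = 65535) -> int:
    """Spoofed segments needed to land one in-window guess at the next ISN,
    assuming the next increment lies within the range of increments seen so far."""
    d = deltas(isns)
    spread = max(d) - min(d) + 1
    return -(-spread // rcv_window)  # ceiling division


def assess(isns: list[int]) -> dict:
    """Summarise predictability; a linear model that lands in-window more than
    half the time means the stack's ISNs are effectively guessable."""
    rate = in_window_rate(isns)
    return {"in_window_rate": round(rate, 3),
            "spoof_attempts": spoof_attempts(isns),
            "verdict": "predictable" if rate > 0.5 else "random"}


if __name__ == "__main__":
    for kind in ("weak", "strong"):
        print(kind, assess(constructed_isns(kind)))
```

For the weak generator a single spoofed segment is enough, because every increment falls inside one receive window of the last one; for the random generator the attacker would need on the order of tens of thousands of blind guesses. The spread-based estimate is deliberately simple (an attacker with a better model of a time-based generator can do better than this bound), which is why a stack should be judged by the rate at which a trivial predictor succeeds, not by whether its ISNs merely look different from one another.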

### Visibility: A 3-Dimensional Approach

Comprehensive visibility is essential to prevent and detect advanced, stealthy attacks. It has three dimensions: discovering every device on the network together with its software and security configuration; assessing the security posture of each device; and monitoring network traffic for malicious or anomalous behavior.

Over the past five years, CISA and other US government agencies have pushed for Software Bills of Materials (SBOMs), machine-readable lists of the components in a product. As of 2023, however, most manufacturers still do not provide SBOMs for their products, and identifying every component in an embedded software stack, including which TCP/IP stack a device runs, remains a challenge.
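When an SBOM does exist, matching it against an advisory list is the quickest way to learn whether a fleet carries a vulnerable stack; when it does not, the honest answer is "unknown", which is itself a finding. The script below is an added example (not code from the article or from any SBOM tool) that does both over a small constructed inventory. The CycloneDX document, the device inventory and the advisory entries are all constructed and hypothetical: the component names and versions do not refer to real products, and the issue labels borrow the Project Memoria family names only to show the kind of finding such a match would surface.

```python
"""Match a CycloneDX SBOM against an advisory list and report devices with no SBOM.

Added example; not code from the article or from any SBOM tool. SBOM, inventory
and advisories are constructed and hypothetical.
"""
import json

# Constructed CycloneDX 1.4 SBOM for a hypothetical gateway firmware image.
GATEWAY_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "plc-gateway-fw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-tcpip", "version": "2.0.7"},
        {"type": "library", "name": "example-dns", "version": "1.4.1"},
        {"type": "library", "name": "example-tls", "version": "5.0.2"},
    ],
})

# Hypothetical advisory feed: component, first fixed version, class of weakness.
ADVISORIES = [
    {"component": "example-tcpip", "fixed_in": "2.1.0",
     "issue": "predictable TCP ISN generation (NUMBER:JACK class)"},
    {"component": "example-dns", "fixed_in": "1.4.0",
     "issue": "DNS compression-pointer parsing (NAME:WRECK class)"},
]

# Constructed device inventory: most devices ship without any SBOM at all.
INVENTORY = {
    "plc-gateway-01": GATEWAY_SBOM,
    "hmi-01": None,
    "bms-controller-02": None,
}


def parse_version(v: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    """Affected when the shipped version is older than the first fixed one."""
    return parse_version(version) < parse_version(fixed_in)


def match_sbom(sbom_json: str, advisories: list = ADVISORIES) -> list:
    """All (component, version) pairs in the SBOM that an advisory covers."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["component"] and is_affected(comp["version"], adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "fixed_in": adv["fixed_in"], "issue": adv["issue"]})
    return findings


def assess_inventory(inventory: dict = INVENTORY) -> dict:
    """Per device: the advisory findings, or an explicit unknown when no SBOM exists."""
    report = {}
    for device, sbom in inventory.items():
        report[device] = match_sbom(sbom) if sbom else "unknown: no SBOM"
    return report


if __name__ == "__main__":
    for device, result in assess_inventory().items():
        print(device, result)
```

The gateway is flagged for its TCP/IP stack (2.0.7 is below the hypothetical fix in 2.1.0) but not for its DNS library (1.4.1 is already past 1.4.0), and the two devices without an SBOM are reported as unknown rather than silently passing. Numeric version parsing matters: a lexical comparison would rank "2.10.0" below "2.9.0" and hide real exposures.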

### Risk Mitigation and Precautions

• Network segmentation: the most effective risk-reduction measure for OT, IoT, and unmanaged devices, which often cannot be patched and must run 24/7. Segmentation does not remove a vulnerability, but it limits who can reach it and how far a compromise can spread.
• Visibility and risk management on both the device and the network: security teams need to know what is on the network and what it is talking to, and manage risk at both layers.

In conclusion, vulnerabilities and weaknesses are almost inevitable. Advanced threat actors know this and move stealthily through the network to gain and keep access. The task of security teams is to make these threats visible and to apply security measures according to priority.
     