Living on the Edge

Co-authored by Neil Jenkins and Natasha Cohen 

In May 2018, Cisco Talos shared threat indicators and analysis with other CTA members around a new threat: VPNFilter. VPNFilter is a sophisticated modular malware system that targeted networking equipment, ultimately infecting at least 500,000 devices at its peak. Its activity was ultimately severely degraded due to coordinated actions between cybersecurity companies and Federal law enforcement but the potential for significant effect on the cybersecurity ecosystem was clear.

In the wake of the VPNFilter activity, CTA members decided to take a closer look at the growing threat to the devices deployed at the boundaries, or edges, of interconnected networks, such as routers, switches, and firewalls. The scale of such a threat would be tremendous, as there are millions of devices that fall within these categories. CTA members came together to focus on the threat to these edge devices, highlighting specific problems, sharing threat information, and working together to provide a complete picture for the common good. Today, we release our CTA Joint Analysis on Securing Edge Devices to share our insights from this process with the public.

Over the last few years, edge devices have increasingly become the target of sophisticated malicious activity like VPNFilter. They have been used to develop infrastructure for future attacks, to monitor traffic, to establish persistent access to target networks or systems, to steal data, and to launch offensive cyber attacks on networks to deny, degrade, disrupt, or destroy information or infrastructure.

While attacks against edge devices have increased, basic protections for these devices have not kept up. This is often due to a lack of built-in security and a “set it and forget it” mentality by owners. This report describes the security challenges for edge devices and highlights five case studies to illustrate how attackers have taken advantage of weaknesses in the systems themselves and poor security practices common to the use of edge devices.

So, what can be done? We must work together as a community of manufacturers, users, and security practitioners to reduce vulnerabilities at every stage. Devices must be built secure by design and able to be patched easily. They must be installed with security in mind, using secure configurations and regularly monitored and upgraded. Networks and functions must be segmented appropriately, and communications flowing between networks or segments protected. Security practitioners must design risk-based security plans to make these devices more secure and resilient. And cybersecurity companies must be ever vigilant in their search for ways to protect these devices from outside threats.

This Joint Analysis is a call to action. Cyber Threat Alliance members are committed to doing our part to highlight the threats to and vulnerabilities of edge devices and working with device manufacturers and the owners and operators of these devices to ensure the security and resilience of their network traffic and connectivity. Any one party can do their part to mitigate the risk such attacks present, but only combined action can significantly reduce it.

This Joint Analysis on Securing Edge Devices is available on our Resources page, along with our first Joint Analysis on Illicit Cryptocurrency Mining, resources on Adversary Playbooks from our members, and information about the Alliance and how to join. Let’s work together for the greater good!

Links to CTA Member Blogs:

Fortinet: https://www.fortinet.com/blog/threat-research/research-report-securing-the-network-edge.html

NTT Security: https://technical.nttsecurity.com/post/102fjfb/the-forgotten-threat-cta-joint-analysis-report-on-perimeter-and-edge-devices

Sophos: https://nakedsecurity.sophos.com/securingedgedevices and https://news.sophos.com/en-us/2019/04/30/a-taste-of-the-onslaught-at-the-networks-edge/

Neil Jenkins

Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.