Attivo Networks Blogs

Observations on the Cisco Switch Attack

Tony Cole - Chief Technology Officer



Nation-states continue to probe all kinds of systems for vulnerabilities, and unfortunately they are often successful at finding a path into almost any enterprise they want to compromise. Cisco reported this week that its Smart Install protocol was being ‘misused’ as an avenue to compromise: attackers replace the legitimate Cisco IOS operating system image on the switch with a compromised version of their own. This flaw could give hackers a window into 168,000 vulnerable systems worldwide, some of them tied to critical infrastructure.


Today, we see lots of examples of vulnerable software, misconfigured systems and hardware with no security built in. They are scattered across most enterprises around the world and are quickly compromised when attacked. It doesn’t have to be this way.


In this instance with Cisco, its own team released an advisory detailing the flaw over a year ago, yet the adversaries still found vulnerable systems. Cisco even released an open-source tool that lets organizations scan their own networks to determine whether they are at risk. Cisco also provided a Snort signature to help identify attackers attempting to breach these systems through the vulnerable software.


Although Cisco took several measures to try to rectify the vulnerabilities in this legacy tool, it clearly wasn’t enough. These compromises further show that an emphasis on prevention technology alone won’t stop a determined cyber adversary. Organizations should expect that a vulnerability will always be found, and this won’t change for the foreseeable future. What we need is to balance the scales and take a more active security posture, with technology focused on both threat prevention and threat detection via deception. Without the latter, you have a bank vault with lots of locks and no alarms. If someone gets past the locks and you don’t have an alarm tied to the money, you’re going to lose it. This is why banks build strong locks and then add alarms inside the bank and the vault, so that when someone gets inside, they immediately know about it.


In this case, had these compromised organizations had deception technology inside their networks and on their endpoints, the adversaries would have tripped the alarms and been quickly stopped. Without deception to enable your detection strategy, you may as well be building banks with no alarms. I wouldn’t put my money in one.
