Observations on the Cisco Switch Attack
By Tony Cole
Nation-states continue to probe all kinds of systems for vulnerabilities, and unfortunately they’re often successful at finding a path into almost any enterprise they want to compromise. Cisco reported this week that its Smart Install protocol was being ‘misused’ as an avenue to compromise: attackers replace the normal Cisco IOS operating system with a compromised version of the software. This flaw could give hackers a window into 168,000 vulnerable systems worldwide, some of them tied to critical infrastructure.
Today, we see lots of examples of vulnerable software, misconfigured systems and hardware with no security built in. They are scattered across most enterprises around the world and are quickly compromised when attacked. It doesn’t have to be this way.
In this instance with Cisco, their own team released an advisory detailing the flaw over a year ago, yet the adversaries still found vulnerable systems. Cisco even released an open-source tool that lets organizations scan their own networks to determine whether they are at risk. Cisco also provided a Snort signature to help identify attackers attempting to breach these systems through the vulnerable software.
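As an added illustration of the kind of check the scanner and the Snort signature perform (this is example code, not Cisco's tool or the post's own material), the following pass walks constructed flow records and flags connections to the Smart Install service from outside an assumed management network. It assumes Smart Install listens on TCP/4786 and that the management subnet is 10.0.0.0/24; both the flow format and the addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Cisco Smart Install listens on TCP/4786 (stated as an assumption for this example).
SMART_INSTALL_PORT = 4786

# Networks allowed to reach the Smart Install port on switches (constructed value).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
2018-04-06T10:00:01Z 10.0.0.5 51234 10.1.1.10 4786 tcp
2018-04-06T10:00:07Z 203.0.113.44 40001 10.1.1.10 4786 tcp
2018-04-06T10:00:09Z 203.0.113.44 40002 10.1.1.11 4786 tcp
2018-04-06T10:01:00Z 198.51.100.9 22 10.1.1.10 443 tcp
2018-04-06T10:01:03Z 203.0.113.44 40003 10.1.1.12 4786 udp
"""


def parse_flow(line: str) -> Dict[str, object]:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower()}


def is_allowed_source(ip: str) -> bool:
    """True when the source address sits inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_MGMT_NETS)


def find_smart_install_exposure(flow_text: str) -> List[Dict[str, object]]:
    """Return flows that reach TCP/4786 from outside the management networks."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (flow["proto"] == "tcp" and flow["dport"] == SMART_INSTALL_PORT
                and not is_allowed_source(flow["src"])):
            alerts.append(flow)
    return alerts


def summarize(alerts: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group alerts by source so one host probing many switches is one finding."""
    by_src: Dict[str, set] = {}
    for alert in alerts:
        by_src.setdefault(alert["src"], set()).add(alert["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}
```

On switches that do not need the feature, the corresponding hardening step is to disable Smart Install (`no vstack` on IOS) so that there is nothing on TCP/4786 for such traffic to reach.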
Although Cisco took several measures to try and rectify the vulnerabilities in this legacy feature, it clearly wasn’t enough. These compromises further show that an emphasis on prevention technology alone won’t stop a determined cyber adversary. Organizations should expect that a vulnerability will always be found, and this won’t change for the foreseeable future. What we need is to balance the scales and take a more active security posture: technology focused on threat prevention and on threat detection via deception. Without the latter, you have a bank vault with lots of locks and no alarms. If someone gets past the locks, and you don’t have an alarm tied to the money, you’re going to lose it. This is why banks build strong locks and then put alarms inside the bank and the vault, so that when someone gets inside, they immediately know about it.
In this case, had these compromised organizations had deception technology inside their network and on their endpoints, the adversaries would have tripped the alarms and been quickly stopped. Without deception to enable your detection strategy, you may as well be building banks with no alarms. I wouldn’t put my money in one.