Ever have a security vendor ask what top 16,000 assets you want to protect? A vendor that, when challenged as to why they ask, calmly informs you it’s because that’s all they can cover for you?
We all already have enough long lists of “things” to produce and keep current without adding another one. And even if an organization wants to take this on, most can’t tell you what is actually in their environment. They might not think they have a Windows 2000 server plugged into the network in the lab closet, but they do. Attackers will find these systems and leverage anything on your network to get what they want.
Asset management is one of the toughest challenges IT organizations face. Although a couple of years old, this blog about terrifying ghost assets provides an excellent overview of the complexities and security challenges involved, many of which we can all relate to. During incident response engagements it is common to identify compromised assets that the asset management inventory lists as decommissioned years earlier. Nobody took the server offline. It was still on, still connected, no longer maintained, and successfully leveraged by the attacker.
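The “decommissioned on paper, still on the wire” case above is something you can check for mechanically: reconcile the inventory against what the network actually sees. The script below is an added example, not code from the original post or from Vectra; it uses a constructed CMDB-style CSV export and constructed DHCP/ARP-style observation lines (timestamp, IP, MAC), and it keys on IP address purely for illustration. It flags three things: inventory entries marked decommissioned that were seen recently (ghost assets), addresses seen on the network that the inventory knows nothing about, and active assets that have gone silent.

```python
"""Reconcile an asset inventory against observed network activity.

Added example with constructed inputs; the CSV and log lines below are
invented for illustration and are not from any real environment.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed CMDB-style export. A blank decommissioned_on means "active".
INVENTORY_CSV = """hostname,ip,status,decommissioned_on
lab-w2k-01,10.20.5.17,decommissioned,2016-03-02
web-prod-03,10.20.1.30,active,
dev-etl-07,10.20.9.44,active,
"""

# Constructed DHCP/ARP-style observations: "<ISO-8601 UTC> <ip> <mac>".
OBSERVATION_LOG = """2024-05-01T09:12:44Z 10.20.5.17 00:11:22:33:44:55
2024-05-01T09:13:02Z 10.20.1.30 00:11:22:33:44:66
2024-05-01T09:14:10Z 10.20.7.201 00:11:22:33:44:77
2024-03-15T11:00:00Z 10.20.9.44 00:11:22:33:44:88
"""


def parse_inventory(text):
    """Return {ip: row_dict} from a CSV export."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_observations(text):
    """Return {ip: (last_seen_datetime, mac)} keeping the most recent sighting per IP."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ip not in last_seen or seen > last_seen[ip][0]:
            last_seen[ip] = (seen, mac)
    return last_seen


def reconcile(inventory, last_seen, now, window=timedelta(days=30)):
    """Compare inventory against sightings within `window` ending at `now`.

    ghost   - listed as decommissioned but seen on the network inside the window
    unknown - seen on the network but absent from the inventory entirely
    silent  - listed as active but not seen inside the window
    """
    cutoff = now - window
    findings = {"ghost": [], "unknown": [], "silent": []}

    for ip, (seen, _mac) in last_seen.items():
        asset = inventory.get(ip)
        if asset is None:
            findings["unknown"].append(ip)
        elif asset["status"] == "decommissioned" and seen >= cutoff:
            findings["ghost"].append(asset["hostname"])

    for ip, asset in inventory.items():
        if asset["status"] != "active":
            continue
        sighting = last_seen.get(ip)
        if sighting is None or sighting[0] < cutoff:
            findings["silent"].append(asset["hostname"])

    for key in findings:
        findings[key].sort()
    return findings


def run_report(now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)):
    """Run the reconciliation over the constructed inputs and return the findings."""
    return reconcile(parse_inventory(INVENTORY_CSV), parse_observations(OBSERVATION_LOG), now)


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category}: {', '.join(items) or '-'}")
```

On the constructed data this reports lab-w2k-01 as a ghost asset (decommissioned in 2016, seen today), 10.20.7.201 as an unknown host, and dev-etl-07 as silent. In a real environment you would key on something more stable than an IP address (MAC, agent ID, or certificate identity), since DHCP reuse makes IP-only matching noisy; the structure of the check stays the same.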
Even if you do have a perfect inventory of all your systems, you are unlikely to know precisely which of those 16,000 assets are critical to your business. If organizations struggle to understand what systems are on their network, how can they possibly be expected to flag which of those are critical?
On that topic, what exactly is meant by critical? Is it anything that holds data important to your business? That definition would include just about every system across your environment. As a case in point, consider all of the leaks of personal data resulting from lost laptops alone over the years. Were those systems tagged as critical? Or were they “just another laptop” that someone took home to finish up after a long week? What happens when a dev system is stood up to validate data processing, loaded with sensitive data, and then left on the network and forgotten?
If you’re like a lot of people and think of your core networking infrastructure as hosting the lion’s share of critical devices, this March 2020 report from FireEye about APT41 is required reading. The report shows APT41 actively exploiting an organization’s Cisco routing infrastructure. If you can control traffic routing, you gain access to any data that traverses the device without ever having to compromise the critical endpoint.
For Internet of Things (IoT) and other non-critical assets leveraged by advanced persistent threats, the best example is still APT28—also known as Fancy Bear or Strontium—which is detailed in this ZDNet article about a report published by Microsoft. One important thing to focus on is the breadth of IoT devices that APT28 leveraged to carry out the attack, including voice over internet protocol (VoIP) phones, printers and video decoders. This shows attackers’ intent to use IoT devices more broadly in an organized attack, and demonstrates that attackers care little about what is “critical” according to your definition, instead leveraging anything that enables them to achieve their objectives.
My final point is this: As a defender, you shouldn’t be forced to make arbitrary decisions based on imperfect information about what assets you will and will not defend with the security capabilities you bring to a fight.
Your security solutions should empower you as a security team to detect threats early without arbitrary constraints and with high confidence regardless of where attackers choose to operate. You deserve to monitor and protect your entire environment, not just a select few endpoints.
Nathan Einwechter leads the Security Research team at Vectra. He has two decades of cybersecurity experience focusing on advanced threat incident response, reverse engineering, and offensive security.