By Moshe Ben-Simon, Co-Founder & VP Services, and TrapX Labs
All companies of a particular size have remote locations around the world. Most companies of a similar size even have remote locations in their headquartered country. Historically, such places have received less attention from security personnel, with comments like “We only have endpoints there; the servers and the critical information are in the data center” used as a justification for this low priority.
Increasingly these days, there is much more heavy-grade infrastructure at remote locations, with many of them becoming like a ‘lite data center’. Users at remote locations have local internet breakouts as well as access to the core business applications. This has still not forced a re-prioritisation from security staff about the strategic importance of these places in an attack.
You may ask yourself why a Deception vendor has a strong position on remote locations as threats to corporate security? Surely this is the business of firewall and Intrusion Detection systems? There are many reasons why this is not the case.
Circa 5 – 7 years ago, if an attacker compromised an endpoint in a remote location, they would immediately hit the firewalls and IDS/IPS and the attack would be highlighted. These days, sophisticated attackers move laterally within the remote site to perform reconnaissance and gather valuable intelligence before moving to the data center. With attackers increasingly using this local reconnaissance information to inform attacks driven by standard IT tools like PSEXEC and PowerShell, they fly right under the radar, and the breach detection clock won’t even have started ticking.
Make no mistake, playing in your backyard is a favoured location for attackers, and they will capitalise on your lack of visibility to collect everything they need to avoid being detected by your classical tools.
When I run deception tools in manufacturing plants, remote hospitals and remote data centres I see the same story over and over again. We discover malware, problematic topology configurations, new sub-contractors that no-one is aware of and even rogue wireless routers that people bring from home which bridge the network outside.
WannaCry was a breaking point in the security game where remote locations were finally exposed as the new danger in cyber security. It used ‘old school’ methods to spread, but with a zero day in the payload that caused huge damage to the reputations and budgets of the targets. Deception technology sees right through threats like WannaCry, because even with a zero day, we rely on a simple premise: “nothing should be touching something fake!”
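To make that premise concrete, here is a minimal decoy service written for this post as an illustration; it is example code, not TrapX's product. A decoy listener sits on an address no legitimate process has any reason to contact, so a single inbound connection is treated as a high-severity alert regardless of what the payload is. The FTP-style banner, the `simulate_touch` client that stands in for a scanner or lateral-movement tool, and the alert record fields are all constructed for the example.

```python
import socket
import threading
from datetime import datetime, timezone


def start_decoy(host="127.0.0.1", port=0):
    """Bind a decoy TCP listener. Port 0 lets the OS pick a free port
    (constructed for the example; a real decoy would sit on a fixed,
    plausible-looking service port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def decoy_alert(srv, banner=b"220 decoy-fileserver FTP ready\r\n", timeout=5.0):
    """Accept one connection on the decoy and return an alert record.

    No matching or signature is needed: nothing legitimate should ever
    touch a fake service, so any connection is the alert. The first bytes
    sent by the peer are kept only as forensic context."""
    srv.settimeout(timeout)
    conn, (peer_ip, peer_port) = srv.accept()   # raises socket.timeout if nothing touches the decoy
    with conn:
        conn.settimeout(1.0)
        conn.sendall(banner)                     # look like a real service so the probe continues
        try:
            first_bytes = conn.recv(256)
        except socket.timeout:
            first_bytes = b""                    # silent connect-and-drop still counts as a touch
    decoy_ip, decoy_port = srv.getsockname()
    return {
        "severity": "high",
        "reason": "connection to decoy service",
        "decoy": f"{decoy_ip}:{decoy_port}",
        "source": f"{peer_ip}:{peer_port}",
        "first_bytes": first_bytes.decode("ascii", "replace"),
        "ts": datetime.now(timezone.utc).isoformat(),
    }


def simulate_touch(host, port, payload=b"USER anonymous\r\n"):
    """Constructed stand-in for a tool probing the decoy during local reconnaissance."""
    with socket.create_connection((host, port), timeout=5.0) as c:
        c.recv(256)          # read the banner
        c.sendall(payload)   # a scanner would typically send a first command


def demo():
    """Run one decoy/touch round trip on loopback and return the alert record."""
    srv = start_decoy()
    host, port = srv.getsockname()
    result = {}
    listener = threading.Thread(target=lambda: result.update(decoy_alert(srv)))
    listener.start()
    simulate_touch(host, port)
    listener.join()
    srv.close()
    return result


if __name__ == "__main__":
    alert = demo()
    for key, value in alert.items():
        print(f"{key}: {value}")
```

The useful property for a remote site is that the alert logic has no dependency on signatures, threat intelligence or the attacker's tooling: whether the touch comes from a worm, a PSEXEC-driven sweep or a hand-driven scan, the decoy only has to answer the question “did anything connect to me?”. Feeding these records into the SIEM gives the detection clock a start time that the classical perimeter tools would not have provided.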
Protecting the datacentre and ignoring the remote locations is like protecting your assets with three doors that all use the same key! By placing deception technology in these locations you get an immediate RoI through low installation and maintenance effort. I’ve given up counting the number of threats we discover at remote locations, including ones that had already been on the network for months!
At TrapX we see up-close-and-personal how important remote visibility is to your security program. Time to breach detection is absolutely key, and stopping the attacker early will protect against real damage to your business.