The bad actors who are perpetrating advanced persistent threat (APT) attacks aren’t just looking to access your network. They want to sneak in and hang around to collect valuable data or lay plans for future attacks.
Post-compromise threats are growing, and they’re aimed largely at aging network infrastructure and edge devices that are long past end-of-life stage and may have critical unpatched vulnerabilities, according to Nick Biasini, head of outreach at Cisco’s Talos security research arm. “We do see these threats across the board. But the older legacy components have more avenues for access, especially if the devices are out of support and they haven’t been updated in three or four years,” Biasini said.
For a long time, enterprises have taken a hands-off approach to edge devices, sort of a “don’t touch it, let it do what it does, and let it keep running” approach, Biasini said. “It was like a badge of honor to have an edge device that was out there running for two or three years. Now, that is a very, very big liability, and it’s something organizations really need to take care of,” Biasini said.
“There’s going to be a lot of additional vulnerabilities and potential avenues for adversaries on those devices,” Biasini said, whereas with recently installed edge devices that have up-to-date firmware, the attack surface is going to be lower. “We do tend to see bad actors feasting on those older devices,” he said.
When older devices weren’t designed with security in mind, and when network infrastructure sits outside of security’s ecosystem, it makes it increasingly difficult to monitor network access attempts, according to Hazel Burton, a global cybersecurity product marketing manager at Cisco. “Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden, post-compromise activities once they have gained initial access to the network,” Burton wrote in an a blog outlining some of the attack scenarios. “The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals.”
Biasini said there are two main groups of bad actors that are targeting network infrastructure: state-sponsored attackers and criminal enterprises. “State-sponsored groups are interested in these devices primarily to gain a foothold for espionage purposes, with the goal to maintain access for the long term,” Biasini said.