Trusting Locations Bites Us Yet Again
Recently, Microsoft announced the discovery of yet another campaign launched by the now infamous Nobelium group, which has been responsible for numerous successful attacks, including the widespread SolarWinds breach in 2020. Thankfully, this latest attempt was not as impactful as those in the past: it was discovered early and largely mitigated by several existing protections.
However, as I read through the security briefing, two things stand out. First, Nobelium is certainly a very advanced adversary. The group employs numerous techniques to infect, move laterally, and evade detection, all while continually evolving its approach to overcome new security obstacles.
Second, several of its evasion techniques exploit the misplaced trust that enterprises still place in location. Throughout the evolving campaign, for example, Nobelium made use of public services such as Google Firebase, Dropbox, Constant Contact, and others to host malware, gather telemetry, and perform other services necessary to its operations.
Why go through all of that trouble? The answer is simple: to reduce the chance of discovery by hiding in locations that enterprises already trust. Nobelium, like many adversaries in this space, knows it is growing more difficult to launch attacks from suspicious, freshly registered domain names, as enterprises increasingly deploy DNS firewalls that "black hole" (sinkhole) domains suspected of being malicious before a client ever connects to them.
Instead of attempting to thread that needle, it is far easier to blend in with trusted elements at SaaS and IaaS providers. After all, enterprises can't simply block access to the legitimate services they use daily, such as Dropbox. By hiding malicious content within trusted locations, Nobelium and groups like it effectively launder their malware and actions through legitimate providers.
In some extreme cases, adversaries will even set up DNS records for their own command and control infrastructure that mimic the hostnames used by the very companies they are attacking. If an enterprise can't simply block access to SaaS domains, it surely can't block access to hostnames that look like its own!
This raises the question: What can we do to better protect ourselves from this technique? The answer lies in the very same Zero Trust principle being espoused for internal application access: don't trust things based on their location.
In the case of Zero Trust Network Access (ZTNA), the "things" in question are us, the employees, and that is why we endeavor to perform strong authentication and device safety checks with ZTNA for every transaction and connection.
In the case of SaaS and external sites, the "things" are the data we download and interact with, and the protection takes the form of strong content inspection. Companies increasingly need secure web gateways (SWG) and cloud access security brokers (CASB) to perform malware scanning, sandboxing, and data loss prevention (DLP) on that content, in addition to the domain-based protections provided by DNS firewalls, which by design never see the payload. By inspecting the content itself and accepting that any location can be dangerous, we create an additional hurdle that makes it that much more difficult for adversaries to gain access.
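To make the contrast concrete, here is an added example (not code from the original post, Microsoft, or any SWG vendor) that evaluates the same constructed download events under two policies: a legacy "trusted location" allowlist, which waves through anything served from a domain the enterprise already uses, and a minimal content-inspection policy that classifies the bytes themselves by magic number, looks inside archives, and checks a hash blocklist regardless of where the file came from. The trusted-domain list, the magic-number table, the synthetic payloads (a PE header stub and a ZIP wrapping a shortcut file), and the verdict labels are all assumptions made for this illustration; a real SWG or CASB would add sandboxing and far richer signatures on top of the same principle.

```python
"""Location-based trust vs. content inspection for downloads (illustrative only).

allow_by_location(): legacy policy, trusts the host and never looks at the payload.
inspect_content():   location-agnostic policy, inspects every download the same way.
All sample domains, magic numbers and payloads below are constructed for this example.
"""
import hashlib
import io
import zipfile

# Hosts the enterprise legitimately uses every day (constructed allowlist).
TRUSTED_DOMAINS = {
    "www.dropbox.com",
    "firebasestorage.googleapis.com",
    "files.constantcontact.com",
}

# Leading bytes of formats that commonly carry or stage malware (constructed subset).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk-shortcut"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF", "pdf"),
]
# Types that execute code on open, whatever name or extension they were given.
ACTIVE_CONTENT = {"pe-executable", "elf-executable", "lnk-shortcut"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring the claimed extension or Content-Type."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def allow_by_location(domain: str, filename: str, data: bytes) -> bool:
    """Legacy policy: a trusted host is enough; the payload is never examined."""
    return domain in TRUSTED_DOMAINS


def inspect_content(domain: str, filename: str, data: bytes,
                    hash_blocklist: frozenset = frozenset()) -> tuple:
    """Location-agnostic policy: every download is inspected, trusted host or not.
    Returns (verdict, reason) with verdict in {"allow", "block", "sandbox"}."""
    if sha256_hex(data) in hash_blocklist:
        return "block", "sha256 on blocklist"
    kind = sniff_type(data)
    if kind in ACTIVE_CONTENT:
        return "block", f"{kind} served as {filename}"
    if kind == "ole-document":
        # Legacy Office containers may carry VBA macros: detonate before release.
        return "sandbox", "legacy Office container"
    if kind == "zip-archive":
        # Archives are a favourite wrapper for executables and shortcuts: look inside,
        # reading only a header-sized prefix of each member to stay safe from zip bombs.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as member:
                        inner_kind = sniff_type(member.read(16))
                    if inner_kind in ACTIVE_CONTENT:
                        return "block", f"{inner_kind} inside archive member {info.filename}"
        except zipfile.BadZipFile:
            return "sandbox", "malformed archive"
    return "allow", f"{kind} from {domain}"


def build_samples() -> list:
    """Constructed download events as (domain, filename, data); the bytes are synthetic stubs."""
    lure = b"MZ" + b"\x90" * 62 + b"decoy"          # PE header prefix named like a document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 8)
        zf.writestr("readme.txt", b"nothing to see")
    return [
        ("www.dropbox.com", "report.pdf", b"%PDF-1.4 minimal"),
        ("www.dropbox.com", "report.pdf", lure),
        ("firebasestorage.googleapis.com", "attachments.zip", buf.getvalue()),
        ("cdn.unknown-host.example", "notes.txt", b"plain text"),
    ]


def evaluate(events: list, hash_blocklist: frozenset = frozenset()) -> list:
    """Run both policies side by side; returns (domain, filename, location_verdict, content_verdict)."""
    return [
        (d, f, allow_by_location(d, f, b), inspect_content(d, f, b, hash_blocklist))
        for d, f, b in events
    ]


if __name__ == "__main__":
    for row in evaluate(build_samples()):
        print(row)
```

The second and third events are the interesting ones: both are served from allowlisted SaaS hosts, so the location policy passes them, while the content policy blocks the executable disguised as a PDF and the shortcut hidden inside the archive. The last event shows the flip side, that an unfamiliar host is not by itself a reason to block harmless content.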
Once we let go of the outdated notion that location confers trust, whether that location is an end user's network position when accessing internal applications or an external site or SaaS provider being accessed by that end user, we can begin to focus on meaningful and up-to-date protections that keep us all safer.
That's a story we can all get behind.