3 Lessons We've Learned from Successful Cyberattacks
When I woke up this morning, it was all over the news: “Big corporation gets breached in cyberattack.” Unfortunately, every few months I see a similar headline. What lessons can we learn from these recurring attacks that can help us do a better job in creating defenses — and make it a lot harder for the bad guys to succeed?
Defending corporations against data breaches requires a strategic shift away from traditional security measures. I’ve been advising Akamai’s global clients for the past 10 years on cybersecurity strategies, defensive architectures, and how to stay ahead of the threat actors’ evolving tactics.
3 key lessons
In this blog post, I’ll present three key lessons I’ve learned from observing successful attack tactics. These learnings can help defend corporations against modern data breaches and malware infections.
1. Traditional VPNs belong in history books, not in corporate environments
Traditional virtual private networks (VPNs) have long been the go-to solution for remote access to corporate networks. The lineage goes back to the mid-1990s, when Microsoft and a group of vendor partners developed the Point-to-Point Tunneling Protocol (PPTP), shipped with Windows NT 4.0 in 1996, to carry a remote user’s traffic through a “tunnel” so that someone on the path could not easily intercept or “observe” the data in transit. PPTP’s built-in encryption (MPPE, based on RC4) was later shown to be weak, and it was superseded by Layer 2 Tunneling Protocol (L2TP) over IPsec and, in turn, by IKEv2/IPsec and TLS-based VPNs. Each generation improved how well the tunnel is protected; none changed what the tunnel does once it is up.
The security loopholes of a VPN
Unfortunately, while VPNs protect data in transit, they offer almost no access control once the tunnel is up. The remote endpoint is placed on the corporate network at the IP layer, and the tunnel forwards whatever that endpoint sends, on the assumption that everything arriving over it is trusted. Malware that has landed on the laptop, or an attacker with a foothold on it, therefore gets the same network reach as the user and can scan, probe, and move toward corporate systems for as long as the VPN is connected.
From the corporate network’s point of view the laptop is just another internal host; from the home network’s point of view it is a machine that also has a route into the company. With split tunneling or local LAN access enabled, the endpoint sits on both networks at once, so the two effectively share address space and trust each other through the tunnel, and anything on the home network that can compromise the laptop inherits its corporate reach.
ZTNA to the rescue
The solution comes in the form of Zero Trust Network Access (ZTNA), which takes a fundamentally different approach: it never connects the remote user’s network to the corporate network. Instead, an identity-aware reverse proxy (or broker) in front of each application authenticates the user and device and then relays requests only to the specific applications that user needs for their role. The endpoint receives no route into the corporate address space, and the home and corporate networks, which will likely have very different security levels, are never joined.
This isolates the user’s environment from the corporate network and removes the path malware would otherwise use to traverse the connection: a compromised laptop can at most reach the applications its user was already authorized for, through the broker, with every request subject to policy.
By implementing ZTNA, corporations make remote access far more defensible. Access is granted per user, per device, and per application rather than per network, unauthorized applications are simply not reachable, and the attack surface exposed to any single endpoint shrinks to the handful of services it legitimately uses.
2. Traditional MFA is broken. Just search “bypassing MFA” and see for yourself.
Multi-factor authentication (MFA) has become a standard practice to enhance login security. However, the traditional factors (one-time codes, SMS messages, and push approvals) can be relayed or talked out of the user: adversary-in-the-middle (AitM) phishing proxies, push bombing, and help-desk impersonation all bypass them routinely.
This happens because the second factor is not bound to the site the user is actually interacting with, nor to the session being authenticated. When an attacker obtains a user’s credentials through phishing or social engineering (or simply finds them in an earlier data breach), they enter them into the real authentication service, often automatically through a proxy that sits between the user and the genuine login page, and the service begins the MFA step exactly as it would for the legitimate user.
The MFA challenge does go to the device registered for that user, but that is no obstacle. A one-time code the user types into the phishing page is relayed to the real service within its validity window, and a push prompt can simply be repeated (MFA bombing or spamming) until the user approves it, sometimes helped along by a phone call or chat in which the attacker poses as a help-desk technician who can “make the problem go away” if the user accepts the prompt.
The real damage occurs when the user is tricked into pressing “accept” or entering the code. The session token (typically a cookie) is issued to the machine that initiated the authentication, which is the attacker’s, and the attacker is now logged in to the system or application they were after. This final stage should never be allowed to occur, because the attacker’s machine is not part of the trusted ecosystem.
Implement standards to secure authentication processes
To mitigate these risks, corporations should adopt the FIDO2 and WebAuthn standards. At registration, the authenticator (a platform authenticator built into the laptop, a hardware security key, or a phone) generates a key pair that is scoped to the relying party’s domain (the RP ID), and the service stores only the public key. At login, the authenticator signs a fresh server challenge together with a hash of that RP ID, and the browser, not the web page, records the origin the user is actually on in the signed client data.
Every assertion is therefore bound to the site and the session it was created for. A proxy on a look-alike domain either gets no assertion at all, because the authenticator holds no credential for that RP ID, or gets one the genuine service rejects, because the origin and RP ID hash do not match. There is no secret the user could type into the wrong page and no prompt to approve blindly, so both the relay and the social-engineering call fail.
By implementing FIDO2 and WebAuthn, corporations remove the phishable step from authentication entirely. Note that this protects the login itself; the session established afterward still needs short lifetimes, device binding, or similar controls so that a stolen cookie is not a second way in.
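The two flows described above, as an added example (not from the original post and not Akamai code): a relayed one-time code is accepted by the identity provider because nothing ties it to the page it was typed into, while a WebAuthn assertion requested by a browser sitting on a look-alike domain either is never produced or is rejected by the relying party. Everything runs in one process with no dependencies; the authenticator’s ES256 key is stood in for by a deliberately toy, insecure textbook-RSA signer, and the domains, challenge values and TOTP seed are constructed.

```python
"""Relayed OTP vs. origin-bound WebAuthn, simulated in one process. Added example:
domains, challenges and secrets are constructed; the RSA signer is an INSECURE toy
standing in for the authenticator's ES256 key."""
import hashlib
import hmac
import json
import struct

# ---- Traditional second factor: TOTP (RFC 6238) ---------------------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def idp_verify_totp(secret: bytes, code: str, at: int) -> bool:
    # Nothing in the code says which web page the user typed it into.
    return hmac.compare_digest(totp(secret, at), code)

def relayed_otp_phish(secret: bytes, now: int) -> bool:
    # Victim types the code into the phishing page; the proxy replays it to the real
    # IdP five seconds later. With `now` early in a 30-second window it is accepted.
    return idp_verify_totp(secret, totp(secret, now), now + 5)

# ---- Toy signature primitive: textbook RSA on Mersenne primes (constructed, insecure)
_P, _Q, _E = 2 ** 521 - 1, 2 ** 607 - 1, 65537
PUBLIC_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

def _sign(data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), _D, PUBLIC_N)

def verify_sig(pub_n: int, data: bytes, sig: int) -> bool:
    return pow(sig, _E, pub_n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- WebAuthn: authenticator, browser and relying party -------------------------
RP_ID = "login.example.com"            # constructed relying-party domain
RP_ORIGIN = "https://" + RP_ID
EVIL_ORIGIN = "https://login.example-evil.com"   # constructed AitM proxy domain

class Authenticator:
    """Credentials are scoped to the RP ID they were registered for."""
    def __init__(self):
        self.registered_rp_ids = set()

    def register(self, rp_id: str) -> None:
        self.registered_rp_ids.add(rp_id)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.registered_rp_ids:
            return None                    # no credential for this domain: nothing to sign
        # authenticatorData = rpIdHash || flags (user present) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        return auth_data, _sign(auth_data + client_data_hash)

def browser_get(authenticator: Authenticator, page_origin: str, challenge: bytes):
    """The browser, not the page's JavaScript, records the origin and derives the RP ID."""
    rp_id = page_origin.split("://", 1)[1].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    result = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(pub_n: int, assertion: dict, issued_challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec that defeat a relaying proxy."""
    cd = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge.hex():
        return False                       # replayed, or belongs to another session
    if cd.get("origin") != RP_ORIGIN:
        return False                       # signed while the user was on some other site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                       # key scoped to a different RP ID
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return verify_sig(pub_n, signed, assertion["signature"])

def _challenge(label: bytes) -> bytes:   # stands in for the server's random challenge
    return hashlib.sha256(b"constructed-challenge:" + label).digest()

def webauthn_legit() -> bool:
    auth = Authenticator()
    auth.register(RP_ID)
    ch = _challenge(b"1")
    return rp_verify(PUBLIC_N, browser_get(auth, RP_ORIGIN, ch), ch)

def webauthn_phish():
    # The proxy relays the genuine challenge, but the victim's browser is on EVIL_ORIGIN,
    # so it asks the authenticator for that RP ID and gets nothing back.
    auth = Authenticator()
    auth.register(RP_ID)
    return browser_get(auth, EVIL_ORIGIN, _challenge(b"2"))

def webauthn_wrong_origin() -> bool:
    # Even an assertion validly signed on the attacker's origin fails at the real RP.
    auth = Authenticator()
    auth.register("login.example-evil.com")
    ch = _challenge(b"3")
    return rp_verify(PUBLIC_N, browser_get(auth, EVIL_ORIGIN, ch), ch)
```

Note the order of checks in `rp_verify`: challenge, origin and RP ID hash are rejected before the signature is even examined, which is why a relayed assertion fails regardless of how good the attacker’s proxy is. The simulation leaves out attestation, user-verification flags and counter tracking; in production use a maintained library (for example python-fido2 or py_webauthn) rather than anything modelled on this toy signer.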
3. Your network is a complex series of devices that “expect” to be able to talk to one another
It’s clear that even with robust external and internal security controls, a determined attacker can breach a corporate network. To minimize the impact of an eventual breach, corporations should adopt microsegmentation: policy that establishes not only which devices on the network may talk to one another, but also how, down to the port, protocol, and process on each end of the connection.
After discovering the devices and learning how they communicate (at both the user and the process level), corporations can define what normal traffic looks like and turn it into a default-deny policy. Then, if malware or ransomware gets a foothold, flows that were never part of the baseline, such as a workstation suddenly opening SMB connections to its neighbors, are blocked and surfaced as alerts rather than silently allowed.
Segmentation minimizes damage
The granular control of segmentation can control the spread of malware and limit lateral movement within the network, effectively isolating the threat and minimizing the blast radius of potential damage.
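The learn-then-enforce loop described above, as an added example (not the page’s own code and not any vendor’s product logic): a few constructed flow records from a quiet day become a process-level allowlist keyed by workload label, and a later log is checked against it with default deny. Host names, labels, process names and the record format are all constructed.

```python
"""Process-aware microsegmentation: learn who talks to whom, then default-deny.
Added example; hosts, labels, processes and the log format are all constructed."""
from dataclasses import dataclass

# Constructed inventory: policy is written against workload labels, not addresses.
LABELS = {
    "ws-17": "workstation", "ws-22": "workstation",
    "web-01": "web", "web-02": "web",
    "app-01": "app", "db-01": "db",
    "fs-01": "fileserver", "mail-01": "mail",
}

@dataclass(frozen=True)
class Flow:
    src_host: str
    src_proc: str
    dst_host: str
    dst_port: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src_host> <src_process> <dst_host> <dst_port> <proto>'."""
    src_host, src_proc, dst_host, dst_port, proto = line.split()
    return Flow(src_host, src_proc, dst_host, int(dst_port), proto.lower())

# Constructed learning-window traffic: what the estate does on an ordinary day.
BASELINE_LOG = """\
ws-17 outlook.exe mail-01 443 tcp
ws-22 outlook.exe mail-01 443 tcp
ws-17 explorer.exe fs-01 445 tcp
ws-22 explorer.exe fs-01 445 tcp
web-01 nginx app-01 8080 tcp
web-02 nginx app-01 8080 tcp
app-01 java db-01 5432 tcp
"""

def learn_policy(log: str) -> set:
    """One allow rule per distinct (src label, src process, dst label, port, proto)."""
    rules = set()
    for line in log.splitlines():
        f = parse_flow(line)
        if f.src_host in LABELS and f.dst_host in LABELS:   # unknown assets never earn a rule
            rules.add((LABELS[f.src_host], f.src_proc, LABELS[f.dst_host], f.dst_port, f.proto))
    return rules

def decide(rules: set, f: Flow) -> str:
    """Default deny: allowed only if this labelled, process-level tuple was seen in learning."""
    src, dst = LABELS.get(f.src_host), LABELS.get(f.dst_host)
    if src is None or dst is None:
        return "deny"
    return "allow" if (src, f.src_proc, dst, f.dst_port, f.proto) in rules else "deny"

def enforce(rules: set, log: str) -> list:
    """(decision, record) for every flow in a later log; the denies are the alerts."""
    return [(decide(rules, parse_flow(line)), line) for line in log.splitlines()]

# Constructed post-compromise traffic: an unfamiliar process on a workstation fans out
# over SMB, a web node tries the database directly, and one flow targets an unknown host.
INCIDENT_LOG = """\
ws-17 outlook.exe mail-01 443 tcp
ws-17 svchost_update.exe fs-01 445 tcp
ws-17 svchost_update.exe ws-22 445 tcp
web-02 nginx db-01 5432 tcp
app-01 java db-01 5432 tcp
ws-22 explorer.exe fs-01 445 tcp
ws-17 explorer.exe 10.0.9.9 445 tcp
"""

if __name__ == "__main__":
    policy = learn_policy(BASELINE_LOG)
    for decision, record in enforce(policy, INCIDENT_LOG):
        print(f"{decision:5} {record}")
```

Learning from traffic has an obvious trap: if the attacker was already active during the learning window, their flows get baked into the allowlist, so review the generated rules against what each application actually needs before switching from alert to block. The example also denies anything involving an unlabelled host, which is usually the right default but means inventory gaps surface as outages; that is acceptable as long as someone owns the inventory.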
Conclusion
To more effectively defend against data breaches across disparate and increasingly complex corporate landscapes, consider these three key strategic architectural approaches:
Transition from traditional VPNs to ZTNA
Adopt more secure authentication standards for MFA
Implement a software-defined, granular microsegmentation solution