“All I needed was a foothold. Once I got that, it was just a matter of time.” -Every Hacker Ever
Apparently, Iranian hackers have been busy exploiting various VPN vulnerabilities to gain footholds on corporate networks, then installing backdoors, persistent remote-access tooling and such to expand their influence. First of all – have there been that many VPN vulnerabilities? Yikes. Perhaps this is neither here nor there, but we’ve had a few new customers of late cite their desire to reduce their dependency on VPN with their move to Wickr. Actually, it’s been a pretty consistent tone from our enterprise customers all along – VPNs are flaky, annoying, and they make everything you do on them suck.
“I love my corporate VPN.” -No Employee Ever
“I use our corporate VPN once a month AT THE MOST and only when necessary. My life requires reliance on security at the endpoint.” -Wickr CEO
My CEO will get a kick out of that last one as it is not rhetorical. So it seems that the VPN/classic perimeter security model is taking face punches lately, both due to usability (not new) and, now, security – which is new. We can do better.
Aside from that, the story is mainly newsworthy because of who is doing the hacking, but as a security guy I found the hacker M.O. it depicted interesting. And by interesting I mean entirely uninteresting. How long has “land and expand” been a blueprint for successful hacking engagements? Targets, goals and vulnerabilities change, but land and expand has been how it’s been done since the first corporate network fell in 199x (note: this is not a historical piece), and it’s not looking like it’s going to change any time soon. What’s funny, though, is that even with our decades of hindsight…MAN are we bad at securing networks!
Too many CISOs put too much trust in the infrastructure they manage. The idea that management = control is a fallacy. Most networks are one hack away from losing control. Once a hacker gets a foothold, it’s not a question of if they will expand their influence, it’s a question of how fast. That’s not a knock on CISOs or defenders in general. Some of the best security minds in the world play defense. It’s just that defense is HARD. It has to be right 100% of the time, and perfection is a tough standard to meet.
That’s why we’ve been lauding the merits of Zero Trust for some time. I mean Zero Trust in the higher sense, as a product characteristic or design principle, which is what it meant to us before it was printed on every booth banner at RSA. What if the products we use didn’t require us to trust the service infrastructure, or service provider, for that matter, to keep our data safe? What if the applications we use were built on an assumption that someone will eventually compromise the underlying infrastructure? Zero Trust solutions are built with these aspirational questions in mind.
This is what decades of hindsight should have taught us. Someway, somehow, hackers are going to gain a foothold. The question is: if we can’t stop it, what else can we do about it? Enter (real) Zero Trust solutions. What if, after exploiting the VPN vulnerabilities, the hackers in the above story encountered nothing but Zero Trust products running on those corporate networks – products like Wickr, with end-to-end encryption and minimal metadata exposed to the back-end service? How would their mood change? I would compare it to Superman opening a box and finding kryptonite. Disappointment, to say the least.
“I got in, I just couldn’t do anything.” -Every Hacker From Now On