Industry Trends

Threat Landscape Perspectives: TeamViewer Attack – Spy vs. Spy Misdirection?

By John Welton | June 02, 2016

The recent TeamViewer news is yet another example of the changing dynamics and increasingly sophisticated threats we are seeing in cybersecurity today. Fortinet’s Aamir Lakhani offers some perspective.

Why is the TeamViewer news important to consider?

The TeamViewer attack appears to be an organized and sophisticated attack. We have seen criminal organizations spend a great deal of money and effort increasing their skills in order for them to conduct cybercrime. Ransomware is a good example of why criminal organizations do this. It is both extremely valuable and profitable. Likewise, a remote access and management tool like TeamViewer is potentially an inviting target because it could provide entry to tens of thousands of remote devices.

How are attackers being creative in cybersecurity today?

TeamViewer’s initial response of claiming they were not breached may be true, but it more likely shows how difficult it is to really understand if attackers are in networks. Attackers breach and stay in networks for significant amounts of time without being noticed. Irregularities in systems are often attributed to systems not working correctly, instead of attackers compromising them.

As magicians use “sleight of hand” to direct your attention where they want, attackers use this same technique of misdirecting organizations on where to investigate potential network and security problems. This is a very common technique in physical street crime (just ask anyone who has ever had a wallet or purse stolen on a crowded street). Likewise, it appears that attackers directed a massive attack against TeamViewer’s DNS systems, perhaps using it as a “sleight of hand” method to compromise their systems, or perhaps using it as a means to distract them as more sophisticated attacks were initiated.

What can IT professionals do to potentially thwart this type of attack?

Visibility and segmentation are key factors in network protection. Many organizations rely on archaic security methods in their networks, such as VLANs and access lists, instead of looking for vulnerabilities and malicious payloads within the applications. VLANs are layer-2 segmentation, and access lists have generally been used as primary security control points. It is easy to understand why organizations believe they have protected their internal networks and designed sufficient segmentation policies when they use these techniques. In reality, however, these methods are only protecting against attacks that haven’t been used by attackers for over a decade.

What is some food for thought given this recent event?

Most common attacks take advantage of applications that are used every day, such as web, mobile, and database applications. Having visibility into attacks, and separating networks by functions, business operations, and security enclaves radically increases an organization’s ability to detect, stop, and mitigate these risks. IT and networks are no longer built on networking technologies, but designed around applications and functions, yet we see organizations continuing to build, design, and base their cybersecurity methodologies around networking attack vectors, instead of borderless applications, web, and cloud.

What is next?

Organizations rarely make the same efforts, or invest the same resources, to monitor, protect, and block applications on the internal networks as they do hardening their perimeter or edge. This is mostly due to the belief – which is many times incorrect – that the complexity, performance impact, and other costs associated with implementing protections on internal segments are prohibitive. So far too often, they do little to nothing to actively monitor and protect their internal networks. And it is this lack of protection that has given rise to many of the most devastating attacks we have seen, especially insider attacks. If systems can be accessed remotely through a TeamViewer installation that has been compromised, there should be little doubt that attackers are using these systems as jumping-off points to gain access to internal network segments, to scan for and exploit other types of vulnerabilities, and to gain long-term footholds into the network. While the TeamViewer breach may be significant, the true consequences may be titanic in nature.
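As an added illustration (not code from the article, from Aamir Lakhani, or from Fortinet) of the two internal-monitoring checks this answer argues for, the script below runs over a constructed set of internal flow records: it reports flows that cross between network zones in a way the segmentation policy does not allow, and it reports any source that touches many distinct internal host:port pairs within a short window, the pattern a remote-access host would produce once an attacker starts using it as a jumping-off point to scan other segments. The log format, zone names, address ranges, thresholds and every log line are assumptions made up for the example.

```python
"""Two lateral-movement checks over internal connection (flow) logs.

1. Zone policy: a flow between two internal zones that the segmentation
   policy does not allow (e.g. a remote-support workstation reaching the
   database zone directly) is reported.
2. Fan-out: a source that contacts many distinct dst:port pairs inside a
   short window looks like an internal scan from a compromised foothold.

Zone layout, policy, thresholds and the log format are all assumptions
made for this example; they are not taken from any product or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical segmentation: zone name -> address range (assumed).
ZONES = {
    "remote-support": ipaddress.ip_network("10.10.0.0/24"),
    "user-lan": ipaddress.ip_network("10.20.0.0/16"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "db": ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed (source zone, destination zone) pairs; any other cross-zone
# flow is a policy violation. Flows inside one zone are not inspected here.
POLICY = {
    ("remote-support", "user-lan"),
    ("user-lan", "app"),
    ("app", "db"),
}

FAN_OUT_WINDOW = timedelta(seconds=60)
FAN_OUT_THRESHOLD = 10   # distinct dst:port pairs from one source per window


def zone_of(ip):
    """Map an address to its zone name, or 'external' if in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one constructed record: '<ISO timestamp> <src> <dst> <dst port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def policy_violations(lines):
    """Return (src, dst, src_zone, dst_zone, port) for forbidden cross-zone flows."""
    found = []
    for line in lines:
        _, src, dst, port = parse_flow(line)
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and (sz, dz) not in POLICY:
            found.append((src, dst, sz, dz, port))
    return found


def fan_out_sources(lines, window=FAN_OUT_WINDOW, threshold=FAN_OUT_THRESHOLD):
    """Return {src: max distinct dst:port pairs seen within one window}
    for every source that reaches the threshold (sliding window per source)."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


# Constructed sample log. 10.10.0.5 plays a remote-support workstation that
# has been taken over: it reaches the DB zone directly, then sweeps port 445
# across the app zone within a few seconds. The rest is benign traffic.
SAMPLE_LOG = [
    "2016-06-01T09:58:00 10.20.0.7 10.30.0.10 443",    # user-lan -> app (allowed)
    "2016-06-01T09:58:01 10.30.0.10 10.40.0.10 3306",  # app -> db (allowed)
    "2016-06-01T09:58:02 10.20.0.8 10.20.0.9 445",     # same zone, not inspected
    "2016-06-01T09:59:00 10.10.0.5 10.20.0.7 3389",    # remote-support -> user-lan (allowed)
    "2016-06-01T09:59:30 10.10.0.5 10.40.0.10 3306",   # remote-support -> db (violation)
] + [f"2016-06-01T10:00:{i:02d} 10.10.0.5 10.30.0.{i} 445" for i in range(1, 13)]

if __name__ == "__main__":
    for src, dst, sz, dz, port in policy_violations(SAMPLE_LOG):
        print(f"policy violation: {src} ({sz}) -> {dst}:{port} ({dz})")
    for src, count in fan_out_sources(SAMPLE_LOG).items():
        print(f"possible internal scan: {src} hit {count} distinct targets in one window")
```

The fan-out check deliberately keys on distinct destination host:port pairs rather than on byte counts, because a scan from a foothold is small and quiet by volume but unusually wide; combined with the zone-policy check, a single compromised remote-access host produces both signals within seconds of the attacker starting to move. The thresholds here are arbitrary and would be tuned per zone in practice.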

What can we do?

  1. Adopt security solutions that can see across your entire distributed network. Ideally, these tools should be able to integrate and collaborate, sharing and correlating threat intelligence from multiple locations to see advanced threats and adapt accordingly. The new Fortinet Security Fabric is the first security strategy designed to do this very thing.
  2. Intelligently segment and monitor traffic inside the network perimeter. This allows you to more quickly identify anomalous or unexpected behavior, and isolate threats to a single network zone. Take a look at the Fortinet ISFW (Internal Segmentation Firewall) that can establish security-based network segmentation, and inspect and secure traffic at network speeds.
  3. Implement an advanced threat detection solution. Fortinet’s ATP (Advanced Threat Protection) solution is designed to detect and thwart the most advanced and sophisticated threats and attacks, and in the recent ICSA testing, was rated the top solution both in terms of highest percentage of advanced threats detected and lowest incidence of false positives.