The recent TeamViewer news is yet another example of the changing dynamics and increasingly sophisticated threats we are seeing in cybersecurity today. Fortinet’s Aamir Lakhani offers some perspective.
The TeamViewer attack appears to be an organized and sophisticated attack. We have seen criminal organizations spend a great deal of money and effort increasing their skills in order to conduct cybercrime. Ransomware is a good example of why criminal organizations do this. It is both extremely valuable and profitable. Likewise, a remote access and management tool like TeamViewer is potentially an inviting target because it could provide entry to tens of thousands of remote devices.
How are attackers being creative in cybersecurity today?
TeamViewer’s initial response of claiming they were not breached may be true, but it more likely shows how difficult it is to really understand if attackers are in networks. Attackers breach and stay in networks for significant amounts of time without being noticed. Irregularities in systems often are attributed to systems not working correctly, instead of attackers compromising them.
As magicians use "sleight of hand" to direct your attention where they want, attackers use this same technique of misdirecting organizations on where to investigate potential network and security problems. This is a very common technique in physical street crime (just ask anyone who has ever had a wallet or purse stolen on a crowded street). Likewise, it appears that attackers directed a massive attack against TeamViewer’s DNS systems, perhaps using it as a "sleight of hand" method to compromise their systems, or perhaps using it as a means to distract them as more sophisticated attacks were initiated.
Visibility and segmentation are key factors in network protection. Many organizations rely on archaic security methods in their networks, such as VLANs and access lists, instead of looking for vulnerabilities and malicious payloads within the applications. VLANs are layer-2 segmentation, and access lists have generally been used as primary security control points. It is easy to understand why organizations believe they have protected their internal networks and designed sufficient segmentation policies when they use these techniques. In reality, however, these methods only protect against attacks that attackers have not used for over a decade.
Most common attacks take advantage of applications that are used every day, such as web, mobile, and database applications. Having visibility into attacks, and separating networks by functions, business operations, and security enclaves, radically increases an organization’s ability to detect, stop, and mitigate these risks. IT and networks are no longer built on networking technologies, but designed around applications and functions, yet we see organizations continuing to build, design, and base their cybersecurity methodologies around networking attack vectors, instead of borderless applications, web, and cloud.
Organizations rarely make the same efforts, or invest the same resources, to monitor, protect, and block applications on the internal networks as they do hardening their perimeter or edge. This is mostly due to the belief – which is often incorrect – that the complexity, performance impact, and other costs associated with implementing protections on internal segments are prohibitive. So far too often, they do little to nothing to actively monitor and protect their internal networks. And it is this lack of protection that has given rise to many of the most devastating attacks we have seen, especially insider attacks. If systems can be accessed remotely through a compromised TeamViewer installation, there should be little doubt that attackers are using these systems as jumping-off points to gain access to internal network segments, to scan for and exploit other types of vulnerabilities, and to gain long-term footholds in the network. While the TeamViewer breach may be significant, the true consequences may be titanic in nature.
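The two points above, segmentation by business function rather than by VLAN and active monitoring of internal segments, can be made concrete with a small script. The following is an added example written for this page; it is not code from the article, from Fortinet, or from TeamViewer. The segment names, address ranges, allowed-flow policy, and the connection log lines are all constructed assumptions chosen to illustrate a remotely accessed host that first behaves normally and then starts scanning a neighbouring database segment.

```python
"""Internal-segment policy check plus a fan-out (scan) detector over
constructed connection logs. Added example, not code from the article
or from Fortinet/TeamViewer; segment names, address ranges, ports and
the log lines below are all assumptions made for illustration."""
from collections import defaultdict
import ipaddress

# Assumed segments, keyed by business function rather than by VLAN number.
SEGMENTS = {
    "remote-access": ipaddress.ip_network("10.10.0.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
    "web": ipaddress.ip_network("10.40.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# Assumed least-privilege policy between segments: (src, dst, dst_port).
# Anything not listed is a violation; a flat VLAN would permit all of it.
ALLOWED = {
    ("remote-access", "workstations", 3389),
    ("workstations", "web", 443),
    ("web", "db", 5432),
}

# Constructed log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
# The first three flows are legitimate; the rest show the remote-access
# host fanning out across the db segment and a second workstation.
SAMPLE_LOG = """\
1000 10.10.0.5 10.20.1.10 3389 tcp
1001 10.20.1.10 10.40.0.2 443 tcp
1002 10.40.0.2 10.30.0.9 5432 tcp
1010 10.10.0.5 10.30.0.1 5432 tcp
1011 10.10.0.5 10.30.0.2 5432 tcp
1012 10.10.0.5 10.30.0.3 22 tcp
1013 10.10.0.5 10.30.0.4 22 tcp
1014 10.10.0.5 10.30.0.5 445 tcp
1015 10.10.0.5 10.30.0.6 445 tcp
1016 10.10.0.5 10.20.2.7 445 tcp
"""


def parse_log(text):
    """Return (ts, src, dst, dport) tuples; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _proto = parts
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def segment_of(ip):
    """Map an address to its segment name, or None if it is not enclaved."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def policy_violations(flows):
    """Flows whose (src segment, dst segment, port) is not explicitly allowed."""
    bad = []
    for ts, src, dst, dport in flows:
        key = (segment_of(src), segment_of(dst), dport)
        if key not in ALLOWED:
            bad.append((ts, src, dst, dport))
    return bad


def fanout_hosts(flows, min_targets=5, window=60):
    """Sources that reach >= min_targets distinct hosts within `window`
    seconds: the signature of a compromised box scanning a neighbouring
    segment, which a port-based access list would never report."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = len(targets)
                break
    return hits


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for v in policy_violations(flows):
        print("policy violation:", v)
    print("fan-out sources:", fanout_hosts(flows))
```

On the constructed log the policy check flags every flow from the remote-access host into the db segment, and the fan-out detector reports that host because it touched eight distinct internal targets inside one minute. Neither signal exists if the only control is an access list that permits port 5432 between two VLANs; both come from knowing which function each segment serves and watching the flows between them.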