Threat Research

Securing the Network Edge

By Aamir Lakhani | April 30, 2019

A New Joint Analysis from the Cyber Threat Alliance Outlines the Growing Threat to the Devices Deployed at the Boundaries, or Edges, of Interconnected Networks    

Digital transformation continues to generate new networking environments, from multi-cloud networks to SD-Branches to the emerging 5G-enabled remote edge, comprised of a growing number of physical and virtual devices. At the same time, each of these networked ecosystems is generating and processing an exponentially growing volume of data, applications, and workflows. To accommodate all of this this, organizations have had to increase the number of devices deployed at the edges of these networks in order to manage access, orchestrate resources, and interconnect the various devices and networking environments together.

One result of all of this change has been the steady increase in the volume and variety of malware, attacks, and successful security breaches and cyber events that organizations need to manage. To address this challenge, IT security teams have focused significant resources on securing endpoint devices such as smartphones, IoT devices, and hosts. However, this has only addressed part of the problem. 

Edge: A Growing Target

But according to a recent report from the Cyber Threat Alliance (CTA), Securing Edge Devices, many of the most damaging and successful attacks experienced by organizations and governments over the past couple of years have been focused on edge networking devices. These include the leveraging of network resources to develop a surreptitious and criminal infrastructure from which to launch future attacks. Cybercriminals have been focused on compromising a broad array of network edge devices. They do this to hijack their combined resources to power their botnets, obfuscate their operations, and make attribution more difficult.

One of the other uses for such infrastructure attacks is to hijack distributed processing to illicitly mine for cryptocurrencies. Criminals, especially organized crime, have shifted their resources from ransomware to quietly turning stolen computing power and resources into digital currency that can be used to fund other malicious activities and development.

At the same time, adversaries can use these devices to establish persistent access to target networks. Using advanced obfuscation tools and even open source rootkits allow attackers to burrow deep into a device, making it more difficult for them to be removed. From there they can conduct network architecture reconnaissance, perform credential theft, redirect traffic to criminal-controlled servers, or install malware onto the router.

It can also be used to monitor traffic passing through the device. In the past, a compromised edge device was used almost exclusively as a gateway into the internal data center and storage network. But because edge devices are increasingly used to control and direct the flow of information through or between the various interconnected networks and devices in place, criminals can target data in motion, enabling them to monitor and intercept information unbeknownst to network administrators or security personnel.

However, not all cybercriminals are financially motivated. Groups like cyberterrorists can also use these edge devices to actively deny, degrade, disrupt, or destroy information—or even an entire infrastructure—to meet their goals. Such attacks can range from slowing down traffic to, as we saw with VPNFilter, completely “bricking” devices thereby rendering them useless.

Securing Network Edge Devices

Because of the complex nature of this threat, addressing it requires an integrated approach from manufacturers, security vendors, service providers, and end user organizations. 

1. Organizations need to establish and adopt true open standards. Different security tools deployed in different places not only need to be able to interoperate with each other, but also be deeply integrated into edge networking devices. This allows for single, centralized management and orchestration, and the ability to see and respond to threats in a controlled and collaborative manner.

2. Devices need to be automatically hardened. For example: Any new device needs to require the creation of a new administrative password. Devices need an auto-harden function that performs such things as shutting down unused features and functions and closing unused ports. Booting a system should include an automated security check to ensure that nothing in the boot sector or boot-up process has been compromised. Patching and updating needs to be simple and automated, and to help with this, configurations should be standardized and checked for errors or manipulation. And management should use out-of-band communication protocols by default.

3. Segmentation is essential. Networking, IoT, and end user devices, along with workflows, applications, transactions, and data, should be segmented based on role and functionality to reduce the impact of an intruder successfully penetrating one section of the network. Whether physical or virtual, these segments need to be able to span across and between different networked ecosystems. And as much as possible, organizations should also consider going a step further and adopting a zero trust networking model, especially for highly vulnerable OT environments.

4. Automate secure connectivity. Advanced VPN solutions can support even the most complex, on-demand, and highly meshed environments. However, a few things need to be considered. 

  • All devices, especially network devices, need to be configured to automatically establish secure connections as part of their connectivity protocols.
  • Inspecting encrypted traffic is very CPU-intensive, so security tools need to be able to provide full inspection of VPN traffic at network speeds.
  • Cryptographic sophistication needs to match the threats the organization is likely to encounter. This may include truly random cryptographic key creation, and an Integrated Trusted Platform Module (TPM) for the secure storage of secrets (keys, certificates, device passwords, entropy, etc.)
  • Multi-factor authentication (MFA) needs to be implemented wherever possible.

5. Behavioral analysis is critical. At a minimum, implementing an external NetFlow collector or similar technology to monitor the behavior of edge devices helps correlate and detect command-and-control (C2) activity that may be emanating from compromised devices. This can be tied to advanced behavioral analytics to detect anomalous behaviors to not only automatically detect and quarantine compromised or rogue devices, but to see and correlate such behaviors across the network in order to detect larger, coordinated attacks.


According to the CTA report on Securing Edge Devices, CTA members expect to see attacks on edge devices continue to rise over time. As with many cyberattacks, automation along with the commoditization of tools not only enables the proliferation of attacks beyond the intents of the attackers that originally develop them, but as with the case of the infamous Mirai attack, also enables them to be repurposed for further nefarious goals. Taking proper measures to secure essential and expanding edge network devices is essential if organizations hope to take back control of their environments in order to realize the potential of today’s new digital economy.

Read and learn more about the Cyber Threat Alliance (CTA). Access the full Securing Edge Devices report.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.