DeepSec 2020 Talk: Caught in the Middle with You: Examining the Implications of Adversary Midpoint Collection – Joe Slowik
Information security typically focuses on endpoint exploitation and manipulation. Endpoints are where our tools reside (EDR, log sources, and similar artifacts), and where we are most comfortable operating as these are the systems we interact with on a daily basis. However, adversaries increasingly migrate attacks to cover “midpoint” techniques (DNS manipulation, router exploitation, and traffic shaping mechanisms) to circumvent both endpoint and network defenses. Such actions shift operations to either devices we are unfamiliar with – routers, VPN concentrators, and similar devices – or systems and services completely outside our control – ISP equipment and fundamental Internet functionality. Although media stories highlighting such attacks exist, most threat analysis provides little information on the implications of such attacks or defensive strategies to meet them.
By analyzing revelations emerging from various NSA-related leaks, followed by consideration of several campaigns exploiting vulnerabilities in enterprise network devices, we can begin to understand the scope and implications of “midpoint” attack scenarios. Proceeding to a discussion of DNS traffic hijacking and BGP manipulation, we can gain an even greater appreciation for how the fundamentally insecure nature of vital aspects of the Internet and its network communication protocols enables and assists the execution of multi-stage, difficult-to-defend-against attack scenarios. When reviewing such activity, examples include the alleged QUANTUM program associated with US government operations, network device attacks linked to Russian state interests targeting the energy sector, and several waves of DNS manipulation including the SeaTurtle and DNSpionage campaigns. Each illustrates one “layer” of midpoint attack possibility, with different implications in terms of both the threat and its possible mitigation.
The nature and scope of these attacks make defense and response significantly different from typical endpoint intrusion scenarios. Rather than defeating adversaries via tooling or network restrictions, defenders must instead understand the fundamental nature of inter-network communication pathways – and the opportunities for manipulation, redirection, or injection therein – to adequately scope the problem. Instead of buying more devices or software for monitoring, defenders and other stakeholders need to consider the very nature of communication pathways. The obvious answer is encryption and transport security, which deny an adversary the ability to inspect or modify traffic as it moves from originator to destination. Yet as clear as this advice is, political and related considerations make it increasingly untenable, as multiple polities – from EU governments through Chinese domestic security services – seek to undermine encryption and data security for “national security” reasons. As shown in examples going back to QUANTUM, we as information societies will feel the pain of a move toward security that undermines confidentiality, because it opens up avenues for data inspection and manipulation that effective ciphers currently deny. Understanding the threat landscape, how adversaries desire to use these technologies, and the implications for network communication as a whole means that we all must understand and embrace midpoint security, and the implications of deliberately weakening such protections.
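The abstract argues that midpoint manipulation (a hijacked DNS answer, a redirected route) is best countered by transport security rather than more endpoint tooling. The following added example, which is not code from the talk or its speaker, shows the defender's side of that argument as a small detection routine: it compares the A records several resolvers return for a monitored name against an expected baseline, and it pins the SHA-256 fingerprint of the certificate the resolved host presents so that a redirect to an impostor surfaces even when the DNS answers look plausible. The hostname `mail.example.org`, the documentation-range addresses, the resolver labels and the "certificate" bytes are all constructed for the example; a real deployment would feed it live resolver answers and the DER certificate captured from the TLS handshake.

```python
"""Defender-side consistency checks for midpoint DNS/route manipulation.

Constructed example: the baseline, resolver answers and certificate bytes
below are made up for illustration and are not real observations.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the DER bytes of the legitimate server certificate.
GOOD_CERT_DER = b"constructed-der-bytes-for-mail.example.org"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate: the usual value a certificate pin is taken from."""
    return hashlib.sha256(der).hexdigest()


# Expected state for each monitored name (addresses from the 192.0.2.0/24
# documentation range, pin derived from the constructed certificate above).
BASELINE = {
    "mail.example.org": {
        "addrs": {"192.0.2.10", "192.0.2.11"},
        "cert_sha256": fingerprint(GOOD_CERT_DER),
    },
}


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str    # resolver_divergence | unexpected_address | cert_pin_mismatch
    detail: str


def check_dns(name: str, answers_by_resolver: Dict[str, Iterable[str]],
              baseline=BASELINE) -> List[Finding]:
    """Flag resolvers that disagree with each other or with the baseline.

    Divergence between resolvers points at manipulation somewhere on the
    path to one of them; an address outside the baseline is a redirect.
    """
    findings: List[Finding] = []
    expected = baseline[name]["addrs"]
    answer_sets = {r: frozenset(a) for r, a in answers_by_resolver.items()}

    if len(set(answer_sets.values())) > 1:
        detail = "; ".join(f"{r}={sorted(a)}" for r, a in sorted(answer_sets.items()))
        findings.append(Finding(name, "resolver_divergence", detail))

    for resolver, addrs in sorted(answer_sets.items()):
        rogue = addrs - expected
        if rogue:
            findings.append(Finding(name, "unexpected_address",
                                    f"{resolver} returned {sorted(rogue)}"))
    return findings


def check_cert(name: str, presented_der: bytes,
               baseline=BASELINE) -> Optional[Finding]:
    """Compare the presented certificate against the pinned fingerprint.

    This is the transport-security backstop: even if every resolver was fed
    the same bad answer, the host at the other end cannot present the pinned
    certificate without the corresponding private key.
    """
    seen = fingerprint(presented_der)
    if seen != baseline[name]["cert_sha256"]:
        return Finding(name, "cert_pin_mismatch",
                       f"expected {baseline[name]['cert_sha256'][:16]}..., got {seen[:16]}...")
    return None


def assess(name: str, answers_by_resolver: Dict[str, Iterable[str]],
           presented_der: bytes) -> List[Finding]:
    """Run both checks and return every finding for the name."""
    findings = check_dns(name, answers_by_resolver)
    cert_finding = check_cert(name, presented_der)
    if cert_finding:
        findings.append(cert_finding)
    return findings


if __name__ == "__main__":
    # Constructed observation: the internal resolver agrees with the baseline,
    # a public resolver returns a foreign address, and the host at that address
    # presents a different certificate.
    observed = {
        "internal-resolver": ["192.0.2.10"],
        "public-resolver": ["203.0.113.7"],
    }
    for f in assess("mail.example.org", observed, b"constructed-impostor-cert"):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

The two checks are deliberately independent: resolver comparison catches manipulation that only one path to the Internet sees, while the certificate pin catches the case the abstract emphasizes, where the redirection is invisible at the DNS layer and only transport security reveals it.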
Joe Slowik hunts ICS-specific adversaries and campaigns as part of Dragos Inc. Joe has led investigations into various intrusions, including original research on the 2016 Ukraine power event, the 2017 Triton/Trisis incident, and the ransomware event at Norsk Hydro in 2019. Prior to these roles, Joe ran incident response operations at the US Department of Energy’s Los Alamos National Laboratory and served as a Cyber Warfare Officer in the US Navy.