Zero-day vulnerabilities in edge infrastructure
In a decentralized world data increasingly exists at the "edge" of the network. There are more remote workers and cloud applications outside of the traditional network perimeter, and new operational technologies on the edge connecting to critical business infrastructure. These assets are increasingly targeted by threat actors, and organizations need updated security strategies to mitigate these new risks.
Edge infrastructure includes commonly used services such as remote access software, firewalls and cloud applications. However, it also increasingly includes operational technology such as security cameras, laboratory devices and other IoT-enabled systems. A compromised edge device gives a threat actor a foothold inside the network, from which they can deploy malware, gain access to sensitive data and take control of the devices themselves. An attack on an edge device can have severe consequences for any company, but it is especially damaging in critical infrastructure, industrial facilities and transport services - factories, railways, traffic lights, oil platforms.
There are around 50 billion edge devices in the market - IBM predicts that by 2025 there will be 150 billion. This growth is driven in part by the expansion of Internet of Things (IoT) devices and applications, which can do little data processing locally and therefore depend on nearby edge systems. As organizations add more edge devices their attack surface expands, and threat actors are increasingly seeking to capitalize on it. While our research shows that focusing too heavily on zero-day vulnerabilities may not be the best strategy for patch management, it should not be overlooked that 10 of the 55 zero-day vulnerabilities exploited in the wild in 2022 involved internet-facing edge devices.
But is expansion the primary reason for the uptake in interest by threat actors?
What makes attacking on the edge attractive
Edge vulnerabilities are exploited through a variety of methods: brute-force attacks, weak or default passwords, or "human hacking" - phishing and other forms of social engineering. Social engineering remains time-consuming, whereas edge devices are directly reachable from the internet and can be attacked without going through a user at all.
Known network and perimeter assets are generally well monitored and protected. To secure the "traditional" architecture, organizations protect their networks with firewalls, intrusion prevention systems (IPS) and remote access tools, and their endpoint devices and servers with agents.
"There is the perception that organizations focus their security efforts around their traditional “known” environments. This creates an incentive for threat actors as they are more likely to find an exposed asset on the internet that they can exploit."
Olivier Beg - Head of Hacking
Hackers target edge infrastructure because it is vast in nature. Edge infrastructure typically consists of a large number of remote and distributed systems spread across different on-premises locations and cloud environments. This complexity makes it hard for organizations to maintain consistent security controls and oversight, which in turn makes edge infrastructure an attractive target.
How to prevent attacks on the edge
As the edge expands, businesses must have a strategy that covers the entirety of their attack surface. For CISOs, the varied platforms of edge computing are difficult to consolidate and manage with a traditional security stack. And because these assets sit on the network's periphery rather than within the familiar boundaries of the data center or cloud, finding an effective mitigation strategy can be complex.
Newer technologies such as Secure Access Service Edge (SASE) could provide a solution for organizations - but deploying these tools is a multi-year initiative and if done incorrectly can lead to fragmented capabilities. Navigating the what and how is a lengthy process that is slow to provide tangible insights since SASE presents a significant architectural shift.
To combat zero-day attacks on edge infrastructure, organizations should focus on increasing their visibility of external-facing risks. At Hadrian we are continuously adding new detection methods to the platform, including the latest zero-day discoveries. The hackers at Hadrian are constantly researching the latest vulnerabilities, augmenting their own skillset, and improving Hadrian's tools. This allows the platform to detect new critical vulnerabilities and exploitation paths within 24 hours of their discovery.
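The visibility point above is concrete enough to show in code. The script below is an added example written for this article, not Hadrian's platform or any tool mentioned on the page: it parses the XML that an Nmap version scan of your own internet-facing ranges produces and triages open ports into the edge categories the article discusses (management interfaces that should never face the internet, remote access portals that do so by design, and IoT/OT protocols that belong behind a gateway). The scan output is constructed for the example, the addresses come from the documentation range, and the classification rules are illustrative assumptions rather than a vendor or vulnerability list.

```python
"""Triage an Nmap XML scan of internet-facing hosts for exposed edge services.

Added example: the scan data is CONSTRUCTED, and the classification rules are
illustrative assumptions, not a vendor list or a vulnerability feed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed output in the shape `nmap -sV -oX out.xml <targets>` writes,
# trimmed to the elements this parser reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="vpn.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="SSL VPN web portal"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="554"><state state="open"/>
        <service name="rtsp" product="IP camera rtspd"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    product: str
    category: str  # why this port counts as edge exposure
    severity: int  # 3 = admin interface, 2 = remote access portal, 1 = IoT/OT


# Illustrative rules (assumption, tune to your estate): management services
# that should not be reachable from the internet at all, remote access portals
# that are internet-facing by design but are prime zero-day targets, and
# IoT/OT protocols that should sit behind a gateway.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 161: "snmp"}
REMOTE_ACCESS_KEYWORDS = ("vpn", "remote access", "gateway")
IOT_SERVICES = {"rtsp": "camera stream", "onvif": "camera control",
                "modbus": "industrial control", "mqtt": "IoT messaging"}


def classify(port, service, product):
    """Return (category, severity) for an open port, or None if unremarkable."""
    text = f"{service} {product}".lower()
    if port in ADMIN_PORTS or service in ADMIN_PORTS.values():
        return ("management interface exposed", 3)
    if any(k in text for k in REMOTE_ACCESS_KEYWORDS):
        return ("remote access portal", 2)
    if service in IOT_SERVICES:
        return (IOT_SERVICES[service] + " exposed", 1)
    return None


def parse_scan(xml_text):
    """Parse Nmap XML (our own scanner's output, so stdlib XML parsing is fine)
    and return findings sorted by severity, then host and port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else addr
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            portid = int(port.get("portid"))
            hit = classify(portid, service, product)
            if hit:
                findings.append(Finding(name, portid, service, product, *hit))
    return sorted(findings, key=lambda f: (-f.severity, f.host, f.port))


if __name__ == "__main__":
    for f in parse_scan(SAMPLE_NMAP_XML):
        print(f"[sev {f.severity}] {f.host}:{f.port} {f.service} "
              f"{f.product!r} - {f.category}")
```

On the constructed scan this yields four findings: the telnet and SSH ports first, then the VPN portal, then the camera stream; the web server on 203.0.113.12 and the filtered port are ignored. The point is not the specific rules but the habit: run this against the ranges you actually own, on a schedule, and diff the output, so that a newly exposed management interface or portal is known to you before a fresh edge zero-day makes it known to someone else.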