Most people—mistakenly—believe that they are perfectly safe behind a firewall, network address translation (NAT) device or proxy. The fact is quite the opposite: if you can get out of your network, someone else can get in. Attackers often seek to compromise the weakest link in a network and then use that access to attack the network from the inside, commonly known as a “pivot-and-attack.”

Two Common Ways Attackers Use “Pivot-and-Attack”

Phishing is a common avenue for attackers to gain an inside pivot point. Attackers often use two phishing techniques to enter a network in order to pivot and attack:

• An attacker may send an email to an individual distribution list with the goal of luring users to follow a URL or execute a program/attachment that loads a specific type of malware via their web browser. Once the malware is loaded, it can be used as a gateway into your internal network. Not all computers that are infected by malware are the target of an attack; some are just stepping stones to gain access to the internal network where pivot-and-attack will begin.

OR

• An attacker may use vulnerable plug-ins that may be targeted by using a phishing technique where the attacker could be waiting to scan your browser for vulnerable plug-ins. Once a vulnerable plug-in has been located, the attacker can enter your system and migrate from the browser to another process.

A favorite next step for attackers is to migrate to an anti-virus process, because most anti-virus programs do not self scan, thereby making it even easier to avoid detection. Migrating to another process enables the hacker to maintain the connection to the user’s computer, even after the browser is closed. The hacker will then either attempt to elevate privileges and load a root kit or simply use that system to pivot and attack.

Where are the Vulnerabilities?

The most common cause behind the presence of vulnerable applications: failing to stay on top of security updates, either because of lack of time; an administrative policy failing to allow for frequent updates; or updates breaking custom programs/applications.

Why Should You Worry About Traffic Coming From Inside Your Network?

It is common for companies to think that no one inside the company would initiate an attack on the internal network. With a large amount of companies configuring their firewall rules to protect their internal assets only from external sources, attackers “on the inside” have an excellent vector from which to pivot and attack.

Keeping up to date on patches and security updates is a good start toward protecting your network. Installing an intrusion detection system (IDS) or intrusion prevention system (IPS) is a good way to catch some of the internal intrusions, but any security control needs to be re-assessed periodically to make sure it is catching everything. It is important, for example, to know that your IDS/IPS rules are capturing known exploit command executions and even common machine-level shell code that is being executed from within the exploit.

Network security is a balancing act between security and accessibility. There is no hard and fast way to achieve and/or maintain perfect security on any network. The goal of any security controls and countermeasures should be to defend your network while maintaining ease of use and accessibility. The most important idea to take away from this article is that you must maintain security from the inside just as you do from the outside.