By Philip Griffiths and Clint Dovholuk
Being crushed by scan and exploit
We are getting crushed in the cybersecurity war. Attackers are disrupting our businesses by attacking any and all exposed connections. According to the 2021 IBM Security Threat Intelligence Index, the #1 attack vector was scan and exploit; this was before the ‘worst security exploits of all time’ – known as Log4Shell. The question is, how can we stop these types of attacks – that is external network breaches including DDoS, CVE or zero day exploit, brute force, port scans etc – without stopping your business, innovation and inconveniencing your users?
We don’t need to explain Log4Shell here – if you do want to know more about how bad it is, see the link above. Let’s point out a few important things:
- After the 5th CVE to be discovered in Log4j in a month, it is clear…It’s easy to see missing features, it’s not nearly so easy to see security vulnerabilities
- Developers are constantly instructed to focus on features rather than security. This is not our fault, it’s our system. Security is often an after-thought; we try our best but deep down we worry
- Internet facing systems with exposed ports allow these vulnerabilities to be attacked remotely. Recent Palo Alto research found 96% of honeypot systems exposed to the internet are compromised within a single 90-second period![1]
- Nation-state actors could be weaponizing zero-day vulnerabilities via stricter vulnerability disclosure regulation[2]
Zero trust principles are required to stop being crushed in the cybersecurity war – but many ‘zero trust’ solutions could not have stopped the largest attacks of 2021 (incl. Log4shell) as those solutions focus on remote access. We need close all inbound network connections for all applications and systems to disrupt the Reconnaissance and Initial Access Tactics (as defined by MITRE ATT&CK) as well as restricting lateral movement. Closing these connections will suffocate ransomware – mitigating the biggest risks of Log4Shell – but it would suffocate your entire business! That’s unacceptable, so what’s the solution?
We need private, zero trust connectivity which can be embedded into applications and systems so that it is transparent to users. We need these principles applied across any use case, enabling businesses to hide all apps, APIs, servers, database calls, etc. behind a zero-trust overlay network. How can we possibly close all network connections without closing the business?
Stop getting crushed with Ziggy
OpenZiti can help you close all inbound network connections without closing the business. OpenZiti is the next generation of secure, open-source networking and has a mascot called Ziggy – If you want to say ‘hi’ to Ziggy, you can learn more about his secrets here. OpenZiti provides everything you need for a truly private, zero trust overlay network. As a developer, you can (*and should*) embed ziti directly into your applications using our SDKs. With zero trust principles in your application, even if another app is compromised on your OS. Your ‘zititified’ app is immune to network-based side-channel attacks since it will have no listening ports and can only be accessed using OpenZiti. OpenZiti in your app is totally transparent to users and will enforce authorization applications before connecting to the network. Applications are also micro-segmented, communication is E2E encrypted, metadata obfuscated, continual authorization is possible using posture checks, and more.
External network-level attacks (CVE exploit, DDoS, brute force etc) become all but impossible; lateral movement is hugely restricted. OpenZiti reduces the potential attack vectors from billions of malicious actors to only those you trust; this is probably an order of magnitude reduction of potential attackers – zero-day exploits become virtually impossible! Your improved security posture does not stop the business. Developers can now incorporate secure-by-design as a feature, simply by adopting OpenZiti. Together we are reinventing the network.
NetFoundry’s Head of DevOps, Mike Guthrie, says he sleeps better now he has locked down all his tools – read his blog here. This includes implementing ‘Bastion Dark Mode.’
Sounds great right? How do you get it? OpenZiti is open source! Run it locally, use docker, host it yourself! If you don’t want that hassle or if you don’t want to support it, let NetFoundry do if for you.
So really… if your application or server is ‘dark’ – do you care about Log4Shell?
[1] https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/these-researchers-wanted-to-test-cloud-security-they-were-shocked-by-what-they-found/
[2] https://www.theregister.com/2021/12/23/alibaba_cloud_in_trouble_with/
