Dark web cloud services make spoofing device identities easier, helping attackers infiltrate companies protected by zero-trust network access (ZTNA) policies. The report also finds risk assessment compromised by Amazon Sidewalk and other consumer applications.
TEL AVIV, Israel, August 17, 2021 — Cato Networks, the provider of the world’s first SASE platform, announced today the results of its quarterly analysis of global enterprise networks. The Cato Networks SASE Threat Research Report Q2, 2021 analyzed 263 billion enterprise network flows between April and June 2021. Cato researchers showed a novel use of Houdini malware to promote the spoofing of a device. The report also documents how Amazon Sidewalk and other consumer applications operate on many enterprise networks, undermining effective risk assessment.
“Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. “With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment.”
Houdini Exploits Network Layer to Exfiltrate Device Configuration Information
For years, enterprises have relied on device identity to authenticate users. More recently, the development of ZTNA and SASE architectures called for using device ID (in addition to user identity and location) to decide user access rights to corporate resources. Spoofing device IDs has therefore become a top priority for attackers, with the tooling evolving from simple point solutions to cloud-based services. Verifying device identity has in turn become crucial for strong user authentication.
Our research suggests that device identity spoofing threatens to become far more prevalent. Houdini is a well-known remote access trojan (RAT), but our research shows this particular use is novel. Houdini exfiltrated data within the User-Agent field, an approach that often goes undetected by legacy security systems. Cato Research Labs identified such threats only by cross-correlating security and network information.
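As an added illustration (not code from the report or from Cato), the following Python snippet shows the kind of check such cross-correlation implies: proxy records are scanned for User-Agent values that look like data carriers rather than client labels, and hits are grouped per device. The log records and the baseline of known-good User-Agent prefixes are constructed for this example.

```python
import math
import re

# Constructed sample proxy records (device id, destination, User-Agent); not data from the report.
SAMPLE_LOGS = [
    ("dev-001", "updates.example.com",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0 Safari/537.36"),
    ("dev-002", "cdn.example.net", "Microsoft-CryptoAPI/10.0"),
    # Constructed: host, user and OS details packed into the UA field as delimited text
    ("dev-003", "198.51.100.23", "WS-FIN-07|jdoe|Microsoft Windows 10 Pro|x64|AV:Defender"),
    # Constructed: an encoded blob carried in the UA field
    ("dev-004", "203.0.113.9", "aG9zdD1XUy1GSU4tMDg7dXNlcj1hc21pdGg7b3M9V2luZG93cyAxMDtkb21haW49Y29ycA=="),
]

# Assumed baseline of legitimate UA prefixes, learned from the enterprise's own traffic.
BASELINE_PREFIXES = ("Mozilla/", "Microsoft-CryptoAPI/", "Microsoft-Delivery-Optimization/")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or compressed payloads score higher than natural UA strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_ua_reasons(ua: str) -> list:
    """Return why a User-Agent value looks like smuggled data; an empty list means it looks normal."""
    reasons = []
    if not ua.startswith(BASELINE_PREFIXES):
        reasons.append("not in UA baseline")
        if shannon_entropy(ua) > 4.5:  # only weighed for unknown clients to limit false positives
            reasons.append("high entropy")
    if BASE64_RUN.search(ua):
        reasons.append("base64-like run")
    if ua.count("|") >= 3:  # delimited fields suggest host/user/OS data packed into the header
        reasons.append("delimited fields")
    return reasons

def detect_ua_exfil(logs):
    """Correlate per device: each flagged device maps to the destinations and reasons observed."""
    findings = {}
    for device, dest, ua in logs:
        reasons = suspicious_ua_reasons(ua)
        if reasons:
            entry = findings.setdefault(device, {"dests": set(), "reasons": set()})
            entry["dests"].add(dest)
            entry["reasons"].update(reasons)
    return findings
```

Joining the flagged devices against the identity or ZTNA posture store then shows which "verified" devices were in fact sending their configuration out in plain sight.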
Spoofing-as-a-Service offerings are one example: cybercrime forums provide virtual or physical machines, built to an attacker's specified requirements, from which to launch an attack. “With cybercriminals offering, a hard-to-come-by solution is now more widely available,” says Maor. “The bar for launching attacks against organizations is lower — enabling and motivating newcomers in the cybercrime field.” For additional information about Spoofing-as-a-Service and its implications, read this blog.
Amazon Sidewalk, Consumer Applications Undermine Enterprise Risk Assessment
In addition, the report found that the rapid move to work-from-home and adoption of bring-your-own-device have blurred the lines between professional and personal networks. Cato Research Labs found hundreds of thousands of Sidewalk flows, with some enterprises having hundreds of such devices. “How can you possibly assess company risk when there is no visibility to what devices and applications truly reside on the network?” asks Maor.
To read the report in full, visit https://go.catonetworks.com/Q221-SASE-Threat-Research-Report.html