Heightened geopolitical tensions led to a recent warning from CISA on strengthening cyber defenses in anticipation of increased nation-state cyber-attacks.
While we know which nation-states we are most concerned with, targeting defenses against them is tricky. These attackers have abundant resources and wage dynamic, persistent campaigns. Common cyber defense solutions, by contrast, are typically static, single-context, or both.
Attackers Love the Proxy Loophole – and your NextGen Firewall is one reason why
The ‘Proxy Loophole’ is an extremely popular way for attackers to evade detection: the time-tested practice of hopping between hijacked systems (or botnet nodes) around the world and using each one as a proxy from which to launch attacks.
Threats work systematically through their stack of proxies in different countries. From each one they run reconnaissance scans that inform their attack strategy. A firewall geo-filter or blacklist may drop a given connection, but the threat persists: it keeps what it has learned and simply moves on to the next proxy. Once enough has been learned, the attacker proxies through their highest-value assets, US-based IP addresses. These will most likely bypass geo-filtering and may not appear on any known threat intelligence list, and by then the attacker is well equipped to penetrate your network.
Turning the Tables
Attackers rely on this sequence because it works so well. With each recon scan, they gain knowledge, and with each movement, they increase their probability of success. But what if you flip the script? What if you could easily make this whole process work against them?
Imagine that instead of getting a little smarter with each scan, they got weaker, and that each proxy move lowered rather than raised their chance of a successful attack. Decoys and deceptive tactics at your network edge can, in fact, readily accomplish both.
3 Steps to Close the Proxy Loophole on Malicious Nation-State Attackers
Deploying the principles of a moving-target defense (MTD) based on deception at your network edge can effectively foil attackers. Deception-based MTD makes it nearly impossible to size up your network accurately and formulate an effective attack plan. Instead, each recon scan returns bogus information that weakens the attack strategy, and each proxy move costs the attacker one more proxy or bot, which is added to an enterprise-wide, wire-speed blacklist specific to your network.
Turning the tables on the attacker and closing the proxy loophole requires the following:
- Set Your Traps: deploy exterior-facing decoys at your network edge. Saturate your perimeter with lightweight, software-based decoys that present the appearance of vulnerabilities and/or available services. Because the decoys are software, adding them requires no additional systems or infrastructure, and because they expose no real service, they give the attacker a false set of targets to chase without opening a new path into your network. One caveat a practitioner should keep in mind: the decoy listener is itself exposed code, so keep it minimal and patched like anything else on the edge.
- Sow Confusion: rotate the decoys to create the appearance of a moving target. Schedule your perimeter decoys to vary by country, company, rate, time and other factors, so that each time a threat scans and moves it sees something different.
- Automate Blocking: harvest threat intelligence from real-time perimeter activity and apply it to blocking rules. The system automatically harvests the intelligence gathered at your network edge and writes a blocking rule that prevents the threat from coming back. This is unlike a plain firewall drop, which discards the packet but does nothing to stop the same source returning over and over.
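The three steps above, modelled end to end as an added example (this is illustrative code written for this page, not the original author's product or any vendor's implementation): a keyed per-window rotation of which decoy services are exposed, a parser for decoy-hit log lines, and a generator that turns every source that touched a decoy into a firewall block rule. The decoy catalogue, the log line format, the allowlist and the nftables table/set name are all assumptions made for the example.

```python
"""
Toy "deception at the edge" pipeline: rotate which decoy services are
exposed per time window, parse decoy-hit log lines, and turn every source
that touched a decoy into a firewall block rule. Added example, not from
the original post; the log format, decoy catalogue, allowlist and nftables
set name are assumptions.
"""
import hashlib
import ipaddress
import re
from datetime import datetime, timezone

# Constructed decoy catalogue: (service name, TCP port). A real decoy is a
# lightweight listener; only the exposure schedule is modelled here.
DECOY_CATALOGUE = [("ssh", 22), ("telnet", 23), ("smb", 445), ("rdp", 3389),
                   ("mysql", 3306), ("redis", 6379), ("vnc", 5900), ("ftp", 21)]

# Sources that must never be auto-blocked: RFC 1918 space plus an assumed
# range for your own vulnerability scanners (198.51.100.0/24 is TEST-NET-2).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "198.51.100.0/24")]

# Assumed decoy log format, one hit per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) decoy=(?P<decoy>\w+) port=(?P<port>\d+) src=(?P<src>\S+)")

# Two hourly windows used by the demo below (constructed).
WINDOWS = [datetime(2024, 3, 1, h, tzinfo=timezone.utc) for h in (10, 11)]


def decoys_for_window(secret: bytes, window_start: datetime, count: int = 3):
    """Step 2 (sow confusion): choose which decoys to expose in one hourly
    window. The choice is keyed on a secret so the attacker cannot predict
    the rotation, and on the window so a scan an hour later sees a different
    set of 'services'. Deterministic, so every edge node agrees."""
    tag = window_start.strftime("%Y-%m-%dT%H").encode()
    ranked = sorted(
        DECOY_CATALOGUE,
        key=lambda svc: hashlib.sha256(secret + tag + svc[0].encode()).digest(),
    )
    return ranked[:count]


def harvest_sources(log_lines):
    """Step 3 (harvest): no legitimate client has a reason to touch a decoy,
    so every source in the decoy log is a candidate for blocking. Returns
    {source_ip: {decoys it hit}}; malformed lines and allowlisted sources
    are skipped rather than blocked."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if any(src in net for net in NEVER_BLOCK):
            continue
        hits.setdefault(str(src), set()).add(m["decoy"])
    return hits


def block_rules(hits):
    """Step 3 (block): one nftables set element per source. The table and
    set name are assumed; a drop rule matching 'ip saddr @decoy_hits' is
    expected to exist. Unlike a geo-filter drop, this is keyed on the
    specific proxy the attacker used, so that hop is lost to them."""
    return [f"add element inet filter decoy_hits {{ {src} }}"
            for src in sorted(hits, key=ipaddress.ip_address)]


# Constructed sample log: one attacker hitting two decoys from one proxy,
# an allowlisted internal scanner, a second attacker, and a garbage line.
SAMPLE_LOG = [
    "2024-03-01T10:15:00Z decoy=ssh port=22 src=203.0.113.7 action=connect",
    "2024-03-01T10:15:04Z decoy=rdp port=3389 src=203.0.113.7 action=connect",
    "2024-03-01T11:02:10Z decoy=smb port=445 src=198.51.100.9 action=connect",
    "2024-03-01T11:40:33Z decoy=redis port=6379 src=192.0.2.44 action=connect",
    "unrelated line that must be ignored",
]

if __name__ == "__main__":
    secret = b"rotate-me-per-deployment"  # assumed per-deployment secret
    for window in WINDOWS:
        print(window.isoformat(), "exposing", decoys_for_window(secret, window))
    for rule in block_rules(harvest_sources(SAMPLE_LOG)):
        print("nft", rule)
```

Two design points worth keeping when adapting this: the allowlist check runs before anything is written to the block set, because an automated rule writer that can block your own scanners or monitoring is a self-inflicted outage; and the rotation is derived from a secret plus the time window rather than from a random draw, so every edge node exposes the same decoys in the same window without coordination while the attacker still cannot predict the next window.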