Cisco Software Hacked: 3 Lessons Companies Can Learn

The recent announcement of a security breach by networking giant Cisco has left many rolling their eyes, wondering, “why can’t these companies figure out security?” The reaction is understandable, especially given that Cisco is a major provider of security tools, software, and services.

While Cisco is a leading software and consultancy service provider in the security space, the reality is that, regardless of the company, there is very little room for failure in security controls. Malicious actors do not need a welcome sign to gain access. As this high-profile attack demonstrates, a single control, process, or vulnerability left unaddressed is enough to put an organization at risk.

What can security-conscious companies learn from the Cisco breach? Rather than diagnose the incident from the outside or rehash technical details of how the breach happened, we might, more usefully, ask whether anything Cisco could have done differently might have prevented the breach from succeeding. With that view, let’s dig into some of the lessons we can learn from the information that has been disclosed about the Cisco ransomware attack.

People are Human

One of the first lessons that can be pulled from this attack is that people are, well, human. Most employees or contractors do not enter the day thinking that they are going to be the cause of a security breach, much less a direct target. They are focused instead on doing their job and doing it as well as they can. But in that effort, they may look for ways to make their life easier.

This was evident in the Cisco attack when it was revealed that passwords had been stored in a personal Google account. The individual was targeted in the hope of obtaining credentials or other information that could be used to conduct an attack. This is a prime example of why security teams should look not only at what controls need to be applied but also at how controls can make life easier for employees and staff. Providing a strong password vault with a layer of MFA attached to it may have saved the credentials from being harvested.

Odd Behavior is Odd

By all reports, Cisco had the recommended controls in place to help protect them. They had MFA implemented on their VPN to ensure that credentials alone would not be enough to compromise their network. Unfortunately, MFA systems can be bypassed by a motivated individual, either through a man-in-the-middle style attack or, in this case, by acting like a toddler at dinner.

The attackers essentially annoyed the employee into accepting a login, which allowed them to gain a foothold in the network. The odd behavior that should have triggered an alert is the repeated login attempts without a successful MFA authentication. This behavior would be odd for a legitimate employee, and a simple phone call could have identified that the employee had a personal account taken over.
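The alerting rule described above, sketched as an added example (not from the original article or from Cisco): it flags a burst of denied or timed-out MFA pushes for one user, and any approval that follows such a burst. The log layout, field names, window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout is an assumed format,
# not the log schema of any particular MFA or VPN product.
SAMPLE_LOG = """\
2024-01-15T02:11:05Z user=asmith event=mfa_push result=denied src=203.0.113.7
2024-01-15T02:11:40Z user=asmith event=mfa_push result=timeout src=203.0.113.7
2024-01-15T02:12:10Z user=asmith event=mfa_push result=denied src=203.0.113.7
2024-01-15T02:13:02Z user=asmith event=mfa_push result=denied src=203.0.113.7
2024-01-15T02:14:30Z user=asmith event=mfa_push result=timeout src=203.0.113.7
2024-01-15T02:15:12Z user=asmith event=mfa_push result=approved src=203.0.113.7
2024-01-15T09:00:01Z user=bjones event=mfa_push result=timeout src=198.51.100.20
2024-01-15T09:00:40Z user=bjones event=mfa_push result=approved src=198.51.100.20
"""

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 4                   # assumed: failed pushes per user inside WINDOW

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, reason, timestamp) alerts for bursts of failed MFA pushes."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failed = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = []
    for ev in events:
        if ev.get("event") != "mfa_push":
            continue
        q = failed[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once when the burst reaches the threshold
                alerts.append((ev["user"], "repeated_failed_push", ev["ts"]))
        elif ev["result"] == "approved":
            if len(q) >= threshold:  # approval right after a burst: call the user
                alerts.append((ev["user"], "approval_after_failed_burst", ev["ts"]))
            q.clear()
    return alerts

if __name__ == "__main__":
    for user, reason, ts in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {reason} user={user}")
```

The second alert type is the one that warrants the phone call: an approval arriving immediately after a run of rejected prompts.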

Additionally, what we can learn from this is that MFA alone is not enough to prevent an attack. In this case, utilizing a third layer of MFA that validated that the system was authorized to connect may have assisted in preventing the attack. However, if the attacker was coming from the device itself, this control would not have helped. If the latter was the case, then a network monitoring device on the endpoint could have indicated that the device had an active SSH or RDP session in place or a reverse shell to an external IP address, which would have registered as unusual behavior.

Layers for the Win

Another lesson we can learn from this is that a layered approach to security is required to protect an organization. Cisco was able to confirm that the attackers attempted to deploy ransomware, which was thwarted by security controls on their systems. When this was not successful, the attackers had to resort to other tactics, which allowed them to be detected.

By having robust logging and monitoring, Cisco was able to detect and stop the movement of the attackers in their network. As the attackers elevated permissions and attempted to move laterally, these actions were detected due to unusual behavior. Additional monitoring of privileged account actions within the environment also assisted in detecting unusual behavior. By focusing on controls that allowed for detection of actions taken inside the network, Cisco was able to determine that they had a compromise, which allowed them to stop it before it was fully mature, conduct a robust investigation, and remediate the issue.

While these are not all the lessons that we could learn from this event, they are certainly among the most important. It is not always entirely clear to outside observers how a breach happened, but it must be noted that in this case, Cisco was incredibly open about the attack, allowing those in the security industry to analyze the event and learn its lessons without having to go through it themselves.

This further proves that security is a moving target that requires constant assessment and adjustment to thwart, detect, or minimize attacks. It should remind us that even the largest companies with the highest security budgets are not impenetrable.