Are Backdoors Sitting in Your Environment?
Have you ever hidden a house key under a doormat or flowerpot on your porch for a trusted friend to use on occasion? Have you ever made a copy for a neighbor to use in an emergency while you are out of town? Ever taped a key to your car underneath the back bumper? These are examples of backdoors that were created intentionally. A backdoor is a secret entry point that, if ever compromised, gives an intruder easy access.
Conventional Backdoors in Your Network
Backdoors exist in computer networks too. Like the hidden house key, they are a secret entry point that allows remote access into the network. These backdoors are sometimes created intentionally by a system administrator, for remote access while on vacation or for testing purposes. They may take the form of an open port, a disabled local system firewall, or a hidden privileged account known only to the administrator. Unless negligence is involved, these entry points are still protected by some type of access control mechanism, but they remain a weak entryway that can be exploited by an unauthorized attacker.
These intentional entry points are commonly referred to as conventional backdoors. Some vendors embed such backdoors into their software or hardware for product support and maintenance purposes. An application may also include hidden services or commands that allow remote access to its software functions. Even the default administrative login credential is a form of backdoor that gives remote installers easy access in initial deployments.
Sometimes a backdoor is created by accident. A firewall administrator may modify a firewall policy or routing table and inadvertently create an attack avenue. Accidental backdoors can also be created by software bugs or system misconfigurations. These present a serious security risk because IT personnel are unaware of their existence, allowing them to persist for long periods.
Then there is the most dangerous backdoor of all. Imagine a criminal that was able to copy your house key without your knowledge. That is the equivalent of an unconventional backdoor into your network. They are created by threat actors with malicious intentions and are usually created once they have infiltrated your network and established some type of foothold. Examples of unconventional backdoors include the following:
- Malicious code that is injected into a system or application
- Rootkits or other malicious tools used to create a backdoor by creating hidden accounts, modifying authentication mechanisms, manipulating network traffic or disabling security software
- Covert communication channels created to transmit code and information to and from a compromised system
- Side-channel attacks that exploit weaknesses in a system’s physical or electrical characteristics to gain knowledge about the system in order to compromise it
A backdoor can be created just about anywhere. The most famous example was the 2014 Target data breach in which attackers accessed the company’s network through the HVAC system. A more recent example was the SolarWinds attack in which attackers gained access to SolarWinds software and inserted a backdoor into a software update. The update was then downloaded by many SolarWinds customers, thus giving the attackers access to those networks.
Unconventional backdoors can be very difficult to detect. In one ransomware incident, investigators estimated that the attack perpetrators had installed a backdoor five months before they began laterally moving through the network to study it.
Preventive Steps to Close Backdoors
While unconventional backdoors may be hard to detect, there are some basic steps you can take to help prevent them.
- Delete all default admin accounts from all newly purchased systems. If you cannot delete them then at the very least change the default password. Default logins for just about any device are readily available on the internet.
- Enforce a strict password policy. While many organizations still use an 8-character standard, many cybersecurity professionals recommend a 12-character password, as modern processors can easily crack one of only eight characters. The policy should also enforce password complexity and disallow the names of cities, sports teams and other words or phrases that can be easily guessed.
- While allow-list protection of your computer devices may not be convenient, it is highly effective at preventing the creation of backdoors. This granular level of protection prevents unauthorized executable code or software from being deposited or installed on the machines. Allow-list protection essentially makes a computer a read-only device.
- Use your firewall to block outbound DNS requests and point all connected devices to an internal authorized DNS server that forwards requests externally from there. This simplifies logging and interferes with malware that attempts to bypass the configured DNS settings.
- EDR tools can help deter backdoors by detecting and responding to suspicious behavior that may indicate the presence of a backdoor, using behavioral monitoring or signature-based detection. They also provide enhanced visibility into those devices and leverage the latest threat intelligence.
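The DNS step above pays off only if someone reviews the resulting firewall logs. The following is an added example, not code from the original post or from CYREBRO: it scans constructed firewall log lines for hosts other than the internal resolver that sent DNS or DNS-over-TLS traffic to external addresses. The resolver address, the internal range and the key=value log format are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Policy from the article: only the internal resolver may talk DNS to the outside.
AUTHORIZED_RESOLVER = ipaddress.ip_address("10.0.0.53")   # assumed address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed internal range
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS; DoH on 443 needs other telemetry

# Constructed log format (not any real product's): one key=value record per line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")

SAMPLE_LOGS = """\
src=10.0.0.53 dst=1.1.1.1 proto=udp dport=53 action=allow
src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53 action=allow
src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53 action=deny
src=10.0.5.21 dst=8.8.8.8 proto=udp dport=53 action=deny
src=10.0.7.9 dst=9.9.9.9 proto=tcp dport=853 action=allow
src=10.0.7.9 dst=93.184.216.34 proto=tcp dport=443 action=allow
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_dns_bypass(log_text):
    """Return {src: [(dst, dport, action), ...]} for every host other than the
    authorized resolver that sent DNS/DoT traffic to an external address."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, dst, _proto, dport, action = m.groups()
        src_ip, dst_ip, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if dport not in DNS_PORTS or is_internal(dst_ip):
            continue  # not DNS, or traffic staying inside the network
        if src_ip == AUTHORIZED_RESOLVER:
            continue  # the resolver is allowed to forward externally
        findings[str(src_ip)].append((str(dst_ip), dport, action))
    return dict(findings)

def summarize(findings):
    """Per host: (blocked count, allowed count). Blocked hits show a host still
    trying to bypass the resolver; allowed hits show a gap in the block rule."""
    return {h: (sum(a == "deny" for _, _, a in v), sum(a == "allow" for _, _, a in v))
            for h, v in findings.items()}

if __name__ == "__main__":
    for host, counts in summarize(find_dns_bypass(SAMPLE_LOGS)).items():
        print(host, "blocked=%d allowed=%d" % counts)
```

In the sample, 10.0.5.21 is being blocked as intended but still deserves a look, while 10.0.7.9 reached an external resolver over port 853, which the block rule evidently did not cover.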
How a SOC Can Help
When you consider that some of the biggest corporations are victimized by backdoors, SMBs and organizations with security personnel gaps may wonder how they even have a chance of stopping them. Many businesses are turning to a third-party security operations center (SOC). SOCs have become so effective at securing business networks that they are becoming a top requirement of cyber insurance providers. SOCs have experienced personnel specifically trained in threat hunting and forensic investigation who can identify and stop backdoors before they are fully put into place. A case in point was when a CYREBRO team identified an outbound traffic connection from a North American casino client. They also boast years of experience that make them adept at connecting all the dots that can point to backdoors of all types. SOCs can perform regular vulnerability assessments and prioritize the patching of vulnerabilities that are commonly exploited by hackers.
The concept of a backdoor into your network is simple to understand, but like most situations in cybersecurity, it is not easy to identify or stop. That is why you need the right people with the right tools to subvert backdoor attempts before they become operational and let the bad guys in.