Great Wing

The Five Pillars of Zero Trust
/five-pillars/ | Thu, 19 Feb 2026 19:00:22 +0000 | /?p=13384
Dr. Jonathan Ben-Benjamin, AJ Comerford, Moshe Ben-Benjamin

The Challenge

“Only the paranoid survive.” – Andy Grove, former CEO, Intel

The paradigm of traditional corporate firewalls and endpoint security is obsolete. The modern workforce has embraced more interconnected systems, such as remote access or third-party integrations, which continue to blur the lines between intranet, internet, IT, and IoT. Every organization now fights the battle against de-perimeterization – the process of removing the boundaries between an organization and the outside world while trying to keep their company secure. The zero trust security model is emerging as the architectural solution to address the challenges posed by de-perimeterization.

No more business as usual: What is zero trust security?

“Recent cyber incidents… demonstrate that “business as usual” approaches are no longer sufficient to defend the nation from cyber threats.” [1] – CISA

Traditional security models work by authenticating users at a network’s border. All actions and queries within the network are trusted to be safe and legitimate.

The zero trust model treats every transmission as though the network has been compromised. It responds to queries only if they can be verified – regardless of where the request originates or what resource it attempts to access.

Make bold changes with Great Wing

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” [2] – White House Briefing on Zero Trust

In a radical departure from the traditional trust-by-default paradigm, Great Wing takes a trust-by-exception approach. We provide an integrated zero-trust system that automatically detects, responds to, and reports threats, preventing undesired events across your organization.

Great Wing: Zero trust by design

“After gaining access to an organization’s network, one of the most common techniques malicious cyber actors use is lateral movement through the network, gaining access to more sensitive data and critical systems. The Zero Trust network and environment pillar curtails adversarial lateral movement by employing controls and capabilities to logically and physically segment, isolate, and control access (on-premises and off-premises) through granular policy restrictions.” [3] – NSA

At the core of Great Wing products is a revolutionary secure internet protocol called Wormhole™, where all IP/TCP/UDP communications between parties are verified per packet. With this fine-grained approach, intruders don’t get an opportunity to exploit the network. They are immediately detected, blocked, and reported. To implement this system, our protocol uses large symmetric key encryption and message obfuscation techniques. They ensure only the proper recipient can reconstruct and decrypt packets. Combining these techniques renders traditional network reconnaissance and exploits useless.

Great Wing satisfies CISA Zero Trust

What is the CISA Zero Trust Maturity Model?

How does the Great Wing architecture help your organization satisfy the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model?

The Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model outlines five pillars that organizations should focus on during a zero trust implementation:

1.  Identity

2.  Devices

3.  Networks

4.  Applications and workloads

5.  Data

Great Wing’s products are designed to fully satisfy CISA’s five pillars to the highest and most reliable and secure standards. Here is how:

Pillar 1: Identity

“Agencies should ensure and enforce user and entity access to the right resources at the right time for the right purpose without granting excessive access. Agencies should integrate identity, credential, and access management solutions where possible throughout their enterprise to enforce strong authentication, grant tailored context-based authorization, and assess identity risk for agency users and entities. Agencies should integrate their identity stores and management systems, where appropriate, to enhance awareness of enterprise identities and their associated responsibilities and authorities.” [1] – CISA

“Authenticating user identities and granting those users access only to approved enterprise resources is a fundamental capability of zero trust security.” [4] – IBM

Great Wing’s Wormhole™ protocol embeds an identity architecture based on a unique patented authentication and authorization scheme. Each account and device is assigned a unique identity-key that seeds a dynamic mixing protocol applied to all packets related to an ‘identity.’ How packets are sent, received, ordered, and mixed is uniquely identifiable to each account and device. Any deviation from this pattern is immediately detected and reported. Once detected, our policy engine is triggered to perform follow-up actions such as credential revocation, intrusion alerts, or other countermeasures.

Pillar 2: Devices

“Agencies should secure all agency devices, manage the risks of authorized devices that are not agency-controlled, and prevent unauthorized devices from accessing resources. Device management includes maintaining a dynamic inventory of all assets including their hardware, software, firmware, etc., along with their configurations and associated vulnerabilities as they become known.” [1] – CISA

“Every device that connects to a network resource should be fully compliant with the zero trust policies and security controls of the organization. This includes workstations, mobile phones, servers, laptops, IoT devices, printers and others. Zero trust organizations maintain complete and current inventories of all authorized endpoint devices. Unauthorized devices are denied network access.” [4] – IBM

Great Wing software is built to be universal and compatible with many types of devices: PCs, phones, laptops, tablets, and so on. Once devices are on a Great Wing network, they are assigned an identity-key and can “speak” only in the Wormhole™ protocol. Devices are immediately identified, registered, and traced. Since an identity key is generated per device, a Wormhole instance bound to the identity key of one device will not run on a different device.

Great Wing software’s device-authentication mode:

  • Includes access controls for physical devices across the company’s network
  • Uses hardware – in addition to software – for zero-trust authentication

Pillar 3: Networks

“ZTAs (Zero Trust Architectures) permit agencies to manage internal and external traffic flows, isolate hosts, enforce encryption, segment activity, and enhance enterprise-wide network visibility. ZTAs permit security controls to be implemented closer to the applications, data, and other resources and augment traditional network-based protections and improve defense-in-depth. Each application can be treated uniquely by the network for its demands on access, priority, reachability, connections to dependency services, and connection pathways.” [1] – CISA

“Organizations move from traditional network segmentation to microsegmentation in a zero trust environment. Resources and workloads are separated into smaller, more secure zones, which help organizations better contain breaches and prevent lateral movement. Threat actors cannot even see resources they are not authorized to use. Organizations might also deploy other network threat prevention methods, such as encrypting network traffic and monitoring user and entity behaviors.” [4] – IBM

Network segmentation and micro-segmentation are built into Great Wing’s Zero Trust Protocol. The protocol’s mixing capabilities ensure that packets from accounts and devices with appropriate permissions are correctly reassembled on receiving devices within the same segmented network. By default, all accounts and devices are given the minimum permissions necessary, which must be explicitly added by administrators.

Pillar 4: Applications and workloads

“Agencies should manage and secure their deployed applications and should ensure secure application delivery. Granular access controls and integrated threat protections can offer enhanced situational awareness and mitigate application-specific threats.” [1] – CISA

“The Zero Trust model helps organizations ensure that apps, and the data they contain, are protected by: applying controls and technologies to discover Shadow IT, ensuring appropriate in-app permissions, limiting access based on real-time analytics, monitoring for abnormal behavior, controlling user actions, and validating secure configuration options.” [5] – Microsoft

By design, Great Wing’s Zero Trust Protocol provides applications with dynamic and continuous authentication and validation, which is the most secure and reliable form of authentication. We rotate keys on a schedule (e.g., every minute, daily) defined by the administrator, and we verify identity on every packet using identity keys. Combined with our policy engine, this gives IT departments all the tools they need to ensure applications implement Zero Trust.

Pillar 5: Data

“Agency data should be protected on devices, in applications, and on networks in accordance with federal requirements. Agencies should inventory, categorize, and label data; protect data at rest and in transit; and deploy mechanisms to detect and stop data exfiltration.” [1] – CISA

“Under a zero trust model, organizations categorize their data so they can apply targeted access control and data security policies to safeguard information. Data in transit, in use and at rest is protected by encryption and dynamic authorization. Organizations continuously monitor data processing for unusual activity that might indicate data breaches or exfiltration of sensitive data.” [4] – IBM

In Great Wing’s Wormhole protocol, data in transit is always encrypted, authorization is always enforced, and network activity is always monitored. With these systems in place, servers speaking the protocol are protected from attacks such as eavesdropping, packet manipulation, data exfiltration, and more.

Great Wing’s Wormhole secure internet protocol satisfies all five pillars of zero trust. Installation is easy and requires no change to your infrastructure or network methodology. Learn more at greatwing.com.

References:

[1] Cybersecurity and Infrastructure Security Agency

https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf

[2] The White House on implementing Zero Trust

https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity

[3] NSA on Zero Trust

https://media.defense.gov/2024/Mar/05/2003405462/-1/-1/0/CSI-ZERO-TRUST-NETWORK-ENVIRONMENT-PILLAR.PDF

[4] IBM on Zero Trust

https://www.ibm.com/think/topics/zero-trust

[5] Microsoft on Zero Trust in applications

https://learn.microsoft.com/en-us/security/zero-trust/deploy/applications

DDoS Attacks Mitigated Instantly
/ddos-attacks-mitigated-instantly/ | Tue, 27 Jan 2026 19:38:24 +0000 | /?p=13340

On April 6, 2025, our site was the target of a large-scale Distributed Denial-of-Service (DDoS) attack originating from multiple sources across Turkey. The attack included a range of methods — from basic SYN floods to more advanced ACK and FIN-based attacks and combinations thereof — all aimed at disrupting our services.

Thanks to our advanced NTAC (Network Traffic Analysis and Control) system, the attack was fully neutralized in under nine minutes. NTAC automatically identified and blocked all 235 malicious IP addresses involved — without any human intervention and with zero impact on server availability or network performance.

You are welcome to try to bring our site down with any DoS attack. If you’re considering testing our defenses, be advised: NTAC responds instantly. Any IP address used to launch a denial-of-service attack will be automatically and permanently blocked from accessing our site.

Was your IP blocked?

To verify that your IP has been blacklisted and that our site remains operational, simply try accessing this page from a different IP address. The attack report will list any IP addresses that were detected and blocked during the incident.

Requesting Removal

If your IP was mistakenly flagged or you’d like to request removal, please contact us directly with a list of the affected IP addresses.

Defending Against the XZ Utils Backdoor with DefenceDome™ Wormhole™ Protocol
/defending-against-the-xz-utils-backdoor-with-defencedome-wormhole-protocol/ | Tue, 27 Aug 2024 19:14:41 +0000 | /?p=13092

In the ever-evolving landscape of cybersecurity, the recent discovery of CVE-2024-3094, a critical vulnerability within the XZ Utils library, has sent ripples through the tech community. This backdoor, introduced by a rogue maintainer, allows remote code execution (RCE), making it possible for attackers to execute commands remotely on affected systems. Such vulnerabilities pose severe risks to any organization, emphasizing the need for robust, innovative security solutions.

At Great Wing, we understand the necessity to stay ahead of potential threats. Our cutting-edge DefenceDome™ Wormhole™ protocol, orchestrated by the Ghost™ agent, is uniquely positioned to protect against sophisticated threats like the XZ Utils backdoor.

How DefenceDome™ Wormhole™ Protocol Secures Networks Against Backdoors

The Wormhole™ protocol is engineered to safeguard data in transit across the network. Wormhole™ does this by deconstructing network traffic into numerous encrypted ‘puzzles’ disseminated across a vast array of channels and routes. This fragmentation and rerouting make it extraordinarily challenging for attackers to intercept or manipulate data comprehensively.

In the context of the XZ Utils vulnerability, where a backdoor within the SSH process could allow unauthorized command and control (C2), Wormhole™ offers several layers of protection:

  • Intrusion detection: The Ghost™ agent actively monitors network patterns and flags anomalies. Any unexpected traffic to facilitate C2, typical of backdoor exploitation like that seen in CVE-2024-3094, triggers an immediate alert.
  • Traffic anomaly detection: By continuously analyzing the baseline of network activity, Wormhole™ can detect and block unusual traffic patterns. This is crucial for identifying and mitigating traffic coming from enemy remote servers.
  • Secure resolutions: Wormhole™ protocol includes many mechanisms to securely resolve attempts to compromise data sent through the network. It drops packets that fail to conform to its encrypted ‘puzzles’, blocks traffic to suspicious hosts, and swiftly deploys countermeasures against detected threats.
  • Encryption and key management: With its advanced encryption techniques, which are resistant even to quantum computing attacks, Wormhole™ ensures that all data remains secure. Frequent key changes further complicate potential decryption efforts by attackers, adding an additional layer of security.

Beyond Detection: Proactive Prevention with DefenceDome™

DefenceDome’s approach to network security goes beyond mere detection and mitigation. By integrating Wormhole™ into your existing infrastructure, your organization can preemptively neutralize threats before they manifest into breaches. This proactive stance is critical in dealing with backdoors that may lie dormant or undetected within networks for extended periods.

A New Era of Cybersecurity

The discovery of the XZ Utils backdoor underscores a critical need for advanced security measures in an age where traditional methods may fall short. With DefenceDome™ Wormhole™ protocol, organizations can assure that their networks are defended not just against known threats but are also equipped to handle new and emerging ones.

For a more detailed discussion on how DefenceDome™ Wormhole™ can protect your organization from sophisticated cyber threats or to see a demo of the technology in action, contact us at info@greatwing.com.

Protect your network with DefenceDome™ – where security meets innovation.

TunnelVision Protection for Any VPN
/tunnelvision-protection-for-any-vpn/ | Tue, 27 Aug 2024 19:02:18 +0000 | /?p=13086

Recently, researchers have identified a bug in VPNs, named TunnelVision, where bad actors can take advantage of built-in features of DHCP servers (the servers that assign IP addresses) to expose and snoop VPN traffic. The researchers believe that the bug has been around since 2002 and may have been exploited since then.

The researchers suggest mitigations to secure the VPN tunnel, but most are non-starters for many organizations (such as real-time packet inspection, changing operating systems, implementing a patch to the DHCP protocol on your infrastructure, or using VMs to contain the damage) because they are resource-intensive or very hard to implement. They also disclose that even if you include firewall mitigations, those mitigations can still introduce side-channel attacks that expose new vulnerabilities.

At Great Wing, we’ve developed advanced network defenses that prevent this vulnerability with our flagship DefenceDome™ Wormhole™ protocol orchestrated by the Ghost™ agent.

The Wormhole™ protocol contains packet-tampering detection capabilities so if attackers attempt to exploit TunnelVision and perform a man-in-the-middle, the Ghost™ agent will detect traffic inconsistencies, adjust to block the attacker, and reroute traffic to its appropriate destination.

Not only does the Wormhole™ protocol prevent DHCP vulnerabilities, it also solves most of the problems inherent to TCP/IP by translating it to the Wormhole protocol and back again to TCP/IP. Wormhole™ turns network traffic into multiple puzzles and sends them via a very large number of messengers from many sources to many destinations.

For a bad actor to solve the puzzles, they must intercept all the pieces, arrange them in the right sequence, and know which pieces belong to which puzzle. And even if one were to reconstruct the puzzles – which is nearly impossible – it is encrypted using a very long symmetric key that changes periodically. This proprietary method for data transfer is also safe from quantum computers.

The Ghost™ translates TCP/IP into the Wormhole protocol and back again to TCP/IP. It doesn’t remain at a specific IP address or port, but jumps between IP addresses and isn’t accessible to anyone on any network. The DHCP parameters in the Ghost are automatically compiled each time the Ghost is running. Since no one can access the Ghost, no one can change the parameters.

If packets arrive from a different DHCP server on the internet, they will be blocked by the Ghost at each site on the network because of the zero-trust environment of the Wormhole, even though they are in the Wormhole protocol.

DefenceDome™ Wormhole™ protocol orchestrated by the Ghost™

Other vulnerabilities inherent in VPNs

Two VPNs widely used today are FortiGate and Checkpoint. To protect a corporate network using these VPNs and others, you need authentication software or two-way authentication, often using your mobile phone. A bad actor who replicates remote users’ hard drives and hacks their mobile phones has full access to their corporate network, unbeknownst to them. In the hard drive, they can find the username, password, corporate IP addresses, public keys, and more.

With DefenceDome, users can continue using any VPN and the vulnerabilities mentioned above are solved once they add DefenceDome to their system. Even if a bad actor succeeds in replicating a user’s computer and hacking their phone and has access to text messages, emails, usernames, and passwords, the bad actor still cannot access the corporate network.

DefenceDome also provides:

  • Zero-trust environment
  • Protection from Denial of Service (DoS) attacks
  • Protection from eavesdropping
  • Protection from any direct attack on the corporate servers (because they don’t have internet access with our solution)
  • Quantum-resistant encryption
  • Secure VPN-like pathway
  • Reports of attempted attacks

To learn more about DefenceDome technology and how it can protect data in transit for any network without the need to change the network infrastructure, software, or tools contact info@greatwing.com.

“Ghosting” Bad Actors to Prevent DoS Attacks
/ghosting-bad-actors-to-prevent-dos-attacks/ | Tue, 27 Aug 2024 18:54:22 +0000 | /?p=13082

A denial of service (DoS) attack is a malicious attempt to bring down or disrupt a network, servers, or devices connected to the internet so legitimate users can’t use its services. It’s accomplished by crashing the server or flooding the target network with more traffic than it can handle.

Crashing the server is made possible by the “reflex” actions of the TCP/IP protocol, where the server replies to communications that access it. For example, if a server receives a synchronization request (SYN flag) to open a communication, it will reply with an acknowledgement (ACK or SYN ACK flag) and prepare to start a session. When the bad actor receives the ACK flag, they know they hit their target. They then proceed to send numerous SYN flags to create new sessions that use up the server’s memory or CPU.

That’s an example of a SYN attack. There are also ACK attacks, RST attacks, FIN attacks, and combinations of the above and more, which can also crash the server.
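The SYN “reflex” described above (and the per-IP blocking that the DDoS post earlier on this page credits to NTAC) can be illustrated from the defender’s side with a small half-open-handshake detector. This is an added example, not Great Wing’s NTAC, Ghost™ or Wormhole™ code; it assumes a constructed, line-oriented packet log of the form “<epoch_seconds> <src_ip> <dst_port> <tcp_flags>” and counts, per source, how many SYNs arrive in a sliding window versus how many of them are ever followed by an ACK from the same source. A source that sends a burst of SYNs but almost never completes the handshake is flagged, while a busy but legitimate client is not.

```python
"""Rate-based SYN-flood detector over a constructed packet log.

Added illustration, not Great Wing's NTAC/Wormhole code. Log format assumed
for this example only: "<epoch_seconds> <src_ip> <dst_port> <tcp_flags>".
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    syn_times: list = field(default_factory=list)  # timestamps of pure SYN segments
    completed: int = 0                              # handshakes later acknowledged by an ACK


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src_ip, dst_port, flags)."""
    ts, src, port, flags = line.split()
    return float(ts), src, int(port), flags


def max_syns_in_window(times, window_s: float) -> int:
    """Largest number of SYNs from one source inside any window_s-second span (two pointers)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window_s:
            left += 1
        best = max(best, right - left + 1)
    return best


def collect_stats(lines):
    """Per-source SYN timestamps and handshake completions."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ts, src, _port, flags = parse_line(line)
        s = stats[src]
        if "S" in flags and "A" not in flags:           # pure SYN: new connection attempt
            s.syn_times.append(ts)
        elif "A" in flags and "S" not in flags and s.syn_times:
            if "F" not in flags and "R" not in flags:    # plain ACK after a SYN: handshake completed
                s.completed = min(s.completed + 1, len(s.syn_times))
    return stats


def detect_syn_flood(lines, window_s=10.0, syn_threshold=20, min_complete_ratio=0.2):
    """Return {src_ip: reason} for sources whose SYN rate is high and completion ratio is low."""
    flagged = {}
    for src, s in collect_stats(lines).items():
        syns = len(s.syn_times)
        if syns == 0:
            continue
        burst = max_syns_in_window(s.syn_times, window_s)
        ratio = s.completed / syns
        if burst >= syn_threshold and ratio < min_complete_ratio:
            flagged[src] = f"{burst} SYNs in {window_s:g}s, handshake completion {ratio:.0%}"
    return flagged


def _build_sample_log():
    """Constructed sample traffic (not a real capture): one normal client, one busy client, one flooder."""
    rows = [
        (1000.0, "10.0.0.5", "S"), (1000.1, "10.0.0.5", "A"), (1000.5, "10.0.0.5", "FA"),
        (1001.0, "10.0.0.5", "S"), (1001.1, "10.0.0.5", "A"), (1003.0, "10.0.0.5", "FA"),
    ]
    # Busy but legitimate client: 25 connections in 2.5 s, every SYN followed by an ACK.
    for i in range(25):
        t = 1005.0 + i * 0.1
        rows += [(t, "192.0.2.10", "S"), (t + 0.02, "192.0.2.10", "A")]
    # Flood source: 40 SYNs in 2 s that never complete a handshake.
    rows += [(1002.0 + i * 0.05, "203.0.113.7", "S") for i in range(40)]
    rows.sort()
    return [f"{ts:.2f} {src} 443 {flags}" for ts, src, flags in rows]


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, reason in detect_syn_flood(SAMPLE_LOG).items():
        print(f"block {src}: {reason}")
```

Two caveats a defender should keep in mind: thresholds like `syn_threshold` and `min_complete_ratio` have to be tuned against the normal traffic of the service, and SYN floods frequently use spoofed source addresses, so per-IP blocking is only one layer; it is usually paired with SYN cookies or upstream filtering.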

Then there are flood attacks. Once the bad actor knows the IP address of the target, they can overwhelm the network with more traffic than it can buffer, eventually causing it to stop.

Then there’s the Distributed Denial of Service (DDoS) attack, a variation of DoS attack where the bad actor organizes multiple signals from different IP addresses and locations to stop the services or flood the network. There are many more types of DoS attacks, limited only by the malicious actor’s imagination.

Each one of those attacks requires a different solution when you have a server that is exposed to the internet.

What information does the bad actor need to conduct a DoS attack?

To carry out a DoS attack, the bad actor needs two things:

  • The IP address of the target network
  • The port numbers that are open for services

Once they have that information, they can start collecting details about the networks, such as routers, servers, services they are providing, software, operating systems, and so on.

So the first thing the bad actor will do is look for the IP address using tools like ping and DNS lookup. If there’s no DNS associated with the network they’re trying to bring down, they can figure it out by searching the internet for IP addresses used by the company’s ISP. They can use pinging and routing tools to see which ISP is associated with this company.

Once they have the IP address, the bad actor scans for open ports to know which ports to attack. They know they’re successful when they get a response, followed by slower and slower responses. They assume they succeeded in bringing down the service when they don’t get a response at all. (In our next post we will explain how we use this assumption for defense or offense.)

DoS protection today is imperfect

Vendors today offer various solutions to protect networks from DoS attacks, but they are not good enough. Bad actors succeed in denying services to and from networks despite DoS “protections.”

Great Wing has devised different solutions for protecting networks from DoS attacks. Our solutions differentiate between two categories of network services:

  • Public services like web servers and SMTP servers
  • Private services like PLCs or remote desktop applications

Tailoring the DoS solution to the different types of services provides almost perfect DoS protection. In this article we will discuss protection for the second scenario where the network provides private services while allowing access from any IP address.

How to protect your network with private services from DoS attacks

For networks providing private services, the first step in protecting your server and devices is to not use DNS.

Great Wing products don’t require DNS. And we advise our customers not to list their IP addresses on the company name so there won’t be an easy way to find an association between the IP addresses and the organization.

Great Wing developed the Wormhole™ protocol, which solves most of the problems inherent to the TCP/IP protocol and its automatic reflex actions. The Great Wing Ghost™ software translates TCP/IP to the Wormhole protocol and back again to TCP/IP. The Ghost doesn’t remain at a specific IP address or port, but jumps from place to place.

If a bad actor tries to run a DoS attack on the Ghost, they will have to find the IP address where there’s no DNS and no IP address associated with the organization. That’s the first obstacle. Then they have to find an open port. The malicious actor won’t find open ports because there aren’t any open ports in the Wormhole.

Because the Ghost jumps from place to place and the bad actor needs to know where the Ghost is to attack it, it is practically impossible for the bad actor to attack.

With the Ghost software, the hacker:

  • Doesn’t get a response (unless we want to send one to mislead them into thinking they succeeded)
  • Doesn’t know if they succeeded
  • Doesn’t know if they attacked the right IP address

With Great Wing, there’s no DNS, no assigned IP addresses, and no open ports.

If they try to attack a random IP address and the network is protected by Great Wing, they still won’t succeed because they cannot find an open port.

Great Wing also offers a solution that blocks DoS attacks from servers that you want to expose to the internet, such as mail servers and web servers. We will discuss that solution in a separate article.

Preparing for Q-day: Why You Need Better Encryption Now
/preparing-for-q-day-why-you-need-better-encryption-now/ | Tue, 27 Aug 2024 18:45:17 +0000 | /?p=13076

Think about how kings used to dispatch messages to their armies in the field. They’d send a messenger on horseback with a scroll written in code (often letter substitutions) that the army generals knew how to decipher. If the messenger were intercepted, the message wouldn’t arrive at its destination and the enemy could try to decipher it to extract vital information. Even worse, the enemy could write a fake message and send that one instead.

Transmitting encrypted messages over the internet is not that different. Data transfer today is still between one source and one destination, only now defined by pairs of IP addresses and port numbers. Even the encryptions are often character substitutions.

If a bad actor intercepts the message on its way via eavesdropping, they can save it and work on decrypting it. They can also impersonate the messenger and send false messages. (In the near future, we will write an article about how we create a zero-trust environment with a new protocol called the Wormhole™ to solve the issue of false messengers.)

Modern secure communications often utilize asymmetric key encryption, where the key that was used to encrypt a message is often readily available to the eavesdropper. The decryption would require one to solve a very difficult mathematical challenge that is expected to take a very long time – so long, that by the time it is solved by a computer, the message would have become irrelevant, and none of the parties involved would live to see the solution.

This principle underlying contemporary secure communications (that by the time a computer would crack the code, the information would be useless) has all changed with the looming introduction of quantum computers – known as “Q-day.” And it’s not that far off. (Read the Forbes article, Quantum Computing Is Coming Faster Than You Think.)

Quantum computers are expected to be able to solve this mathematical computational challenge in a relatively small number of computation steps, thus allowing an eavesdropper to decipher the communication. Even more concerning, any message can be stored, to be quickly deciphered promptly after Q-day – meaning even your communications today are at risk.

In anticipation of Q-day, Great Wing developed Wormhole™, a new method for data transfer that is safe from quantum computers. Including very strong symmetric encryption, Wormhole turns the transmission into a puzzle and sends it via a very large number of messengers from multiple different sources to many different destinations. For a bad actor to reconstruct the puzzle, all the messengers must be intercepted and arranged in the right sequence. Also, one would have to know which messages belong to which puzzle. And even if one were to build the puzzle – which is nearly impossible – it is encrypted using a very long symmetric key that changes periodically.

The entirety of electronic banking, SSL, and a significant part of internet communications are based on public-key cryptographic systems, such as RSA, to protect personal information and to validate the veracity of transmitted data. There are several such systems, and the security of each of them hinges on the difficulty to solve a different mathematical problem. Each would require thousands of years to solve – or so we thought, until quantum computing came along.

By running Shor’s algorithm (or its alternatives) on a quantum computer, these codes could be solved in a very small number of steps, compromising the security of almost the entirety of internet communications.

Once Shor’s algorithm is implemented on a quantum computer, the internet as we know it will no longer be secure. This is called “Q-day.”

Harvest Now, Decrypt Later (HNDL)

Not only will communications be rendered insecure after Q-day, the security of all current communications has already been undermined. That is, using the “Harvest Now, Decrypt Later” strategy, stored internet transmissions could be readily decrypted by quantum machines when they become available. We have already discussed how the harvesting is being done, and the efforts nation states are making toward this.

To mitigate the damage, the White House published a National Security Memorandum on Quantum-Vulnerable Computing Systems, stating:

“the United States must prioritize the timely and equitable transition of cryptographic systems to quantum-resistant cryptography.”

The rest of the memorandum warns:

“Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet.

[Quantum computing poses] significant risks to the economic and national security of the United States,

[a quantum computer of sufficient size and sophistication] will be capable of breaking much of the public-key cryptography used on digital systems across the United States and around the world.

When it becomes available, [this] could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

Great Wing provides seamless transition to quantum-resistant communications

In 2016, NIST announced a six-year post-quantum encryption competition to develop asymmetric quantum-resistant cryptography systems. The winners were announced in 2022, two months following the White House National Security Memorandum on Quantum-Vulnerable Computing Systems.

However, within the month of the announcement, one of the winning quantum-resistant algorithms (following extensive evaluation) was cracked. The NIST finalist “SIKE” (Supersingular Isogeny Key Exchange), was defeated on a single PC in a little over an hour. It suggests we need to rethink our attitude toward encryption in general and post-quantum encryption in particular.

The problem with asymmetric cryptography systems (such as SIKE) is that their security rests on how long it takes to solve a difficult mathematical problem. Everything needed to attempt that solution (the public key and the ciphertext) travels over the wire, so an adversary can record it today; if the problem is later cracked, every recorded exchange, including past communications, is immediately compromised.
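The following is an added illustration of that point, not Great Wing code and not a description of Wormhole. Textbook RSA with deliberately tiny, factorable primes stands in for any public-key scheme, and trial division stands in for the “hard problem” eventually being solved (Shor’s algorithm, for real key sizes). The primes, the session key and the HMAC-based keystream used for the symmetric contrast are all constructed for the example.

```python
"""
Harvest-now-decrypt-later against a textbook public-key exchange.

Added illustration (not Great Wing / Wormhole code). Everything the attacker
uses below was visible on the wire and could have been recorded years earlier.
"""
import hashlib
import hmac
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA. p and q are constructed to be tiny so the 'hard problem'
    (factoring n) is solvable in this demo; real keys use ~1024-bit primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Solves the 'hard problem' for the toy modulus. For a real 2048-bit n this
    is infeasible classically; a sufficiently large quantum computer running
    Shor's algorithm is what would make it feasible, which is exactly why
    recorded traffic is worth harvesting now."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def attacker_recovers_session_key(pub, recorded_ciphertext: int) -> int:
    """Uses only the public key and the ciphertext from the stored transcript."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return rsa_decrypt((n, d), recorded_ciphertext)


# Contrast: a pre-shared symmetric key. The transcript holds only a nonce and
# ciphertext; there is no public parameter from which the key can be derived,
# so the only generic attack is key search (which Grover's algorithm merely
# speeds up quadratically, leaving a 256-bit key with ~128 bits of margin).
def keystream(psk: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, constructed purely to illustrate that the
    wire carries no key material. Unauthenticated; not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(psk, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_xor(psk: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(psk, nonce, len(data))))


def demo() -> bool:
    """Records a public-key exchange, then recovers the session key later from
    public data alone. Returns True when the recovered key matches."""
    pub, priv = rsa_keygen(1_000_003, 1_000_033)   # constructed tiny primes
    session_key = 0xC0FFEE42                       # constructed 32-bit "session key"
    wire_ciphertext = rsa_encrypt(pub, session_key)
    assert rsa_decrypt(priv, wire_ciphertext) == session_key  # legitimate receiver
    # "Later": the stored transcript is attacked with only what was on the wire.
    recovered = attacker_recovers_session_key(pub, wire_ciphertext)
    return recovered == session_key


if __name__ == "__main__":
    print("recorded session key recovered from public data:", demo())
```

The toy modulus is about 2^40, so trial division finishes in well under a second; scaling the primes up is all that separates this demo from the real-world problem, and a large quantum computer is what would collapse that scale for real keys.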

Great Wing’s Wormhole™ is a symmetric cryptography system. Symmetric ciphers are not broken by Shor’s algorithm; a quantum computer running Grover’s search at best halves the effective key length, which is why a 256-bit key keeps a comfortable margin and a symmetric design is quantum-resistant by construction. In addition to being quantum-resistant by construction, its cryptographic system prevents eavesdropping by design.

It is designed to seamlessly encapsulate any existing remote communications system, converting it into an impenetrable wormhole. Its novel design makes it so any information passing through a public network can only be pieced together by the intended recipient.

This unique cryptographic system is designed to easily generate different communication topologies with the following properties: no party can determine the number of communicating parties or read any packet payload. Only once the topology is collapsed can the packet payloads be recovered, and the data itself can still be encrypted on top of that.

What can Wormhole do for your company?

By design, any existing communications system can be enhanced with the Wormhole, with no modifications required. For example, if you are currently using asymmetric encryption, Wormhole can seamlessly enhance your systems. Besides preventing bad actors from accessing any of your system’s public keys, it will also render your communications over the internet quantum-resistant.

Other Great Wing solutions

Besides the Wormhole, which provides quantum-resistant communications, Great Wing offers solutions for blocking DoS attacks and for providing zero-trust environments, all without compromising speed.

The perfect crime…continued /the-perfect-crime-continues/ Thu, 20 May 2021 00:01:03 +0000 https://192.168.1.20/wordpress/?p=12678 The perfect crime…continued

As we learned in my previous post, even when route hijack attacks are given attention such as by Mutually Agreed Norms for Routing Security (MANRS), there can exist an even more pernicious problem: packet duplication.

Packet dups are the unspoken nightmare for system administrators. With packet dups, enterprises may never know that their data is being archived en masse. The malicious actor duplicates the packets, sends the originals on to their intended destination over the fastest path, and at the same time diverts the copies to their own server. As far as the network administrator knows, the data arrived securely and intact. Even route tracing would not detect that anything is awry: when the packet is duplicated and forwarded directly to the correct destination, the path taken by the copy is invisible to the sender, and there is no way of knowing that the theft occurred.

Think about this: As this mountain of content grows, much of it may be encrypted and stacked up in the new ‘packet dup archives.’ The bad actor can, at their leisure or when technologies allow, read and gain benefit from the most important content. Granted, there may be a lot of trash and everyday data to be sorted, but as artificial intelligence, machine learning and eventually quantum computing mature, bad actors will be able to decrypt, machine-read and reconstitute entire intellectual property databases. There are signs that these packet dup farms are already up and running, waiting for advancements that will unravel the many treasures that await.

Packet duplication is the gift that keeps on giving. Additional “benefits” for the cybercriminal include:

  • By diverting packets from a node on the internet, the cybercriminal receives a copy of whatever the user sends, including login details, credit card information and so on, without the need to develop a phishing site. Where that traffic is encrypted end to end, the copy is ciphertext until it can be broken, which is precisely what the archives described above are waiting for. The cybercriminal is completely invisible.
  • The ability to bring down multiple sites with the same effort through denial of service (DoS) attacks.

An even more perfect crime…

Ironically, when routes are hijacked, two-step authentication can actually make it easier for the cybercriminal. It gives them more information about the user’s account, and the one-time codes travel along the same hijacked path, so they can be captured and relayed within their validity window.

From New York to Miami…via Cambodia? /from-new-york-to-miamivia-cambodia/ Wed, 05 May 2021 23:57:16 +0000 https://192.168.1.20/wordpress/?p=12675 From New York to Miami…via Cambodia?

When the airline frequent flyer programs started, many road warriors would go out of their way to collect the largest number of flight segments, hitting several airline hubs in the process. Who would think that today, over the internet, our data would take the circuitous route, racking up more miles than we did intentionally?

One of the fundamental concepts of the internet is that packets travel to their destination along whatever route the intervening networks have agreed to, hopping through the routers of different networks. The path is dynamic, changing as routes are announced and withdrawn. Border Gateway Protocol (BGP), which carries those announcements, assumes every announcement is truthful: a router has no built-in way to verify that the network announcing a block of addresses actually owns it, or that the advertised path is the most direct one. That trust assumption has proven to be a major vulnerability. These misdirections are known as BGP attacks, or route hijack attacks.

Bad actors (and you know who you are) abuse the routing tables to hijack data by announcing ownership of groups of IP addresses, with the implicit ‘promise’ of a better path, so that other networks send traffic their way. The number of successful route hijacks keeps growing year on year, causing significant damage to individuals and corporations. For example, in April 2020 alone, Akamai, Amazon and Alibaba were victims of route hijack attacks.

Since the route is unpredictable by design, intentional rerouting by a malicious actor, or even a country, usually goes undetected. Route tracing software can reveal the path the packets traveled, but it is typically employed only when the network experiences latency issues or after a data breach is discovered. As the National Institute of Standards and Technology (NIST) has noted, “If carefully exploited by malicious parties, BGP attacks are very difficult to detect, diagnose and mitigate, suggesting that many more exploits might be occurring that go unreported to the general community.”

Many think that nothing can be done to stop route hijacking. Route origin validation with RPKI (RFC 6811) already lets a network reject an announcement whose origin AS does not match a signed record for that prefix, though it cannot catch an attacker who forges a path that ends in the legitimate origin. Beyond that, solutions must include new protocols and new encryption algorithms that render the phishing and data theft impossible. As necessary as these improvements are, they still will not solve the DoS problem, where the bad actor diverts packets from many sources to attack a site they want to bring down. But there are other new solutions that can prevent DoS attacks and that can be implemented alongside the new protocols and encryption.
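As an added example (not Great Wing code), here is the origin check a router or looking-glass can apply today: RPKI route origin validation as defined in RFC 6811, run over a constructed table of Route Origin Authorizations and a handful of constructed announcements in documentation address and ASN ranges. The last announcement shows the limit of the check: an attacker who keeps the legitimate origin at the end of a forged path still passes.

```python
"""
RPKI route origin validation (RFC 6811) over constructed BGP announcements.

Added illustration, not Great Wing code. ROAs, prefixes and ASNs are
constructed from documentation ranges; real ROAs come from an RPKI validator.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """origin_asn may announce prefix and more-specifics down to max_length."""
    prefix: Network
    max_length: int
    origin_asn: int


def load_roas(rows):
    """rows: (prefix, max_length, origin_asn) tuples."""
    return [ROA(ipaddress.ip_network(p), ml, asn) for p, ml, asn in rows]


CONSTRUCTED_ROAS = load_roas([
    ("203.0.113.0/24", 24, 64500),   # only AS64500, and no more-specifics than /24
    ("198.51.100.0/22", 24, 64501),  # AS64501 may announce /22 down to /24 here
])


def parse_announcement(line: str):
    """'203.0.113.0/24 AS_PATH: 64496 64499 64500' -> (network, [64496, 64499, 64500])"""
    prefix_part, path_part = line.split("AS_PATH:")
    prefix = ipaddress.ip_network(prefix_part.strip())
    as_path = [int(asn) for asn in path_part.split()]
    return prefix, as_path


def rov_state(prefix, origin_asn: int, roas) -> str:
    """RFC 6811 outcome: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix; ROV cannot judge it
    for r in covering:
        if r.origin_asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin or too specific


def validate_announcements(lines, roas=CONSTRUCTED_ROAS):
    """Returns (prefix, origin_asn, state) for each non-empty announcement line."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        prefix, as_path = parse_announcement(line)
        origin = as_path[-1]   # the BGP origin is the rightmost ASN in AS_PATH
        results.append((str(prefix), origin, rov_state(prefix, origin, roas)))
    return results


# Constructed announcements as a collector might log them.
CONSTRUCTED_ANNOUNCEMENTS = """\
203.0.113.0/24 AS_PATH: 64496 64499 64500
203.0.113.0/25 AS_PATH: 64496 64500
203.0.113.0/25 AS_PATH: 64496 64511
203.0.113.0/24 AS_PATH: 64496 64511
198.51.100.0/24 AS_PATH: 64496 64501
192.0.2.0/24 AS_PATH: 64496 64511
203.0.113.0/24 AS_PATH: 64496 64511 64500
"""

if __name__ == "__main__":
    for prefix, origin, state in validate_announcements(CONSTRUCTED_ANNOUNCEMENTS.splitlines()):
        print(f"{prefix:<18} origin AS{origin:<6} {state}")
```

Lines two to four are the classic hijacks (a more-specific beyond the ROA’s max length, and a wrong origin), and ROV marks them invalid. The sixth has no ROA at all, so ROV says nothing. The seventh, a forged path ending in the real origin AS64500, comes back valid; catching that needs path validation, not origin validation.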

Three Red (Chinese) Flags That Microsoft Should Have Noticed /three-red-chinese-flags-that-microsoft-should-have-noticed/ Tue, 16 Mar 2021 23:45:00 +0000 https://192.168.1.20/wordpress/?p=12663 Three Red (Chinese) Flags That Microsoft Should Have Noticed

The recent, so-called “HAFNIUM breach” of Microsoft Exchange servers could have been avoided if only Microsoft had been better attuned to how state-sponsored hackers think, act and attack. Every indication is that this hack originated in China, but it was only a matter of time before one of the world’s dark corners exploited these vulnerabilities. The financial and reputational damage to Microsoft’s clients and to Microsoft itself could have been reduced, perhaps avoided altogether; measured against their potential liabilities, Microsoft and its clients could have spent pennies on the dollar to remedy and protect. Now Microsoft is scrambling (AGAIN) to contain the damage and explain how this will never happen again.

There were several red flags that a smart system could have detected to stop the data theft. First red flag: an Exchange server’s outbound internet connections normally go only to other mail servers and to Microsoft servers for updates. Yet the stolen data left these servers for MEGA, a file-sharing site that is not a mail server. Connections from an Exchange server to MEGA should never have been allowed.

Second red flag: uploads to MEGA use HTTPS, not a mail protocol such as SMTP, so the traffic did not even look like mail. Such a transfer from an Exchange server should have been blocked by a simple firewall rule that permits only mail protocols to anything other than the update servers.

Third red flag: when a mail server sends data, the traffic is expected to spread across many destinations. A large volume of data going to a single IP address, even over a number of days or longer, is unusual and suspicious. Inventive monitoring and control techniques would have detected, displayed and delayed such massive data transfers.

Microsoft was most likely aware of the zero-day vulnerabilities in its product before the attacks became public. Had it shared these vulnerabilities instead of relying on a ‘hope’ strategy, Microsoft could have protected its clients’ information with:

  • A blacklist of untrustworthy IP addresses, distributed to clients, such as the addresses of the virtual private servers (VPSs) used by the attackers;
  • Rules that deny Exchange servers access to anything other than mail servers and the Microsoft servers used for downloading software updates; and
  • Checks for abnormal volumes of data leaving any Exchange server for a single IP address. Once the limit is reached, the system would report and stop the transmission, capping the damage.
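The three controls above, plus the shared blacklist, as detection logic run over a constructed outbound-connection log. This is an added example, not Great Wing code and not a reconstruction of the HAFNIUM traffic; the log format, host names, IP addresses (documentation ranges), allowlists and the 64 MiB cap are all assumptions for the example.

```python
"""
Egress checks an Exchange server's outbound traffic should have tripped.

Added illustration (not Great Wing code). Hosts, addresses, allowlists, the
blocklist, the log format and the byte cap are constructed for the example.
"""
from collections import defaultdict

# Constructed outbound-connection log: time, source host, destination IP, dest port, bytes sent
SAMPLE_EGRESS_LOG = """\
2021-03-01T10:00:01Z exch01 198.51.100.25 25 4096
2021-03-01T10:00:05Z exch01 203.0.113.10 443 2048
2021-03-01T10:02:11Z exch01 192.0.2.77 443 52428800
2021-03-01T10:09:40Z exch01 192.0.2.77 443 52428800
2021-03-01T10:11:03Z exch01 192.0.2.200 443 1024
2021-03-01T10:15:02Z exch01 198.51.100.25 25 8192
"""

# Policy inputs (all constructed):
ALLOWED_MAIL_PEERS = {"198.51.100.25"}       # other mail servers this host legitimately talks to
ALLOWED_UPDATE_HOSTS = {"203.0.113.10"}      # vendor update endpoints (HTTPS, so not SMTP)
BLOCKLISTED_IPS = {"192.0.2.200"}            # shared blacklist, e.g. VPS addresses seen in attacks
SMTP_PORTS = {25, 465, 587}
PER_DESTINATION_BYTE_CAP = 64 * 1024 * 1024  # 64 MiB per destination per analysed window


def parse_egress_log(text: str):
    """Parses the constructed space-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return records


def check_egress(records, byte_cap=PER_DESTINATION_BYTE_CAP):
    """Returns (alerts, blocked_destinations). Each alert is (rule, destination, detail)."""
    alerts = []
    blocked = set()
    sent_per_dst = defaultdict(int)
    for rec in records:
        dst, port = rec["dst"], rec["port"]
        if dst in blocked:
            continue  # already cut off; an inline enforcer would drop the packet here
        # Shared blacklist: known-bad destination, block outright.
        if dst in BLOCKLISTED_IPS:
            alerts.append(("blocklisted-destination", dst, rec["ts"]))
            blocked.add(dst)
            continue
        # Red flag 1: an Exchange server should reach only mail peers and update hosts.
        if dst not in ALLOWED_MAIL_PEERS and dst not in ALLOWED_UPDATE_HOSTS:
            alerts.append(("unexpected-destination", dst, rec["ts"]))
        # Red flag 2: to anything that is not an update host, only mail protocols make sense.
        if dst not in ALLOWED_UPDATE_HOSTS and port not in SMTP_PORTS:
            alerts.append(("non-mail-protocol", dst, f"port {port}"))
        # Red flag 3: too much data flowing to one address, whatever it is.
        sent_per_dst[dst] += rec["bytes"]
        if sent_per_dst[dst] > byte_cap:
            alerts.append(("volume-cap-exceeded", dst, f"{sent_per_dst[dst]} bytes"))
            blocked.add(dst)  # report and stop further transmission, capping the damage
    return alerts, blocked


if __name__ == "__main__":
    found, cut_off = check_egress(parse_egress_log(SAMPLE_EGRESS_LOG))
    for rule, dst, detail in found:
        print(f"{rule:<24} {dst:<16} {detail}")
    print("blocked:", sorted(cut_off))
```

On the sample log the two 50 MiB transfers to 192.0.2.77 trip the destination and protocol rules on the first connection and the volume cap on the second, after which that address is cut off; the blocklisted 192.0.2.200 is stopped on its first connection; the legitimate SMTP and update traffic raises nothing. The rules are deliberately independent so that a destination which evades one (say, an attacker using port 25) is still caught by the others.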

Solid enterprise systems must include ‘zero trust’ barriers built on monitoring and analysis techniques that are not just a step ahead, but a completely new approach to how network security should function in the operation of data transmission and VPN sustainability.
