One of the most common ways that attackers infiltrate enterprise networks is through lateral movement. The adversary compromises a low-value, easy-to-exploit target and then uses it as a launching point to perform reconnaissance, steal data, or mount a more complex attack against a better protected asset. Lateral movement is particularly dangerous because most organizations have little to no visibility into, or control over, the network traffic between devices in the same security context.
To combat this, enterprises are being sold new ways to implement better segmentation to prevent lateral movement on their networks. One method is to force all clients to connect using a Zero Trust Network Access (ZTNA) solution or virtual private network (VPN) in order to access sensitive assets or data. The idea is to treat internal users exactly the same as external users, and to segment them as if they were in an environment as untrusted as the internet. In other words, a lot of enterprises are conceding that the campus network is compromised.
In early May of 2024, researchers at Leviathan Security uncovered a serious vulnerability that could upend this entire idea. A technical demonstration of how the attack works is provided for your viewing pleasure: https://www.youtube.com/watch?v=ajsLmZia6UU
To summarize, the method in play uses a little-known DHCP option that forces the client to route network traffic through a machine controlled by the attacker. At a minimum, this means that the malicious actor can see all of the data sent over a connection that the client believes is secure, but isn’t. That result is bad enough. However, it is easy to imagine how this man-in-the-middle position could be used to manipulate data and even to infiltrate more secure areas of the network undetected.
This attack shows how an attempt to make networks more secure has actually opened another, potentially more serious, threat vector.
The quick reaction that I’ve heard from some people is that, as long as your DHCP server is secure, your organization is not vulnerable. The second half of the video shows that this is not true. Leviathan demonstrated a way to reliably force a client to use a DHCP server owned by the attacker rather than the corporate DHCP server. This is called a rogue DHCP server and is a common cause of network outages and threats that legacy networks are not typically designed to mitigate.
There is a bright side to all of this, at least for Nile customers. Nile is a completely new type of network designed with security built-in by default. Let’s look at a few of the ways that Nile neutralizes the TunnelVision attack.
Nile automatically prevents rogue DHCP servers as only the DHCP server that the customer specifies will ever be used for DHCP requests. A rogue DHCP server on the local network will never even see the request, much less have a chance to hijack it. Nile customers can concentrate on making sure their DHCP servers are secure without worrying about attackers bringing other DHCP servers onto the network.
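The two controls discussed above, refusing DHCP answers from anything but the designated server and noticing when a DHCP answer tries to steer traffic around the tunnel, can be checked on the wire by a network sensor. The following is an added example written for this page; it is not Nile's code, and the page itself does not name the DHCP option involved. Leviathan's public disclosure identifies it as option 121 (classless static routes, RFC 3442), which is what the decoder below handles. The trusted-server list, the expected-route list and the sample OFFER bytes are all constructed for the example; the addresses are from the 192.0.2.0/24 documentation range.

```python
import ipaddress

# DHCP option codes used below (RFC 2132 and RFC 3442)
OPT_ROUTER = 3
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_CLASSLESS_ROUTES = 121
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options field of a DHCP message (magic cookie onward).
    Returns {option_code: value}; repeated options are concatenated."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = 4
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """Decode RFC 3442 option 121: each route is a prefix-length byte, the
    ceil(prefix/8) significant destination octets, then a 4-byte router."""
    routes = []
    i = 0
    while i < len(value):
        plen = value[i]
        nbytes = (plen + 7) // 8
        dest = value[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        router = value[i + 1 + nbytes:i + 5 + nbytes]
        if len(router) != 4:
            raise ValueError("truncated classless route entry")
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 5 + nbytes
    return routes


def audit_offer(payload: bytes, trusted_servers: set, expected_routes=()) -> list:
    """Return human-readable findings for one DHCP OFFER/ACK options blob:
    an untrusted server identifier (rogue DHCP) and any classless static
    route that the network is not known to hand out."""
    opts = parse_dhcp_options(payload)
    findings = []
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        findings.append("missing or malformed server identifier (option 54)")
    else:
        server = ipaddress.IPv4Address(sid)
        if server not in trusted_servers:
            findings.append(f"untrusted DHCP server {server}: possible rogue server")
    if OPT_CLASSLESS_ROUTES in opts:
        for net, gw in decode_classless_routes(opts[OPT_CLASSLESS_ROUTES]):
            if (net, gw) not in expected_routes:
                findings.append(
                    f"unexpected classless static route {net} via {gw}: "
                    f"traffic for {net} would leave the host outside a full-tunnel VPN")
    return findings


# Constructed sample: a DHCPOFFER whose server identifier is not the corporate
# server and which pushes two /1 routes (together covering all of IPv4) via itself.
SAMPLE_ROGUE_OFFER = (
    MAGIC_COOKIE
    + bytes([OPT_MSG_TYPE, 1, 2])                       # DHCPOFFER
    + bytes([OPT_SERVER_ID, 4, 192, 0, 2, 66])
    + bytes([OPT_ROUTER, 4, 192, 0, 2, 1])
    + bytes([OPT_CLASSLESS_ROUTES, 12])
    + bytes([1, 0x00, 192, 0, 2, 66])                   # 0.0.0.0/1   via 192.0.2.66
    + bytes([1, 0x80, 192, 0, 2, 66])                   # 128.0.0.0/1 via 192.0.2.66
    + b"\xff"
)
# Constructed: the one DHCP server this network is supposed to use.
TRUSTED_SERVERS = {ipaddress.IPv4Address("192.0.2.10")}

if __name__ == "__main__":
    for finding in audit_offer(SAMPLE_ROGUE_OFFER, TRUSTED_SERVERS):
        print("ALERT:", finding)
```

In practice the payload would come from a packet capture or a DHCP snooping feed on the access switch, and the allow-lists would be populated from the network's own configuration. The point of the two checks is that a client protected only by a VPN client cannot tell a legitimate route push from a hostile one, while the network, which knows which server and which routes are legitimate, can.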
Direct communication between devices on a Nile Network is prohibited by default. Even if the attacker were able to force a client to send unencrypted traffic to an insecure location, all of that traffic would be visible to and controlled by the corporate firewall, even if the attacker’s machine were on the same network as the user.
Because of the built-in segmentation and isolation of devices that Nile provides, no software VPN or ZTNA client is required. Not only does this mean that user clients connected to a Nile Network are not vulnerable to software-based attacks like TunnelVision, it also means that every device is segmented, regardless of whether a client can be installed on it. That’s important because the most vulnerable things on the network are often user or IoT devices that are not compatible with software clients.
There are many more ways that Nile protects users and devices from attacks, but the point should be clear. Nile eliminates lateral movement and provides a way to inspect and control your traffic like no other. Legacy networks designed to meet 1990s requirements will never be able to effectively combat the threats being introduced today. Every new attack vector causes IT teams to react with more configuration, more point products, and more complexity.
To truly secure your organization you need a new type of network and infrastructure that was designed to be secure by default. You don’t need VLANs, ACLs and complex segmentation projects that are hard to scale. You need Nile.