Information security typically focuses on exploitation and manipulation of the endpoint. Adversaries, however, are increasingly moving their attacks to the "midpoint" (DNS manipulation, router and other network-device exploitation, and traffic-shaping or interception mechanisms) in order to bypass both endpoint and perimeter network defenses. Although it is widely acknowledged that such attacks take place, most threat analysis says little about what they imply for defenders or about the strategies needed to counter them.
Starting with the revelations that emerged from the various NSA-related leaks, continuing through several campaigns that exploited vulnerabilities in enterprise network devices, and ending with multiple examples of DNS traffic hijacking, this talk examines how adversaries are shifting their attack vectors to infrastructure and services that lie beyond the perimeter of the intended victim. Examples include the alleged QUANTUM program associated with US government operations, network-device attacks linked to Russian state interests and targeting the energy sector, and several waves of DNS manipulation, including the Sea Turtle and DNSpionage campaigns. Each illustrates one "layer" at which a midpoint attack is possible, and each carries different implications both for the threat itself and for its possible mitigation.
The discussion concludes with security recommendations, an examination of the risks, and a look at how privacy-oriented debates, such as those over encryption, may shape these types of attack going forward. Organizations face a dilemma: the attack takes place outside the network perimeter, beyond both the endpoints and the company-owned network infrastructure, which makes conventional defense difficult. Options nonetheless exist, ranging from communication security (encryption and authentication of traffic so that a manipulated path cannot silently read or alter it) to persistent monitoring and analysis of network traffic and of the organization's own DNS and routing state as seen from outside. With this understanding, organizations will be better prepared to defend against and detect such attacks, and in some cases to remove the risk before it can harm their operations.
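As an added example of the external monitoring option mentioned above (this code is not part of the talk or of any project it describes), the following script compares DNS answers for an organization's own names, as observed from several external vantage points, against a recorded baseline. It then distinguishes a change seen from every vantage point (consistent with a registrar- or authoritative-level modification of the kind attributed to Sea Turtle and DNSpionage) from a change seen from only some vantage points (consistent with resolver- or path-level manipulation). The baseline, the vantage names, and the observation log lines are all constructed for the example; the log format "vantage name qtype rdata" is an assumption, not a real tool's output.

```python
"""Detect drift in an organization's own DNS records as seen from outside.

Added example: not from the talk. BASELINE and OBSERVED_LOG are constructed
sample data; the log format 'vantage name qtype rdata' is assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed baseline: the records the organization expects to be served.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("example.org", "A"): {"198.51.100.10"},
    ("mail.example.org", "MX"): {"10 mx1.example.org."},
    ("mail.example.org", "A"): {"198.51.100.25"},
}

# Constructed observations from two external vantage points. The last line
# shows mail.example.org resolving to an unexpected address from one vantage.
OBSERVED_LOG = """\
vantage-eu example.org NS ns1.example.org.
vantage-eu example.org NS ns2.example.org.
vantage-eu example.org A 198.51.100.10
vantage-eu mail.example.org MX 10 mx1.example.org.
vantage-eu mail.example.org A 198.51.100.25
vantage-us example.org NS ns1.example.org.
vantage-us example.org NS ns2.example.org.
vantage-us example.org A 198.51.100.10
vantage-us mail.example.org MX 10 mx1.example.org.
vantage-us mail.example.org A 203.0.113.77
"""


@dataclass(frozen=True)
class Finding:
    """One (vantage, name, qtype) whose answer set differs from the baseline."""
    vantage: str
    name: str
    qtype: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]


def parse_observations(log: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group log lines into answer sets keyed by (vantage, name, qtype).

    rdata may contain spaces (MX priority + host), so split at most 3 times.
    Malformed lines are skipped rather than treated as empty answers.
    """
    observations: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        vantage, name, qtype, rdata = parts
        observations.setdefault((vantage, name, qtype), set()).add(rdata)
    return observations


def detect_drift(baseline, observations) -> List[Finding]:
    """Compare every baseline record against every vantage point.

    A missing answer (empty set) also counts as drift: an attacker who
    removes or NXDOMAINs a record is as interesting as one who changes it.
    """
    vantages = sorted({v for (v, _, _) in observations})
    findings: List[Finding] = []
    for (name, qtype), expected in baseline.items():
        for vantage in vantages:
            seen = observations.get((vantage, name, qtype), set())
            if seen != expected:
                findings.append(Finding(vantage, name, qtype,
                                        frozenset(expected), frozenset(seen)))
    return findings


def classify(findings: List[Finding], total_vantages: int) -> Dict[Tuple[str, str], str]:
    """Label each drifted record by how many vantage points saw it.

    'global'    - every vantage disagrees with the baseline: the authoritative
                  data or the delegation itself has changed.
    'localized' - only some vantages disagree: manipulation on the path or at
                  a resolver between that vantage and the authoritative server.
    """
    by_record: Dict[Tuple[str, str], Set[str]] = {}
    for f in findings:
        by_record.setdefault((f.name, f.qtype), set()).add(f.vantage)
    return {key: ("global" if len(vs) == total_vantages else "localized")
            for key, vs in by_record.items()}


def run(log: str = OBSERVED_LOG, baseline=BASELINE):
    obs = parse_observations(log)
    findings = detect_drift(baseline, obs)
    verdicts = classify(findings, len({v for (v, _, _) in obs}))
    return findings, verdicts


if __name__ == "__main__":
    for f in run()[0]:
        print(f"{f.vantage}: {f.name} {f.qtype} expected {sorted(f.expected)} "
              f"observed {sorted(f.observed)}")
    print(run()[1])
```

In practice the observations would come from a scheduled query job on hosts in several networks, and the baseline from the zone the organization believes it publishes; the point of the comparison is that a registrar- or path-level change is invisible to controls running inside the perimeter, so the check has to be made from outside it.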