Is Your Network Infested with Zombies?
Introduction
An organisation's external attack surface often carries a visible 'imprint' of its internal operational security processes. Patch management, firewall policies, technology choices and secure configuration processes all leave clearly observable traces. During an Attack Surface Review we tend to form an initial picture of an organisation's internal processes and overall resilience relatively quickly; we can then focus on finding any gaps or anomalies that may lead to the discovery of an exploitable vulnerability.
These anomalies are often quite subtle: a single server where a specific patch has been missed, or perhaps one site or IP range where the normal policies are not being consistently applied. In a surprising number of cases, though, those anomalies turn out to be much more significant. When browsing the attack surface of an organisation that generally does a good job of maintaining its infrastructure, it is not uncommon to turn a corner and come face to face with a 'Zombie': a host so far outside the normal envelope of technology and patch status that something has clearly gone very wrong.
Know Your Enemy
Zombies come in many forms: some take the shape of 90s-era web servers, others are firewall or VPN endpoints so old they could be steam powered. These long-forgotten, though still very much alive, relics of a past age can lurk for years, or even decades, in the dark corners of an organisation's attack surface, just waiting for an opportunity to spill their secrets to a passing attacker.
Zombies are surprisingly common; we have seen this type of host in around 20% of our recent network security evaluations. Recent examples include a vintage 2013 VPN endpoint and an Exchange 2010 server that was missing several years' worth of critical security patches.
Both of these examples were from large organisations with generally well-maintained infrastructure and well-established security processes. In both cases the vulnerable hosts were obsolete servers that had simply never been decommissioned; several years then went by during which the Zombie hosts were not detected by any internal security process or bug bounty programme.
Lurking in Dark Corners
To understand the natural habitat of a typical Zombie, let's look at the way we map an organisation's attack surface.
Our EdgeScope product collates and evaluates a set of current and historic data points covering every live host on the Internet. These are cross-referenced against the set of known resources owned by a specific organisation and used to derive a probabilistic assessment of which network layers of each host were controlled by that organisation during any given time range. This means we can find hosts that are entirely owned by an organisation, hosts that are shared through a CDN or other cloud service, and hosts that are time-shared, such as AWS elastic IPs.
This approach also enables us to locate hosts even if they have only a very tenuous or historic connection to an organisation. For example, we would be able to identify:
A host with a long expired TLS cert with a CN in an obscure domain that somebody (probably from marketing) once registered without telling the operations team.
A hosted server with a DNS reverse lookup that points to a now decommissioned corporate DNS server.
It is in these shadowy edges of an organisation's attack surface where we tend to find most of the Zombies.
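The signals listed above (an expired certificate, a CN in a domain nobody manages, a PTR record pointing into a retired zone, a host that nobody has patched) can be turned into a simple defender-side triage over your own external scan data. The following is an added illustration written for this post, not EdgeScope's code; the inventory sets, thresholds, field names and sample observations are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed inventory data (constructed for this example, not real).
KNOWN_DOMAINS = {"example.com"}        # domains the organisation actually manages
RETIRED_ZONES = {"old.example.com"}    # DNS zones whose servers were decommissioned
MAX_PATCH_AGE_DAYS = 180               # assumed patch-policy threshold
TODAY = date(2021, 6, 1)               # fixed "now" so the run is reproducible

@dataclass
class Observation:
    ip: str
    in_inventory: bool = False
    cert_cn: Optional[str] = None
    cert_not_after: Optional[date] = None
    ptr: Optional[str] = None
    last_patched: Optional[date] = None

def _under(name: str, zones) -> bool:
    # True if name is one of the zones or a subdomain of one of them
    return any(name == z or name.endswith("." + z) for z in zones)

def zombie_signals(obs: Observation, today: date) -> List[str]:
    """Return the Zombie indicators raised by one externally observed host."""
    signals = []
    if not obs.in_inventory:
        signals.append("host missing from asset inventory")
    if obs.cert_not_after is not None and obs.cert_not_after < today:
        signals.append(f"TLS cert expired {(today - obs.cert_not_after).days} days ago")
    if obs.cert_cn and not _under(obs.cert_cn, KNOWN_DOMAINS):
        signals.append(f"cert CN {obs.cert_cn} is outside managed domains")
    if obs.ptr and _under(obs.ptr, RETIRED_ZONES):
        signals.append(f"reverse DNS {obs.ptr} points into a decommissioned zone")
    if obs.last_patched is not None and (today - obs.last_patched).days > MAX_PATCH_AGE_DAYS:
        signals.append(f"no patches applied for {(today - obs.last_patched).days} days")
    return signals

def triage(observations: List[Observation], today: date) -> Dict[str, List[str]]:
    """Map each host with at least one signal to its signals, worst first."""
    flagged = {o.ip: zombie_signals(o, today) for o in observations}
    return dict(sorted(((ip, s) for ip, s in flagged.items() if s), key=lambda kv: -len(kv[1])))

# Constructed sample observations (documentation IP ranges, fictitious names).
SAMPLE = [
    Observation("203.0.113.10", True, "www.example.com", date(2022, 1, 1), "www.example.com", date(2021, 5, 20)),
    Observation("203.0.113.45", True, "mail.example.com", date(2021, 9, 1), "mail.example.com", date(2018, 11, 2)),
    Observation("198.51.100.7", False, "promo.spring-campaign.net", date(2017, 3, 15), None, None),
    Observation("192.0.2.99", False, None, None, "vpn2.old.example.com", None),
]
```

Calling `triage(SAMPLE, TODAY)` drops the healthy host entirely and lists the forgotten marketing site first, the retired-zone VPN box second and the unpatched mail server last.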
The Origin of Zombies
During the rollout of a new service there will inevitably be a lot of focus on onboarding users, monitoring for any stability or usability issues and generally ensuring that there are no outages or other issues that prevent people from getting their jobs done. It is not too surprising that relatively little thought or focus is put into decommissioning the old version of that service.
Things also get complicated when that one C-level executive (probably also from marketing) decides that they would prefer to keep using the old version 'for now' because the old UI is a nicer colour. The net result is that decommissioning old infrastructure, especially VPNs or other user-facing services, is often deferred and can easily end up being missed altogether. Over time, these hosts tend to fall off the operations team's radar and, ultimately, they can be completely forgotten about.
Another common source of Zombies is abandoned projects or pilot deployments. In this case the hosts may never even be known to internal operations staff, so they are likely to remain active while never being patched or monitored.
Zombie hosts that live in core parts of an organisation's network or data center will tend to be spotted and removed reasonably quickly. The real problems seem to happen when Zombies appear in third-party hosting or cloud infrastructure; it is then much less likely that they will ever be spotted, and they can go on existing almost indefinitely. Even if they are externally hosted, Zombies can still contain sensitive residual data, or could even have an active connection into other parts of an organisation's infrastructure.
Zombie Management Strategy
Standing in your data center with the lights off, while listening for ominous shuffling noises, is probably not going to be very effective (and could lead to some awkward questions from HR). Fortunately, there are some approaches that are more likely to yield good results:
Secure Decommissioning: As mentioned above, Zombies are often the result of incomplete or ineffective decommissioning processes. By making sure that every project that adds or replaces any infrastructure has a clearly defined decommissioning process and timeline, you can go a long way towards keeping your network Zombie free. A dangerous edge case here is abandoned projects: a decommissioning process for a failed project is just as important as for something that made it into production, so make sure that even early-stage pilots or technology evaluations go through a defined decommissioning process.
Full Attack Surface Reviews: While it is generally good practice to ensure that any security engagements or projects have a well-defined focus and scope, it is all too easy to end up over-constraining things. This can lead to gaps, as you are not getting effective security coverage of your full attack surface. We recommend that at least some of your security analysis engagements are given free rein to ensure you get some coverage of your full attack surface.
Remember that Zombies will always tend to hide in the shadowy areas that aren't covered by your security processes. Having a multi-layer process that covers both of the above points will give you an optimal level of Zombie protection.
Conclusion
Zombie hosts can present a clear and present threat to the security of a network. They are an obvious target, often have unpatched exploitable vulnerabilities and can be 'out of sight' of any internal security detection and response infrastructure. Overall, these hosts present an attacker with an ideal way to get a persistent foothold in your network.
While some relatively minor process updates can go a long way towards mitigating the risk of Zombie hosts existing on your network, our observations suggest that many organisations are not managing to effectively keep on top of this threat.
If you think you might have Zombies lurking in your network then get in touch. Our Managed Vulnerability Monitoring service provides continual protection against Zombies, even if they are hiding in dark corners.