Super Bowl or Super Bot?
Updated October 14, 2021.
Millions of dollars spent on perimeter security solutions: firewalls, IPS, VPNs, and more. Countless days, weeks, and months spent researching, meeting with vendors, attending all the right conferences, and worrying about all those cyber crooks and nation-state hackers. That knowledge, those advanced malware detection and remediation engines, everything humming right along to keep the bad guys out of your network. You feel pretty secure, right?
Oh, but how quickly and easily things can change.
You decide to take that one meeting. You know, the one with the promising new team candidate. His credentials look so good that it makes sense to invite him for an in-person interview. Unfortunately, when he comes in, not only is the meeting just “meh,” but on his way out of the conference room he manages to plug a small wireless access point (AP) into a live network jack under the conference table, putting it directly on your internal network.
That fast. And your entire security posture’s just changed.
It is akin to taking cables from your internal network and flinging them out the window for anyone to connect to: you have handed an attacker direct access to your network from the parking lot. None of that perimeter gear sees it, because the rogue AP sits behind the perimeter. He can install software on the AP to sniff internal traffic for interesting user information and upload anything he finds, via the Internet, to his personal FTP site. Ruh-roh. The controls that would have stopped this live on the switch port, not the firewall: 802.1X port authentication or port security on unused conference-room jacks, plus visibility into the internal traffic the AP generates.
Interestingly, Super Bowl 50 organizers and fans alike may soon face similar exposure.
Game Time
Inside state-of-the-art Levi’s Stadium, Super Bowl organizers have created a gigantic wireless network, with 13,000 Wi-Fi access points beneath stadium seats, to support Internet connectivity for more than a million fans. While cool for many reasons, the downside is that the chance of every fan connecting only to the legitimate network is slim. Like wafer-thin slim: a client device joins whichever network broadcasts the name it expects, and the fan has no way to tell the real one from an impostor.
It’s time to take note. Fans who connect to a fraudulent network hand the attacker a position between their device and the Internet, from which a variety of attacks can be launched, including:
Man-in-the-Middle: The attacker starts by standing up a rogue AP (an “evil twin”), which can be nothing more than a soft AP on a laptop broadcasting the same SSID as the real stadium network. Once a victim associates, the attacker’s laptop connects to the real Super Bowl AP and transparently forwards the victim’s traffic, so a steady flow of it passes through the attacker’s machine on its way to the network. Anything sent in the clear can be sniffed for user names, passwords, credit card numbers, and so on. Traffic that is properly protected with TLS cannot be read outright, which is why these setups lean on downgrade tricks and on users who click through certificate warnings. With freeware such as LANjack and AirJack, this type of attack is becoming increasingly popular.
Denial-of-Service (DoS): A DoS attack occurs when an attacker continually bombards a valid AP, or the clients on it, with bogus association requests, spoofed deauthentication and disassociation frames, and other management traffic. Legitimate users are kicked off or cannot connect at all, and in extreme cases the AP itself falls over. The two attacks go together: with the real wireless network unreachable, a client that automatically reconnects will happily pick a rogue AP broadcasting the same name, so the chances of landing on the attacker’s AP become increasingly high.
BOTs: The first order of business for any self-respecting bot is to connect to its command and control (C2) server, from which the bot master tells infected systems what to do. If users are connected to a rogue AP, the attacker, sitting in the middle between them and the real AP, can redirect them to sites of his choosing and install malicious software, including bots, on their computers. That gives him complete control of the machine, which is why bot-infected computers are also called “zombies.” There are literally hundreds of thousands of such computers on the Internet, infected with some type of bot and unbeknownst to their users. Legions of such zombie PCs can be rented and activated to execute DoS attacks against websites, host phishing pages, or simply send out thousands of spam emails, all for a modest fee. Just ask your friendly neighborhood cracker-turned-entrepreneur. Sadly, if anyone were to trace the attack back to its source, all they’d find is an unwitting victim, not the true attacker.
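One way an operator (or a cautious fan with a scanner) can spot the evil twin described above, as an added example that is not part of the original post and not Gigamon code. It assumes a hypothetical inventory of the BSSIDs the operator actually deployed (`KNOWN_APS`) and runs the check over a constructed scan list (`SCAN`) of the kind any Wi-Fi scanner reports: it flags unknown BSSIDs advertising the real SSID, look-alike SSIDs, known BSSIDs whose security type has changed, and a BSSID that appears twice in one scan with conflicting capabilities.

```python
"""Evil-twin / rogue AP check against a known-good AP inventory.

Added illustrative example, not Gigamon code and not part of the original post.
KNOWN_APS and the SCAN records below are constructed; field names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "open", "wpa2" or "wpa3"
    rssi: int      # signal strength in dBm


# Hypothetical operator inventory: SSID -> {BSSID: expected security}
KNOWN_APS = {
    "Stadium-WiFi": {
        "00:11:22:aa:bb:01": "wpa2",
        "00:11:22:aa:bb:02": "wpa2",
    },
}


def _normalize(ssid):
    """Collapse case, spacing and punctuation so 'Stadium WiFi' matches 'Stadium-WiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_rogue_aps(beacons, known=KNOWN_APS):
    """Return (bssid, ssid, reason) tuples for beacons that look like evil twins."""
    findings = []
    by_norm = {_normalize(s): s for s in known}
    security_seen = defaultdict(set)  # (ssid, bssid) -> security types advertised

    for b in beacons:
        real_ssid = by_norm.get(_normalize(b.ssid))
        if real_ssid is None:
            continue  # unrelated network, not impersonating one of ours
        if b.ssid != real_ssid:
            findings.append((b.bssid, b.ssid, f"look-alike SSID for {real_ssid!r}"))
            continue
        security_seen[(b.ssid, b.bssid)].add(b.security)
        expected = known[real_ssid].get(b.bssid)
        if expected is None:
            findings.append((b.bssid, b.ssid, "unknown BSSID advertising a known SSID"))
        elif b.security != expected:
            findings.append((b.bssid, b.ssid,
                             f"security mismatch for known BSSID (expected {expected}, saw {b.security})"))

    # A cloned BSSID typically shows up twice in one scan with different capabilities.
    for (ssid, bssid), secs in security_seen.items():
        if len(secs) > 1:
            findings.append((bssid, ssid,
                             "same BSSID beaconing with conflicting security (" + ", ".join(sorted(secs)) + ")"))
    return findings


# Constructed scan: two real APs, an impostor on an unknown BSSID, a look-alike name,
# a clone of a real BSSID running open, and an unrelated network.
SCAN = [
    Beacon("Stadium-WiFi", "00:11:22:aa:bb:01", 36, "wpa2", -52),
    Beacon("Stadium-WiFi", "00:11:22:aa:bb:02", 44, "wpa2", -61),
    Beacon("Stadium-WiFi", "de:ad:be:ef:00:01", 6, "open", -40),
    Beacon("Stadium WiFi", "de:ad:be:ef:00:02", 1, "open", -45),
    Beacon("Stadium-WiFi", "00:11:22:aa:bb:01", 6, "open", -33),
    Beacon("Coffee-Shop", "c0:ff:ee:00:00:01", 11, "wpa2", -70),
]

if __name__ == "__main__":
    for bssid, ssid, why in find_rogue_aps(SCAN):
        print(f"{bssid}  {ssid!r}: {why}")
```

Two caveats apply. A BSSID is trivially spoofed, so the inventory check catches lazy impostors, and the clone check only fires when the scanner catches both the real and the fake beacon in one pass; it is a detection aid, not proof of legitimacy. The dependable defense is on the client side, where the beacon cannot be trusted anyway: WPA2/WPA3-Enterprise with server certificate validation, or a VPN brought up before any other traffic.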
Game Over?
On Super Bowl Sunday, hundreds, if not thousands, of possibly infected endpoints may be connecting to the Internet and, potentially, to their command and control servers: exfiltrating information, participating in DoS attacks, and initiating phishing campaigns.
While getting infected at venues such as the Super Bowl is sometimes unavoidable, what matters most is how you react. Security today is less about preventing every breach and more about better detection, tighter containment, and faster remediation.
If you’re a stadium administrator, it’s extremely important to have visibility into network endpoints and their behavior on the network, such as connections to known-malicious sites, so that the damage can be stopped before it’s too late. It’s equally important to understand that the attacks won’t end when the Super Bowl does.
On Monday morning, all these football fans are going to head back to work, bringing their potentially infected devices along and connecting them to corporate networks. As with most targeted intrusions (the pattern usually labelled an Advanced Persistent Threat, or APT), once the initial compromise has given the attacker a foothold, the next stages of the attack lifecycle start to unfold. Attackers may:
- Establish a foothold: plant remote administration software in the victim’s network and create backdoors that allow stealthy access to its infrastructure.
- Escalate privileges: use popular exploits and password cracking to acquire administrator rights on the compromised computer, then try to expand that to Windows domain administrator accounts and other user accounts.
- Conduct internal reconnaissance: collect information on all hosts in the network, the network topology, trust relationships, the Windows domain structure, and so on.
- Move laterally: expand control to other workstations, servers, and infrastructure elements, then harvest data from them.
- Maintain presence: keep control over the access channels and credentials acquired in the previous steps so they can return for future data theft.
- Complete the mission: exfiltrate the stolen data from the victim’s network through one or more Internet-connected systems, doing everything possible to avoid detection.
Game Plan
So now you’re aware. But what can be done?
Gigamon’s visibility solutions can play a key role in both pre- and post-game strategy. For a stadium network or security administrator, Gigamon’s Security Delivery Platform (SDP) can help reveal malicious activity within a stadium’s Internet traffic. By tapping critical portions of the network infrastructure, the Gigamon SDP provides visibility into traffic from both physical and virtual networks and feeds security devices with precisely the traffic they need.
Gigamon specializes in:
- taking traffic from high-speed multi-gig network links
- performing much needed traffic manipulations
- summarizing flow records
- extracting flows of interest and useful security metadata
- decrypting SSL/TLS traffic
- and, finally, redistributing the result to slower security devices without any loss of fidelity.
Without Gigamon, many security devices would be unable to withstand the avalanche of data thrown at them, even if they were actually capable of spotting the threats. Security has always been about finding the proverbial needle in the haystack, and Gigamon helps by delivering more needle and less hay to the security appliances.
Moreover, if you happen to have a lot of infected devices popping into your network, Gigamon can provide visibility across the complete APT kill chain. Before any data leaves the building, infected endpoints will scan the network to perform internal reconnaissance, and malware will try to propagate laterally to other systems. If peer-to-peer connections were to suddenly appear between your computer and your adjoining cube mate’s, many security systems would simply miss the incident, since they watch the perimeter and are not looking deep within the internal network.
It’s different with Gigamon’s SDP, which can deliver traffic from your internal network to your entire security ecosystem to help detect such attacks. If a flurry of attempts is made to access an organization’s Web servers or to reach malicious sites, the security metadata provided by the Gigamon SDP, containing DNS requests, Web URLs, and HTTP error codes, can give system administrators looking for such anomalies an early warning.
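The kind of early warning that metadata makes possible, as an added example that is not Gigamon code and not part of the original post. It assumes a SIEM-style record layout (one dict per flow, DNS query, or HTTP response; the field names are assumptions), a hypothetical workstation address range and domain blocklist, and runs four checks over constructed records: C2 beaconing (regular check-ins to one external host), workstation-to-workstation connections on remote-admin ports (the cube-mate case above), DNS lookups of a blocklisted name, and a burst of HTTP 4xx errors from one source against one web server.

```python
"""Early-warning checks over flow, DNS and HTTP metadata records.

Added illustrative example, not Gigamon code and not part of the original post.
Record layout, address ranges, blocklist and the SAMPLE records are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")  # assumed user-PC address space
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}      # remote-admin protocols
BAD_DOMAINS = {"updates-cdn-check.example"}          # hypothetical blocklist entry


def beacons(records, min_hits=4, min_period=30, max_jitter=0.2):
    """Flag src->dst:port pairs contacted at a nearly constant interval (C2 check-ins)."""
    times = defaultdict(list)
    for r in records:
        if r.get("proto") == "tcp":
            times[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Short regular bursts are scans or brute force, not beacons: require a real period.
        if mean >= min_period and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append(key)
    return hits


def lateral_movement(records):
    """Flag workstation-to-workstation connections on remote-admin ports."""
    hits = set()
    for r in records:
        if r.get("proto") != "tcp" or r["dport"] not in LATERAL_PORTS:
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in WORKSTATIONS and dst in WORKSTATIONS:
            hits.add((r["src"], r["dst"], r["dport"]))
    return sorted(hits)


def dns_to_bad_domains(records):
    """Flag DNS queries for blocklisted names, regardless of which resolver answered."""
    return sorted({(r["src"], r["qname"]) for r in records if r.get("qname") in BAD_DOMAINS})


def http_error_bursts(records, threshold=5):
    """Flag sources collecting many 4xx responses from one server (probing, credential stuffing)."""
    counts = defaultdict(int)
    for r in records:
        if 400 <= r.get("status", 0) < 500:
            counts[(r["src"], r["dst"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def _rec(ts, src, dst, dport, proto="tcp", **extra):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto, **extra}


# Constructed records; timestamps are seconds from an arbitrary start.
SAMPLE = (
    # infected workstation checks in with 203.0.113.9 about every 60 s
    [_rec(t, "10.20.3.7", "203.0.113.9", 443) for t in (0, 61, 120, 182, 240)]
    # ordinary browsing from a neighbour: irregular intervals
    + [_rec(t, "10.20.3.8", "198.51.100.5", 443) for t in (5, 9, 70, 400, 410)]
    # the infected host reaches into the neighbour's PC over SMB and RDP
    + [_rec(300, "10.20.3.7", "10.20.3.8", 445), _rec(305, "10.20.3.7", "10.20.3.8", 3389)]
    # a normal SMB connection to the file server, outside the workstation range
    + [_rec(310, "10.20.3.8", "10.50.0.10", 445)]
    # DNS: one lookup for the blocklisted name, one benign
    + [_rec(320, "10.20.3.7", "10.0.0.53", 53, proto="udp", qname="updates-cdn-check.example"),
       _rec(321, "10.20.3.8", "10.0.0.53", 53, proto="udp", qname="www.example.com")]
    # a third host hammering the intranet web server and collecting 401s
    + [_rec(t, "10.20.3.9", "10.50.0.20", 443, status=401) for t in (330, 331, 333, 337, 345, 360)]
)

if __name__ == "__main__":
    print("beaconing:", beacons(SAMPLE))
    print("lateral:  ", lateral_movement(SAMPLE))
    print("bad DNS:  ", dns_to_bad_domains(SAMPLE))
    print("4xx burst:", http_error_bursts(SAMPLE))
```

None of these checks needs packet payloads, which is the point of working from metadata: the beacon check uses only timestamps and the 5-tuple, and the lateral-movement check only addresses and ports. Thresholds such as the jitter bound and the 4xx count are starting values to tune against your own baseline, and the lateral check assumes you can name the address ranges where no workstation should ever be serving SMB or RDP to another.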
It’s worth noting that no single security vendor can prevent advanced, targeted attacks and remediate a threat once a breach has occurred. Strong security depends on an ecosystem of partners to break the kill chain at every link. We recognize this dependency, and so do our partners. Our efforts in creating GigaSECURE, the industry’s first Security Delivery Platform, have resulted in broad support from virtually every industry-leading security vendor. Together, we hope to win the fight.