Remember the good ol’ days of playing hide-and-seek? It’s hard to forget the rush of finding the perfect hiding place. I remember crouching into a tiny ball behind the clothes hanging in my mother’s closet, or standing frozen like a statue behind the curtain of our living room window. While it was “just a game” when we were kids, in today’s internet-connected world, that game has morphed into a much darker, more serious activity with attackers hiding in unexpected and oftentimes forgotten places. Attackers may live in some technologies, machines and systems for years, remaining unseen by antivirus and other detection controls.

I spoke with X-Force Red’s Chief Technology Officer and veteran hacker Steve Ocepek to learn more about the most popular attacker hideouts.

Where Can Attackers Hide?

In order to root them out, the best defensive hackers think like attackers. They know the top spots in which attackers could hide. From there, they can assess any type of environment, spot where attackers could hide for an extended period of time and show how those attackers may use that position to achieve their objectives. Ocepek says there are several likely places an attacker may call home. To find them, first look at personal computers.

According to Ocepek, attackers most often hide out in home-based computers. From there, they can compromise users by sending emails with malicious links or attachments or redirecting users to a malicious page. Typically, attackers use home PCs to build a botnet and launch more attacks. From a user’s standpoint, it’s tough to know if a computer is part of a botnet. Some signs include the machine or internet running slowly, but that happens to all of us, right?

Next, look at at-risk printers. Printers are configured to be easy to access and use, which means security is often overlooked. They are not viewed as a technology that needs patching, and as such they fall behind with open vulnerabilities. That’s a goldmine for attackers. With physical or network access, attackers could plant malicious software on a printer. Then, they can hide on the device and attack the connected network.

Working From Home Adds Entry Points

Although most offices sit empty these days, the most common way to compromise printers would be to gain transient access by infecting a user’s laptop (often through phishing), and then pivoting onto the printer. However, many printers are internet-connected, sometimes accidentally. A team of researchers recently proved how hackable printers can be when they accessed nearly 28,000 printers around the world and forced the devices to print a five-step guide about how to secure a printer.

Cable modems are also a likely entry point for an unexpected attack. Similar to printers, cable modems are not devices people often think about in terms of security. Unfortunately, their operating systems and software are often outdated. Even when this is known, users are not expected to update these devices, since the providers manage them. Instead, users tend to make their configurations less secure. For instance, they might open ports to play games on the home network. There’s also a sort of monoculture when it comes to cable modem hardware — if you hack into one, you can hack into millions. These devices sit openly on the internet. If attackers find known flaws, they can exploit them in large numbers.

The Low-Hanging Fruit of Attacks

When you’re searching for places where attackers can hide, don’t forget to check facility control systems. These systems are built and managed by third-party vendors, yet they sit on the same network as a company’s other devices. Attackers can jump from them to other systems such as network-connected door locks, HVAC and surveillance. Oftentimes, they are not locked down or patched because companies don’t want to risk disrupting technologies that are run by third-party vendors. They also tend to be ‘set and forget’ technologies, which means their operating systems are most likely outdated. Unfortunately, those factors combined can make these systems a low-hanging-fruit target for attackers.

Hiding an Attack in the Virtual Closet

Next, check forgotten virtual machines (VMs). When companies manage an armada of cloud-based virtual machines, some of them are most likely insecure. These devices may be throw-away test boxes or machines that developers set up and forgot about. They are also often public-facing, accessible from the internet, meaning anyone can reach them, and tend to be left out of the security program. To compromise these forgotten virtual machines, an attacker merely needs to find them via one of their frequent internet scans, or via an internet scanner, such as Shodan, and exploit an unpatched vulnerability or easily guessable password. Once compromised, the attacker installs a back door in order to command and control these systems, which also might have special access to other organization VMs.

All of those hideouts can serve as a place to live for attackers. Once inside, they can monitor a company’s traffic, perform reconnaissance and/or become part of a botnet or create their own. They can send commands to the infected devices, execute distributed denial-of-service attacks and commit fraud and other nefarious activities. In some cases, attackers could use the hideout as a foothold to then move laterally or deeper into the network, accessing whichever kind of information they want, whenever they want.

Shutting the Door on an Attack

So, how can you protect these overlooked hideouts? The typical prevention measures apply. Run antivirus software, keep operating systems up-to-date and understand your inventory, especially your cloud assets. It’s also important to engage with your third-party vendors to make sure they are keeping their products up to date.

Deploying ongoing vulnerability management and penetration testing programs can also help. Vulnerability management programs can detect known vulnerabilities such as a lack of antivirus software and outdated operating systems. They can also find rogue or forgotten cloud assets so that you always know what you have and whether it’s vulnerable to an attack. Penetration testing can help uncover vulnerabilities exposing devices that scanning tools cannot find, and it can show how attackers would use those vulnerabilities to accomplish their mission.
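One way a defender can turn "know what you have" into a repeatable check is to reconcile what the cloud account actually contains against what the security program believes it manages, and rank the gaps. The example below is added here and is not code from the article or from X-Force Red; the inventory records, asset names, addresses and the 90-day patch threshold are constructed assumptions, and in practice the inventory would come from a cloud provider export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    public_ip: Optional[str]   # None means the VM is not internet-facing
    last_patched: date
    owner: Optional[str]       # None means nobody claims the machine

# Constructed sample of what the cloud account really contains (not a real export).
CLOUD_INVENTORY = [
    Asset("web-prod-01", "203.0.113.10", date(2021, 1, 10), "webteam"),
    Asset("api-prod-02", None, date(2020, 12, 1), "platform"),
    Asset("dev-test-07", "203.0.113.55", date(2020, 6, 15), None),  # forgotten test box
    Asset("build-tmp-03", None, date(2020, 11, 1), "ci"),            # untracked, internal
]

# Constructed sample of what the security program (scanner/patching) covers.
MANAGED_ASSETS = {"web-prod-01", "api-prod-02"}

def triage(inventory, managed, today, max_patch_age_days=90):
    """Return [(name, score, reasons)] for assets that look like blind spots,
    highest score first. Scoring (assumed, not from the article): an
    internet-facing VM the security program does not track outranks
    an internal one; missing owner and stale patching add to the score."""
    findings = []
    for a in inventory:
        score, reasons = 0, []
        if a.name not in managed:
            if a.public_ip is not None:
                score += 3
                reasons.append("internet-facing and not in security program inventory")
            else:
                score += 2
                reasons.append("not in security program inventory")
        if a.owner is None:
            score += 1
            reasons.append("no owner recorded")
        if (today - a.last_patched).days > max_patch_age_days:
            score += 1
            reasons.append("not patched in over %d days" % max_patch_age_days)
        if reasons:
            findings.append((a.name, score, reasons))
    return sorted(findings, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    for name, score, reasons in triage(CLOUD_INVENTORY, MANAGED_ASSETS, date(2021, 1, 20)):
        print(name, score, "; ".join(reasons))
```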

Finally, be vigilant. Include these hideouts in your security programs. Attackers hide in them because they are blind spots. So, simply being aware of them can give you a leg up against the adversary.

To learn more about these hideouts and other topical security issues, such as commonly missed threats and vulnerabilities and risks that can arise in a hybrid and remote workforce, join X-Force Red, Tenable and your security colleagues on Jan. 28 in a virtual panel discussion about these and other issues. Register here.
