Remember the good ol’ days of playing hide-and-seek? It’s hard to forget the rush of finding the perfect hiding place. I remember crouching into a tiny ball behind the clothes hanging in my mother’s closet, or standing frozen like a statue behind the curtain of our living room window. While it was “just a game” when we were kids, in today’s internet-connected world, that game has morphed into a much darker, more serious activity with attackers hiding in unexpected and oftentimes forgotten places. Attackers may live in some technologies, machines and systems for years, remaining unseen by antivirus and other detection controls.

I spoke with X-Force Red’s Chief Technology Officer and veteran hacker Steve Ocepek to learn more about the most popular attacker hideouts.


Where Can Attackers Hide?

In order to root them out, the best defensive hackers think like attackers. They know the top spots in which attackers could hide. From there, they can assess any type of environment, spot where attackers could hide for an extended period of time and show how those attackers may use that position to achieve their objectives. Ocepek says there are several likely places an attacker may call home. To find them, first look at personal computers.

According to Ocepek, attackers most often hide out in home-based computers. From there, they can compromise users by sending emails with malicious links or attachments or redirecting users to a malicious page. Typically, attackers use home PCs to build a botnet and launch more attacks. From a user’s standpoint, it’s tough to know if a computer is part of a botnet. Some signs include the machine or internet running slowly, but that happens to all of us, right?

Next, look at at-risk printers. Printers are configured to be easy to access and use, which means security is often overlooked. They are not viewed as a technology that needs patching, and as such they fall behind with open vulnerabilities. That’s a goldmine for attackers. With physical or network access, attackers could plant malicious software on a printer. Then, they can hide on the device and attack the connected network.

Working From Home Adds Entry Points

Although most offices sit empty these days, the most common way to compromise printers would be to gain transient access by infecting a user’s laptop (often through phishing), and then pivoting onto the printer. However, many printers are internet-connected, sometimes accidentally. A team of researchers recently proved how hackable printers can be when they accessed nearly 28,000 printers around the world and forced the devices to print a five-step guide about how to secure a printer.

Cable modems are also a likely entry point for an unexpected attack. Like printers, cable modems are not devices people often think about in terms of security. Unfortunately, their operating systems and software are often outdated. Even when this is known, users are not expected to update these devices, since they are managed by their providers. What users typically do instead is make the devices less secure through configuration changes. For instance, they might open ports to play games on the home network. There is also a sort of monoculture when it comes to cable modem hardware: if you can hack into one model, you can hack into the millions of others like it. These devices sit openly on the internet, so if attackers find known flaws, they can exploit them at scale.

The Low-Hanging Fruit of Attacks

When you’re searching for places where attackers can hide, don’t forget to check facility control systems. These systems are built and managed by third-party vendors, yet they sit on the same network as a company’s other devices. Attackers can jump from them to other systems such as network-connected door locks, HVAC and surveillance. Oftentimes, they are not locked down or patched because companies don’t want to risk disrupting technologies that are run by third-party vendors. They also tend to be ‘set and forget’ technologies, which means their operating systems are most likely outdated. Unfortunately, those factors combined can make these systems a low-hanging-fruit target for attackers.

Hiding an Attack in the Virtual Closet

Next, check forgotten virtual machines (VMs). When companies manage an armada of cloud-based virtual machines, some of them are most likely insecure. These may be throw-away test boxes or machines that developers set up and forgot about. They are also often public-facing, accessible from the internet by anyone, and they tend to be left out of the security program. To compromise a forgotten virtual machine, an attacker merely needs to find it, whether through one of their own frequent internet scans or via an internet scanner such as Shodan, and then exploit an unpatched vulnerability or an easily guessable password. Once the machine is compromised, the attacker installs a back door to command and control it, and that machine may in turn have special access to the organization's other VMs.

All of those hideouts can serve as a place to live for attackers. Once inside, they can monitor a company’s traffic, perform reconnaissance and/or become part of a botnet or create their own. They can send commands to the infected devices, execute distributed denial-of-service attacks and commit fraud and other nefarious activities. In some cases, attackers could use the hideout as a foothold to then move laterally or deeper into the network, accessing whichever kind of information they want, whenever they want.

Shutting the Door on an Attack

So, how can you protect these overlooked hideouts? The typical prevention measures apply. Run antivirus software, keep operating systems up-to-date and understand your inventory, especially your cloud assets. It’s also important to engage with your third-party vendors to make sure they are keeping their products up to date.

Deploying ongoing vulnerability management and penetration testing programs can also help. Vulnerability management programs can detect known vulnerabilities such as a lack of antivirus software and outdated operating systems. They can also find rogue or forgotten cloud assets so that you always know what you have and whether it’s vulnerable to an attack. Penetration testing can help uncover vulnerabilities exposing devices that scanning tools cannot find, and it can show how attackers would use those vulnerabilities to accomplish their mission.
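One way to put the "forgotten VM" and asset-inventory points above into practice is a simple reconciliation check over a cloud inventory export. The following is an added example, not code from the article or from X-Force Red; the instance records, the policy thresholds and the supported-OS list are all constructed assumptions.

```python
# Added example (not from the article): flag cloud VMs that match the
# "forgotten virtual machine" profile described in the text: public-facing,
# unowned, outside the security program (no scan, no agent) or on an old OS.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class CloudVM:
    name: str
    public_ip: Optional[str]      # None if the VM has no internet-facing address
    owner_tag: Optional[str]      # owner/purpose tag; None = nobody claims it
    os_release: str
    last_scanned: Optional[date]  # last vulnerability scan; None = never scanned
    agent_installed: bool         # endpoint/antivirus agent present


# Assumed policy thresholds (constructed for this example)
MAX_SCAN_AGE_DAYS = 30
SUPPORTED_OS = {"ubuntu-22.04", "windows-2022"}


def forgotten_vm_findings(vms: List[CloudVM], today: date) -> Dict[str, List[str]]:
    """Return {vm_name: [reasons]} for every VM that needs attention."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        reasons = []
        if vm.public_ip and vm.owner_tag is None:
            reasons.append("public-facing with no owner tag")
        if vm.last_scanned is None:
            reasons.append("never vulnerability-scanned")
        elif (today - vm.last_scanned).days > MAX_SCAN_AGE_DAYS:
            reasons.append("scan older than %d days" % MAX_SCAN_AGE_DAYS)
        if not vm.agent_installed:
            reasons.append("no endpoint agent")
        if vm.os_release not in SUPPORTED_OS:
            reasons.append("unsupported OS " + vm.os_release)
        if reasons:
            findings[vm.name] = reasons
    return findings


# Constructed sample inventory export (IPs are documentation-range addresses)
SAMPLE_TODAY = date(2021, 1, 15)
SAMPLE_VMS = [
    CloudVM("web-prod-01", "203.0.113.10", "team-web", "ubuntu-22.04", date(2021, 1, 10), True),
    CloudVM("dev-test-old", "203.0.113.57", None, "ubuntu-16.04", None, False),
    CloudVM("batch-internal", None, "team-data", "windows-2022", date(2020, 10, 1), True),
]

if __name__ == "__main__":
    for name, reasons in forgotten_vm_findings(SAMPLE_VMS, SAMPLE_TODAY).items():
        print(name, "->", "; ".join(reasons))
```

In a real program the `SAMPLE_VMS` list would be replaced by the cloud provider's instance listing joined against the vulnerability scanner's and endpoint agent's own inventories.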

Finally, be vigilant. Include these hideouts in your security programs. Attackers hide in them because they are blind spots. So, simply being aware of them can give you a leg up against the adversary.

To learn more about these hideouts and other topical security issues, such as commonly missed threats and the vulnerabilities and risks that can arise in a hybrid and remote workforce, join X-Force Red, Tenable and your security colleagues on Jan. 28 for a virtual panel discussion.
