Remember the good ol’ days of playing hide-and-seek? It’s hard to forget the rush of finding the perfect hiding place. I remember crouching into a tiny ball behind the clothes hanging in my mother’s closet, or standing frozen like a statue behind the curtain of our living room window. While it was “just a game” when we were kids, in today’s internet-connected world, that game has morphed into a much darker, more serious activity with attackers hiding in unexpected and oftentimes forgotten places. Attackers may live in some technologies, machines and systems for years, remaining unseen by antivirus and other detection controls.

I spoke with X-Force Red’s Chief Technology Officer and veteran hacker Steve Ocepek to learn more about the most popular attacker hideouts.

Register for the webinar

Where Can Attackers Hide?

In order to root them out, the best defensive hackers think like attackers. They know the top spots in which attackers could hide. From there, they can assess any type of environment, spot where attackers could hide for an extended period of time and show how those attackers may use that position to achieve their objectives. Ocepek says there are several likely places an attacker may call home. To find them, first look at personal computers.

According to Ocepek, attackers most often hide out in home-based computers. From there, they can compromise users by sending emails with malicious links or attachments or redirecting users to a malicious page. Typically, attackers use home PCs to build a botnet and launch more attacks. From a user’s standpoint, it’s tough to know if a computer is part of a botnet. Some signs include the machine or internet running slowly, but that happens to all of us, right?

Next, look at at-risk printers. Printers are configured to be easy to access and use, which means security is often overlooked. They are not viewed as a technology that needs patching, and as such they fall behind with open vulnerabilities. That’s a goldmine for attackers. With physical or network access, attackers could plant malicious software on a printer. Then, they can hide on the device and attack the connected network.

Working From Home Adds Entry Points

Although most offices sit empty these days, the most common way to compromise printers would be to gain transient access by infecting a user’s laptop (often through phishing), and then pivoting onto the printer. However, many printers are internet-connected, sometimes accidentally. A team of researchers recently proved how hackable printers can be when they accessed nearly 28,000 printers around the world and forced the devices to print a five-step guide about how to secure a printer.

Cable modems are also a likely entry point for an unexpected attack. Similar to printers, cable modems are not devices people often think about in terms of security. Unfortunately, their operating systems and software are often outdated. Even when this is known, users are not expected to update these devices, since they are managed by their providers. Primarily, users create less secure configurations instead. For instance, they might open ports to play games on the home network. There’s also a sort of monoculture when it comes to cable modem hardware — if you hack into one, you can hack into millions. These devices sit openly on the internet. If attackers find known flaws, they can exploit them in large numbers.

The Low-Hanging Fruit of Attacks

When you’re searching for places where attackers can hide, don’t forget to check facility control systems. These systems are built and managed by third-party vendors, yet they sit on the same network as a company’s other devices. Attackers can jump from them to other systems such as network-connected door locks, HVAC and surveillance. Oftentimes, they are not locked down or patched because companies don’t want to risk disrupting technologies that are run by third-party vendors. They also tend to be ‘set and forget’ technologies, which means their operating systems are most likely outdated. Unfortunately, those factors combined can make these systems a low-hanging-fruit target for attackers.

Hiding an Attack in the Virtual Closet

Next, check forgotten virtual machines (VM). When companies manage an armada of cloud-based virtual machines, some of them are most likely insecure. These devices may be throw-away test boxes or machines that developers set up and forgot about. They are also often public-facing, accessible from the internet, meaning anyone can access them, and tend to be left out of the security program. To compromise these forgotten virtual machines, an attacker merely needs to find them via one of their frequent internet scans, or via an internet scanner, such as Shodan, and exploit an unpatched vulnerability or easily-guessable password. Once compromised, the attacker installs a back door in order to command and control these systems, which also might have special access to other organization VMs.

All of those hideouts can serve as a place to live for attackers. Once inside, they can monitor a company’s traffic, perform reconnaissance and/or become part of a botnet or create their own. They can send commands to the infected devices, execute distributed denial-of-service attacks and commit fraud and other nefarious activities. In some cases, attackers could use the hideout as a foothold to then move laterally or deeper into the network, accessing whichever kind of information they want, whenever they want.

Shutting the Door on an Attack

So, how can you protect these overlooked hideouts? The typical prevention measures apply. Run antivirus software, keep operating systems up-to-date and understand your inventory, especially your cloud assets. It’s also important to engage with your third-party vendors to make sure they are keeping their products up to date.

Deploying ongoing vulnerability management and penetration testing programs can also help. Vulnerability management programs can detect known vulnerabilities such as a lack of antivirus software and outdated operating systems. They can also find rogue or forgotten cloud assets so that you always know what you have and whether it’s vulnerable to an attack. Penetration testing can help uncover vulnerabilities exposing devices that scanning tools cannot find, and it can show how attackers would use those vulnerabilities to accomplish their mission.

Finally, be vigilant. Include these hideouts in your security programs. Attackers hide in them because they are blind spots. So, simply being aware of them can give you a leg up against the adversary.

To learn more about these hideouts and other topical security issues, such as commonly missed threats and vulnerabilities and risks that can arise in a hybrid and remote workforce, join X-Force Red, Tenable and your security colleagues on Jan. 28 in a virtual panel discussion about these and other issues. Register here.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today