Attivo Networks Blogs

Observations on the Cisco Switch Attack

Reading Time: 2 minutes  |  Published: April 6, 2018 in Blogs, Deception

By Tony Cole


Nation-states continue to probe all kinds of systems for vulnerabilities, and unfortunately they’re often successful at finding a path into almost any enterprise they want to compromise. Cisco reported this week that their Smart Install protocol was being ‘misused’ as an avenue to compromise by replacing the normal Cisco iOS operating system with attackers’ compromised version of their software. This flaw could give hackers a window into 168,000 vulnerable systems worldwide, some of them tied to critical infrastructure.


Today, we see lots of examples of vulnerable software, misconfigured systems and hardware with no security built in. They are scattered across most enterprises around the world and are quickly compromised when attacked. It doesn’t have to be this way.


In this instance with Cisco, their own team released an advisory report detailing the flaw over a year ago, yet the adversaries still found vulnerable systems. Cisco even released an open-source tool to allow organizations to scan themselves to determine whether they were at risk. Cisco also provided a signature for Snort to try and identify any attackers attempting to breach these systems via their vulnerable software.


Although Cisco took several measures to try and rectify the vulnerabilities with this legacy tool, it clearly wasn’t enough. The compromises only go even further to show how a focused emphasis on prevention technology won’t stop a determined cyber adversary. Organizations should expect that a vulnerability will always be found, and this won’t change for the foreseeable future. What we need is to balance the scales and take a more active security posture – with technology focused on threat prevention and threat detection via deception. Without the latter, you have a bank vault with lots of locks and no alarms. If someone gets past the locks, and you don’t have an alarm tied to the money, you’re going to lose it. This is why banks build strong locks and then alarms inside the bank and vault so that when someone gets inside, they immediately know about it.


In this case, had these compromised organizations had deception technology inside their network and on their endpoints, the adversaries would have tripped the alarms and been quickly stopped. Without deception to enable your detection strategy, you may as well be building banks with no alarms. I wouldn’t put my money in one.