Ransomware and the network threat vector


For many people, the term “hacking” means that a criminal has broken through a firewall to get access to a network. The firewall is one of the easiest security concepts for people to understand, and often is thought of as the guard at the gate who provides entry based on a list of authorized visitors or other criteria. It helps that the term “firewall” originated outside of IT as a literal physical wall that was meant to prevent a fire from spreading, so the word itself was already in the public vernacular before the Internet was popular. “Firewall” is also one of the oldest internet security terms, having been formally introduced by academia in the 1980s. Because of the history and context of the term, it makes sense that people tend to think that the firewall is what gets “broken” in a hack.

Modern firewalls are much more than a gate that allows traffic in and out based on simple rules. The latest firewalls provide several other functions, such as DHCP, secure VPNs, link balancing, and more. As business needs have evolved with the rise of branch offices, remote workers, and SaaS applications, the network firewall has evolved to keep pace, aggressively protecting the network perimeter and providing the services needed to enable the business it protects.

These changes have led to what is known as the “intelligent network perimeter.” This intelligence means that the network services follow the users, applications, and data, wherever these are deployed.   Modern firewalls are working smarter and doing more work than their predecessors, and perimeter security is more complex than it has ever been before.

When an attacker wants to gain entry into a network, he could use any number of threat vectors to run his attack.  We've already discussed some common attack methods using email and the web, illustrating how an attacker can compromise an entire network without ever bumping into a network firewall.    Still, the network firewall is an attractive target, and is almost always considered in a purposeful attack.

How do criminals get through a firewall?

The first steps usually involve network reconnaissance and vulnerability scanning.  This can be as simple as using automated software to look for a firewall with open ports, insecure services, and unpatched software.  Attackers then attempt to log in using default credentials or launch something like a dictionary attack to crack the user name and password combination.  If the attacker gets these credentials, he can then log in to the device and learn more about the system.
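From the defender's side, the credential-guessing step described above shows up in the firewall's admin login log. The following is an added example, not part of the original post or any vendor's code: it flags sources that rack up failed logins in a short window, a success that follows such a burst, and any login with a default account name. The log format, the account list, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (not a real product's log format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 src=192.0.2.55 user=backup result=fail
2024-05-01T09:20:00 src=192.0.2.55 user=backup result=fail
2024-05-01T09:40:00 src=192.0.2.55 user=backup result=fail
2024-05-01T10:00:00 src=192.0.2.55 user=backup result=fail
2024-05-01T10:00:01 src=203.0.113.7 user=admin result=fail
2024-05-01T10:00:09 src=203.0.113.7 user=admin result=fail
2024-05-01T10:00:17 src=203.0.113.7 user=admin result=fail
2024-05-01T10:00:25 src=203.0.113.7 user=admin result=fail
2024-05-01T10:00:31 src=198.51.100.20 user=jsmith result=fail
2024-05-01T10:00:40 src=198.51.100.20 user=jsmith result=ok
2024-05-01T10:00:52 src=203.0.113.7 user=admin result=ok
"""

DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}  # assumed list; adapt per device

def parse(line):
    """Split one log line into (timestamp, source IP, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]

def detect(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {source IP: sorted list of findings} for suspicious sources."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent_fails = defaultdict(list)   # src -> timestamps of failures in window
    findings = defaultdict(set)
    for ts, src, user, result in events:
        # Drop failures that have aged out of the sliding window.
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= window]
        if result == "fail":
            recent_fails[src].append(ts)
            if len(recent_fails[src]) >= threshold:
                findings[src].add("password_guessing")
        else:
            if len(recent_fails[src]) >= threshold:
                findings[src].add("success_after_guessing")  # treat as compromise
            if user in DEFAULT_ACCOUNTS:
                findings[src].add("default_account_login")
            recent_fails[src].clear()
    return {src: sorted(f) for src, f in findings.items()}

if __name__ == "__main__":
    for src, found in detect(SAMPLE_LOG).items():
        print(src, found)
```

With the default five-minute window, the slow source at 192.0.2.55 stays under the threshold, which is why a long-window rule belongs alongside the short one.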

What can be done with a compromised firewall?

Access to a firewall allows the criminal to learn more about the network and users on the other side.  What is being protected?  How many users are on the network?  Are there SQL servers or other types of resources that have potential vulnerabilities?  Are there wireless networks with insecure traffic that can be examined?

A compromised firewall can also allow a criminal to upload malicious files to the system, which means that he could launch a trojan backdoor, deploy ransomware, or otherwise infect the network.  If the firewall leads to other information about the network, a criminal might have unfettered access to the critical business systems in a short amount of time. 

What is the benefit to getting through a firewall rather than exploiting a user?

Social engineering continues to be the biggest threat to businesses, and the threat is growing all the time.  Because IT security technologies are advancing and becoming better at what they do, people are the more attractive targets.  It's just easier to trick a person than it is to get through a good security system.  However, information found in or behind a firewall can lead to higher quality social engineering.  What might have been a blanket phishing attempt against a company can turn into a much more convincing spear phishing attack on a department in that company.  The payoff can be much higher.

This type of access also allows criminals to launch attacks that do not require user participation. There is no need to trick a user into opening an infected attachment if you can simply upload the file and launch it yourself.

If you are a small or medium size business hit by ransomware, odds are that you will have been attacked through email or web threat vectors.  The network firewall is still going to be helpful in these scenarios, because it can make sure that simultaneous attacks aren't coming through or sending sensitive data to someone outside of the network.  With the level of connectivity around the world today, there's simply no excuse to not deploy a firewall to protect your network.

Barracuda offers multiple layers of security engineered to provide the best possible threat protection.  You can learn more about these solutions at the following sites:

If you’d like to know more about defending yourself from ransomware and other threats, visit these resources:

Our next post in the series will examine the application threat vector. 
