7 types of attacks SDP protects against


Software-defined perimeters (SDP) combine strong authentication, granular authorization and network segmentation so that users can reach applications from anywhere while the applications themselves stay hidden from anyone who has not been authenticated. A traditional firewall or VPN exposes a listening service and then tries to filter who gets through it; SDP authenticates the user and device first and only then builds a connection to the one resource they are entitled to. Compared with NAC, it authorizes per application rather than per network segment. The result is a smaller attack surface and simpler operations for users and IT admins alike.

SDP employs several techniques to provide secure access. First, it leverages identity and access management (IAM) to authenticate every user, and usually the device, before any connection to a resource is made. Second, it applies granular authorization so that each authenticated user can reach only the specific services they are entitled to. Perhaps the most powerful aspect of the approach is "resource cloaking": protected resources publish no DNS records and expose no visible IP ports to the Internet. In the Cloud Security Alliance's SDP architecture this is achieved by having the SDP gateway drop every packet by default and open a connection only after a valid single-packet authorization (SPA) from an enrolled client, with the controller telling the gateway exactly which user may reach which application. This significantly reduces a network's attack surface and creates a resilient defense against common attacks, such as the following:

Man in the Middle (MITM)

In a MITM attack, the attacker positions themself between a user and an application, typically on an untrusted network path such as public Wi-Fi or a compromised router, and reads or alters the traffic, often by impersonating the application the user expects. VPNs left an opening here: routing all cloud-bound traffic through the corporate VPN is slow and awkward, so many organizations split-tunnel, and traffic to SaaS applications leaves the encrypted tunnel and travels over whatever network the user happens to be on. SDP is cloud-native: the client establishes an authenticated, encrypted connection to each resource it is authorized for, whether that resource is in the cloud or on-premises, so there is no unprotected leg for an attacker to sit on. Properly validated TLS already defends against MITM at the application layer; what SDP adds is mutual authentication of client and gateway and the removal of any reason to bypass the tunnel.

Port Scanning

If an attacker can scan your open ports, they learn which services you run. A more detailed version or banner scan also reveals the software versions behind those ports, and a version with an unpatched vulnerability can be attacked with an off-the-shelf exploit. An SDP gateway breaks this kill chain at the first step: it answers no unauthenticated packet, so a scan shows no open ports and no banners. Attackers cannot fingerprint, let alone exploit, services they cannot see.

Distributed Denial of Service Attacks (DDoS)

In a DDoS attack, attackers direct traffic from hundreds or thousands of compromised devices around the world, a botnet, at a target until it is overwhelmed, either by the sheer volume of packets or by floods of expensive requests such as login attempts. DDoS is one of the most common types of cyberattack. The frequency of the most severe form of DDoS attack increased 967 percent in 2019, and some attackers now operate "DDoS as a Service" for other criminals to rent.

SDP narrows the DDoS problem because it protects specific applications and resources rather than the network in front of them. As described above, in the SDP model the applications and the hosts that run them are not exposed to the Internet at all; they cannot be targeted directly, and the gateway discards unauthenticated packets without doing any expensive work, which blunts application-layer floods. One caveat a practitioner should keep in mind: the gateway itself still has a reachable address, and a large enough volumetric flood can saturate its bandwidth, so SDP complements upstream DDoS scrubbing rather than replacing it.

Cross-Site Scripting (XSS) and SQL Injection

Cross-Site Scripting, SQL injection and related attacks target web applications that fail to validate or encode their inputs. With SQL injection, an attacker finds an input field, such as a contact or login form, and submits text that the application concatenates into a database query, so the attacker's text runs as SQL. With XSS, the injected text is script that the application later echoes into a page, where it runs in other users' browsers. Attacks that instead look for exposed ports and services on the public-facing Internet fall under the broader heading of "Public-Facing Application Exploits."

SDP deflects these attacks against internal applications by hiding their ports and supporting infrastructure from the public-facing Internet, so an attacker never gets to submit input to the form in the first place. Attackers cannot exploit what they cannot see. Micro-segmentation around each application workload adds a second layer: a workload that is compromised anyway can only talk to the peers its policy allows, not to an attacker's staging server or to other workloads. Two caveats apply. SDP does nothing for an application that must remain public, and an authenticated user, or malware on an authenticated device, can still exploit an injection flaw from inside the perimeter, so input validation, parameterized queries and output encoding remain necessary.
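An injection flaw survives SDP for anyone who can reach the form, so the fix belongs in the application. As an added example that is not from the original article, here is a deliberately vulnerable login query beside its parameterized form, plus output encoding for the XSS case, run against a constructed in-memory SQLite table (plaintext passwords are used only to keep the demo short):

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    username such as  ' OR 1=1 --  rewrites the WHERE clause and comments
    out the password check."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: bound parameters. The driver sends the values separately from
    the query text, so input can never change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_comment(author: str, body: str) -> str:
    """XSS defense: encode user-controlled text before placing it in HTML so a
    submitted <script> tag is displayed as text instead of executed."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1 --", "whatever"))      # logs in without a password
    print(login_parameterized(db, "' OR 1=1 --", "whatever"))   # None
    print(render_comment("mallory", "<script>alert(1)</script>"))
```

The vulnerable function returns the first user in the table for the injected username; the parameterized one treats the same string as a literal username that does not exist.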

Lateral Movement Using Credential-Based Attacks

Once an attacker is connected to your network through a tool like a VPN, they are largely unconstrained: they can scan for your services, identify unpatched vulnerabilities, and move laterally through the network to exploit them. With SDP the story is very different. Access is granted one connection at a time, from one authenticated user to one authorized application, and the connection is torn down when the session ends. SDP grants no network-level access, so a user, or an attacker who has compromised that user's device, cannot pivot from the resource they were authorized to reach to anything else.
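The authenticate-then-connect model behind the overview, the port-scanning section and this lateral-movement section, as an added illustration in Python that is not Ericom's or any SDP product's code: a gateway that answers nothing unless a packet carries a valid, fresh, unreplayed single-packet authorization, and then grants one user one application and nothing else. The device keys, the policy table and the packet format are assumptions made for the example; real deployments use per-device certificates and mutual TLS after the knock. A scanner's probes get no reply at all, and a valid knock for an application outside the user's policy is dropped exactly like a forged one.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample data standing in for what an SDP controller provisions.
CLIENT_SECRETS = {
    "alice@example.com": b"alice-device-key-0001",
    "bob@example.com": b"bob-device-key-0002",
}
# Identity -> the only applications that identity may be connected to.
POLICY = {
    "alice@example.com": {"crm:443"},
    "bob@example.com": {"crm:443", "jenkins:8080"},
}
SPA_WINDOW_SECONDS = 30  # how stale a knock may be before it is ignored


def build_spa(identity: str, app: str, now: Optional[float] = None,
              nonce: Optional[str] = None) -> bytes:
    """Client side: one signed packet naming who is asking and for which app."""
    body = {
        "id": identity,
        "app": app,
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce or secrets.token_hex(8),
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(CLIENT_SECRETS[identity], payload, hashlib.sha256).hexdigest()
    return payload + b"|" + tag.encode()


class Gateway:
    """Default-drop gateway: any packet that is not a valid SPA gets no reply."""

    def __init__(self) -> None:
        self.seen_nonces = set()   # (identity, nonce) pairs already accepted
        self.sessions = []         # per-user, per-app connections granted

    def handle_packet(self, packet: bytes, now: Optional[float] = None) -> Optional[dict]:
        now = now if now is not None else time.time()
        # Malformed input is dropped silently (None), never answered with an
        # error: to a scanner the port looks filtered, not open.
        try:
            payload, tag = packet.rsplit(b"|", 1)
            body = json.loads(payload)
            identity, app = str(body["id"]), str(body["app"])
            ts, nonce = int(body["ts"]), str(body["nonce"])
        except (ValueError, KeyError, TypeError):
            return None
        secret = CLIENT_SECRETS.get(identity)
        if secret is None:
            return None                      # unknown device
        expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or tampered knock
        if abs(now - ts) > SPA_WINDOW_SECONDS or (identity, nonce) in self.seen_nonces:
            return None                      # stale, or a replay of a captured knock
        self.seen_nonces.add((identity, nonce))
        if app not in POLICY.get(identity, set()):
            return None                      # authenticated, but not authorized for this app
        session = {"identity": identity, "app": app, "expires": now + 300}
        self.sessions.append(session)        # 1 user -> 1 app; nothing else is reachable
        return session


def port_scan(gw: Gateway, probes) -> list:
    """What a scanner sees: one None per probe, i.e. no banner and no open port."""
    return [gw.handle_packet(p) for p in probes]


if __name__ == "__main__":
    gw = Gateway()
    print(port_scan(gw, [b"GET / HTTP/1.0\r\n\r\n", b"SSH-2.0-probe\r\n", b"\x00" * 16]))
    print(gw.handle_packet(build_spa("alice@example.com", "crm:443")))
    print(gw.handle_packet(build_spa("alice@example.com", "jenkins:8080")))
```

Every rejection path returns the same silent None, which is the point: the attacker cannot distinguish "wrong key", "replayed", "not authorized" or "no such service", and so learns nothing from probing.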

DNS Hijacking

If attackers gain control of the router your users connect through, or otherwise interfere with DNS resolution, they can answer your users' lookups with the address of a malicious site. Such a site may look exactly like the one the user expected but is built to harvest login credentials or drop malware. Ordinarily the operating system sends every lookup to whatever resolver the network hands out, or to a public one such as Google's or Cloudflare's. An SDP client instead learns the names and addresses of protected resources from the SDP controller over an authenticated channel and never asks the local resolver about them, so even if the router you are connected to has been taken over, a hijacked DNS answer cannot send you to an impostor in place of a protected application. This protection covers resources inside the perimeter; lookups for the public web still travel the normal path unless the client encrypts those too.
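The split resolution just described, as an added example in Python that is not the code of any SDP product: the client accepts a name-to-address directory only if its integrity tag from the controller verifies, answers protected names exclusively from that directory, fails closed for protected names it does not know, and leaves everything else to the local resolver, which is exactly where a hijack still bites. The controller key, the protected suffix and the directory format are assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Assumptions for the example: the client holds a key shared with the
# controller, and every protected name lives under one DNS suffix.
CONTROLLER_KEY = b"controller-directory-key-0001"
PROTECTED_SUFFIX = ".corp.internal"


def sign_directory(directory: dict) -> dict:
    """Controller side: publish the name -> address map with an integrity tag."""
    payload = json.dumps(directory, sort_keys=True).encode()
    mac = hmac.new(CONTROLLER_KEY, payload, hashlib.sha256).hexdigest()
    return {"directory": directory, "mac": mac}


class SdpResolver:
    """Client side: protected names are answered only from the controller's directory."""

    def __init__(self, signed_directory: dict) -> None:
        payload = json.dumps(signed_directory["directory"], sort_keys=True).encode()
        expected = hmac.new(CONTROLLER_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed_directory["mac"]):
            # A directory altered in transit (or by a hijacked network) is refused.
            raise ValueError("directory rejected: integrity check failed")
        self.directory = {k.lower(): v for k, v in signed_directory["directory"].items()}

    def resolve(self, name: str, upstream: Callable[[str], Optional[str]]) -> Optional[str]:
        """`upstream` is the resolver the network handed out, which may be hijacked."""
        name = name.lower().rstrip(".")
        if name.endswith(PROTECTED_SUFFIX):
            # Fail closed: an unknown protected name gets no answer rather than
            # being leaked to, and answered by, the local resolver.
            return self.directory.get(name)
        return upstream(name)  # everything else still follows the normal DNS path


if __name__ == "__main__":
    # Constructed scenario: the local resolver has been hijacked to point
    # everything at an attacker-controlled address.
    hijacked = lambda n: "203.0.113.66"
    resolver = SdpResolver(sign_directory({"crm.corp.internal": "10.20.0.5"}))
    print(resolver.resolve("crm.corp.internal", hijacked))    # 10.20.0.5
    print(resolver.resolve("www.example.com", hijacked))      # 203.0.113.66: not protected
```

The second lookup is the caveat in code: a hijacked resolver still decides where the public web goes, so "built-in DNS" protects the applications behind the perimeter, not the user's general browsing.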

Legacy Application Attacks

Many organizations, especially banks, insurance companies and government agencies, still run applications that were designed before the cloud era. Connecting them to the Internet is risky because they were never built for it: they may not integrate with your identity and access management (IAM) system, and they may offer no access logging or monitoring at all.

Upgrading these legacy applications to full enterprise security readiness takes a lot of time and money, yet they are in constant use. SDP provides an effective answer: enforce a policy that the legacy application can only be reached through the SDP service. The SDP layer then fronts the application with its own authentication, authorization and access logging, isolates it from the rest of the network, and hides it from the Internet.

Conclusion

While the attacks listed above are some of the most common ones that involve the Internet, the list is far from exhaustive. The good news, however, is that hackers seek target-rich environments. If you’re using an SDP solution, then it is highly likely that an attacker who is looking for targets will take a look at your organization, find that there are no good toeholds for reconnaissance, and look somewhere else.

Photo credit: Tashatuvango/Shutterstock

Gerry Grealish is Chief Marketing Officer at Ericom Software. He is a security industry veteran, bringing over 20 years of Marketing and product experience in cybersecurity and related technologies. Responsible for Marketing and Business Development, Gerry previously was at Symantec, where he was responsible for the Go-To-Market activities for the company’s Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed CASB innovator, Perspecsys, where he was CMO.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.