DeepSec 2020 Talk: Caught in the Middle with You: Examining the Implications of Adversary Midpoint Collection — Joe Slowik
Information security typically focuses on endpoint exploitation and manipulation. Endpoints are where our tools reside (EDR, log sources, and similar artifacts), and where we are most comfortable operating, as these are the systems we interact with on a daily basis. However, adversaries increasingly migrate attacks to cover “midpoint” techniques (DNS manipulation, router exploitation, and traffic shaping mechanisms) to circumvent both endpoint and network defenses. Such actions shift operations either to devices we are unfamiliar with (routers, VPN concentrators, and similar devices) or to systems and services completely outside our control (ISP equipment and fundamental Internet functionality). Although media stories highlighting such attacks exist, most threat analysis provides little information on the implications of such attacks or on defensive strategies to meet them.
By analyzing revelations emerging from various NSA-related leaks, followed by consideration of several campaigns exploiting vulnerabilities in enterprise network devices, we can begin to understand the scope and implications of “midpoint” attack scenarios. Proceeding to discussion of DNS traffic hijacking and BGP manipulation, we can gain even greater appreciation for how the fundamentally insecure nature of vital aspects of the Internet and network communication protocols enable and assist the execution of multi-stage, difficult to defend…