
Trusting Your Security Appliance Is Your Weakest Link

David Wolpoff (moose)


Security tools are kind of like credit cards. Not enough and you won’t function; too many and they all become useless.

Running a security program involves a great deal of trust. You have to trust your team to effectively carry out their roles; you have to trust that hackers do not know everything about your system; and you have to trust that your security vendors’ products are secure. But we know that you can’t trust anything, including third-party security vendors. There’s an entire marketing movement around it: “zero trust.”

One need look no further than the bevy of vulnerabilities found in security appliances over the last 12 months, including those from Palo Alto Networks, F5 and Citrix (or even the infamous 2020 SolarWinds attack), for proof. Boards and CISOs are starting to question their entire suite of third-party vendors, and with good reason.

But for some reason, organizations continue to put too much trust in security tools, and they lack contingency plans for what to do when their security appliances get pwned. The reality is that security tools are often the weakest link, and often an attacker’s best way in.

Security tools can make life harder for an attacker like me, but they also present the greatest opportunity. I can target them just as easily as any other technology. In fact, I prefer to go after them because they typically get me more access.

One security solution = Single point of failure

For simplicity’s sake, organizations often purchase a single security solution that covers multiple security functions. It’s logical — one solution “checks the box” on many of the security controls you need. But the problem with purchasing one security solution for everything is that you have a single point of failure. If the box is compromised, everything fails.

As an attacker, I only have to pick a single lock. If I do this, not only have I gained access to the network, but to a highly trusted box that awards me a lot of privilege. This doesn’t mean companies shouldn’t use these appliances. But it does mean they need to be aware of the risk and bake the possibility of losing control of these appliances into their security protocols.

Popping a VPN that was also a firewall and a logger

Let’s take a recent experience of mine, and play it through. I was recently asked by a financial services institution to access their “crown jewels.” All it took for me to compromise their entire network was:

1. figuring out what VPN they used (easy; I could figure that out by scanning the internet)

2. finding a vulnerability in the VPN, and then building an exploit.

That’s exactly what I did — and what a number of attackers did during the past year’s many attacks (including some of the more recent ransomware attacks). The vulnerability I discovered gave me complete control over the device itself, so I could completely pwn the device and all its functionalities in one fell swoop. You see, the VPN this organization was using wasn’t just a VPN — it served as a firewall and did logging and network segmentation, too. This security system was designed to protect them, but every part of its functionality could no longer be trusted. For that matter, how could this organization trust the logs if their logger itself was compromised?

Endpoint security layers work the same way. Most organizations put one type of EDR solution or antivirus on every single one of their endpoints. If I can exploit that one solution (or just bypass it), I’m good to go on every single one of the computers in their network.

Okay, what are you supposed to do then?

The annoying, but real answer: a lot of blocking and tackling. If you decide to buy the Palo Alto device, you need to play the tape out: if this device fails, then what?

Vendors aren’t perfect. That’s been proven time and time again. If you’re dependent on only one box, it needs to be perfect 100% of the time, which is a logical impossibility! You need to have lots of controls, layered on top of each other. “Defense in depth” cannot be achieved by one box that holds all your controls. You need multiple layers, with different controls for when something fails (which everything will at some point).

Zero Trust includes your third-party security tools. Do not fall into the trap of thinking that just because it is an out-of-the-box appliance and it costs a lot of money to stand up, it is impenetrable. In security, nothing is impenetrable — not even security tools. Consider your security boxes to be just as hackable as, and more attractive to an attacker than, other boxes. Have contingency plans in place for when your chosen security solution makes the headlines.

You don’t have to be perfect. You just have to make my life as the attacker a little bit harder, consistently, over time. Even making my job a little more difficult can spell the difference between becoming a headline and keeping an attacker out of your system altogether.



David Wolpoff (moose)

temporarily unemployed. previously co-founder @randori. once upon a time a red-teamer.