Rats in the walls (and in your network)



Ever had an inspector tell you that you have rats in your walls?

Granted, it’s not likely to be something you’ll want to widely admit, but it happens, no matter how clean, how affluent, or how prestigious you might be. All it takes is the confluence of the right factors. Just add kids, leftover food (the two kind of go hand in hand), changes in the environment around your home, or a general lack of cleanliness, and you’ve got an environment with factors inviting rats in. With kids you know a certain amount of chaos, activity and clutter is going to happen.

Employees are the same.

They leave files all over the place. They do personal things during work time and on work machines, activities that don’t match the intent and purpose of the machine. Those activities invite the rats in, just like clutter and more attract them in real life. Really, it can be even easier than that. All it takes is for your house (walls) to have what those rats want: the food they are looking for or a pathway to get to it. Walls are like highways for getting quickly from one place to another, usually to a location with chow or other vittles. Networks aren’t any different. Rats are using your network to roam around looking for the information (food) they are after. If the source is rich and accessible without much danger, they’ll keep coming back until that changes. Which brings us to security.

Rats, as used here, can literally be Remote Access Trojans (RATs), but here they are synonymous with the adversary trying to access your information. Rats get in your walls because you have something they want, and because the danger in doing so is slight. If it’s not, if getting in poses a hazard to them, or if the barrier to breaking in is higher than that of your neighbor, then they don’t.

That’s not usually the case though, is it?

Security is purposeful. It doesn’t happen by accident. Either you thought of the security, or someone did it on your behalf. When you buy something out of the box (your computer or cell phone) it comes with default security. Someone conceptualized and implemented the security for you in that situation. Their baseline of adequate security, however, might be much lower than yours. Maybe they are okay with sharing your location with any app on your phone, while that bothers you. Perhaps that default installation of Windows isn’t quite at the level of security you would consider good enough. Maybe it is.

I’ve sat in a lot of security meetings. In a recent one, we framed a common scenario that arises when discussing security. It was about the pain of implementing something. Everyone has a breakpoint. A point where the cost (time, resources, money, etc.) exceeds the pain (what it takes to make it work). For some, that breakpoint is pretty low. If it costs a bit too much or they can’t get it free, well, it just isn’t worth it. They take the risk. They take the risk that ransomware won’t get into their enterprise and wipe them out as a company, because setting up a redundant backup system is too expensive. They neglect applying a proper scheme of identity and permissions. After all, what could go wrong by maintaining an across-the-board access schema?

It comes down to risk management. What do you consider risky? Intangibles are hard to measure, but are among the most impactful factors you can evaluate. Are you measuring these, along with the more tangible factors, to define where you sit on the scale between taking the risk of letting something negative happen and being able to stop it in its tracks, no matter how arduous that change might be?

Where do you sit? Is your risk management process defined? Do you follow it? It’s one thing to outline a process because you are forced to by regulation and another to implement and follow it. The two don’t always come hand in hand. Is your appetite for risk reflected in the priority intelligence requirements (PIRs) that you defined with your threat team?

Are there rats in your walls?



Author Monty St. John is an experienced professional in threat security, and offers threat hunting and intelligence courses with the accredited CyberDefenses Academy. Learn what he does to keep rats out of his walls (and keep them out of yours) with his cybersecurity training courses.

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.