Uninvited Guests: Sophisticated Cyber Criminals Require Smarter Safeguards
It looks like a routine hotel booking. In reality, it’s a cyberattack in disguise. And by the time you realize the threat, it’s too late—the bad actors have already seized the data they came for.
That’s the scenario many unfortunate hospitality businesses have found themselves in due to a sophisticated attack that’s been targeting hotels, booking sites, and travel agents. A malicious actor makes a booking request, choosing the “pay at hotel” option, then sends the hotel booking agent a series of urgent and seemingly heartfelt emails with links to “photos” or documents that are really an executable infostealer. Once run, the infostealer harvests the agent’s credentials for the booking platform, and the attacker now has direct, trusted access to the booking system, enabling them to send hotel guests phishing messages. Here’s the insidious part: since the messages come from within the booking site’s own messaging platform, the recipients assume they are legitimate. They willingly hand over their credit card or other personal information, as requested.
This is just one example of the sophistication of attacks targeting the hospitality industry: social engineering is used to slip past security controls and assume the cloak of authenticity. It’s a dramatic illustration of why traditional protections, conventional multi-factor authentication (MFA) included, are no longer adequate on their own. After all, trust was granted at every step of the process.
Blind Spots
The businesses involved likely have safeguards throughout their environment: controls that block unknown executables, anti-malware protection, URL filtering, email gateways that filter attachments, and more. Yet breaches continue to occur. The fact is, security teams often have blind spots when it comes to knowing what is actually occurring in their environment.
A key threat vector is the communication between internal systems that is needed to do business; it creates pathways an attacker can follow to reach their objective. The web server behind a public booking site, for example, has a trusted connection to internal systems such as the database server that holds reservations. An attacker who gains a foothold on that web server, whether through a SQL injection flaw or another weakness in the application, can see which systems it is permitted to talk to and then use those trusted connections to move deeper into the network.
Smart Segmentation
While internal networks are segmented and governed by rules, that’s not enough. You need safeguards based on Zero Trust principles. A key foundation of Zero Trust is a more advanced segmentation technology that can establish not only which devices on the network talk to one another—but also how these devices talk to one another.
This involves collecting data about the organization’s IT infrastructure (this can be achieved via a mix of agent-based sensors, network-based data collectors, virtual private cloud flow logs from cloud providers, and integrations that enable agentless functionality). The result is a detailed map of the infrastructure that allows security teams to view activity in a granular way—on both a user level and a process level—in real time and historically.
This understanding of how devices communicate enables security teams to determine what “normal” traffic looks like, allowing the creation of segmentation policies based on actual workloads. Unusual behavior that may be indicative of an attack is detected and the threat actor’s movement within the network is restricted or blocked. Think of it as having a software-defined firewall around each of the systems within your infrastructure, including those systems within the same segment.
Learning the Patterns
However, this protection cannot rest on static rules alone. There will occasionally be valid exceptions to “normal” traffic that you don’t want to block. More critically, bad actors are always changing their tactics in the never-ending “whack-a-mole” game of cybersecurity. What’s needed is an ongoing, AI-based analysis of traffic flows that learns whatever the “new normal” is. This lets you spot the often subtle anomalies that indicate suspicious traffic and head off an attack before it can do damage.
As today’s sophisticated, targeted attacks on hospitality businesses show, stopping a bad actor at the front door isn’t always possible. Once that uninvited guest is inside your infrastructure, how can you defuse the situation and minimize the “blast radius” of an attack? Smart segmentation that relies on a granular, dynamic awareness of what’s occurring throughout your environment is a key component of a robust Zero Trust strategy.
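To make the “Smart Segmentation” and “Learning the Patterns” ideas concrete, here is an added example (illustrative code written for this article, not Akamai’s or any product’s implementation). It learns an allow policy from observed flows keyed on who talks to whom and on which port and process, denies everything else, and shows how an operator-approved exception is admitted without loosening the rest of the policy. The workload labels (web-booking, db-reservations, frontdesk-ws, and so on), process names, and all flow records are constructed sample data.

```javascript
'use strict';

// Added example, not from the article or any product: a process-aware
// segmentation policy learned from observed flows. Workload labels, process
// names and all flow records are constructed sample data.

// One observed connection, as an agent or network collector would report it.
function flow(src, dst, dport, proto, process) {
  return { src, dst, dport, proto, process };
}
const pairKey = (f) => `${f.src}|${f.dst}`;                     // who talks to whom
const serviceKey = (f) => `${f.proto}/${f.dport}|${f.process}`; // how they talk
const flowKey = (f) => `${pairKey(f)}|${serviceKey(f)}`;

// Constructed baseline: flows observed during a learning period.
const BASELINE_FLOWS = [
  ...Array(40).fill(flow('web-booking', 'db-reservations', 5432, 'tcp', 'php-fpm')),
  ...Array(25).fill(flow('web-booking', 'cache-sessions', 6379, 'tcp', 'php-fpm')),
  ...Array(30).fill(flow('frontdesk-ws', 'web-booking', 443, 'tcp', 'chrome')),
  ...Array(12).fill(flow('frontdesk-ws', 'mail-gw', 587, 'tcp', 'outlook')),
  // Seen once during learning: too little evidence to become an allow rule.
  flow('web-booking', 'frontdesk-ws', 445, 'tcp', 'php-fpm'),
];

// Keep only flow tuples seen at least minCount times, so one odd connection
// captured during the learning window is not baked into the policy.
function learnBaseline(flows, minCount = 2) {
  const counts = new Map();
  for (const f of flows) {
    const entry = counts.get(flowKey(f)) || { f, n: 0 };
    entry.n += 1;
    counts.set(flowKey(f), entry);
  }
  return [...counts.values()].filter((e) => e.n >= minCount).map((e) => e.f);
}

// Index the baseline as allow rules: pairKey -> Set of serviceKey. A workload
// pair absent from the index is implicitly denied, which gives each system its
// own firewall even against neighbours in the same network segment.
function buildPolicy(baseline) {
  const policy = new Map();
  for (const f of baseline) {
    if (!policy.has(pairKey(f))) policy.set(pairKey(f), new Set());
    policy.get(pairKey(f)).add(serviceKey(f));
  }
  return policy;
}

// Classify a live flow: "allow", or "block:<reason>" so the log says why.
function evaluate(f, policy) {
  const rules = policy.get(pairKey(f));
  if (!rules) return 'block:unknown-peer';               // these two never talked
  if (rules.has(serviceKey(f))) return 'allow';
  const knownProcess = [...rules].some((r) => r.split('|')[1] === f.process);
  return knownProcess ? 'block:unexpected-port'          // known program, new service
                      : 'block:unexpected-process';      // known path, new program
}

// Operator-approved exception: the policy is data, so a legitimate "new normal"
// can be admitted for one pair and service without loosening anything else.
function approveException(policy, f) {
  if (!policy.has(pairKey(f))) policy.set(pairKey(f), new Set());
  policy.get(pairKey(f)).add(serviceKey(f));
  return policy;
}

// Demo with constructed live flows; the last four resemble post-compromise
// lateral movement (an infostealer on a workstation, SMB from the web tier, ...).
const demoPolicy = buildPolicy(learnBaseline(BASELINE_FLOWS));
const liveFlows = [
  flow('web-booking', 'db-reservations', 5432, 'tcp', 'php-fpm'),
  flow('frontdesk-ws', 'db-reservations', 5432, 'tcp', 'photos.exe'),
  flow('web-booking', 'frontdesk-ws', 445, 'tcp', 'php-fpm'),
  flow('web-booking', 'db-reservations', 22, 'tcp', 'php-fpm'),
  flow('web-booking', 'db-reservations', 5432, 'tcp', 'bash'),
];
for (const f of liveFlows) console.log(flowKey(f).padEnd(56), evaluate(f, demoPolicy));
```

Two design points matter in practice. The baseline requires repetition before a tuple becomes an allow rule, otherwise an attacker who is already present during the learning window gets their traffic whitelisted. And the verdicts distinguish a known process on a new port from a new process on a known path, because the second case (for example a shell, rather than the application, opening the database connection) is the stronger signal of compromise and should be escalated rather than queued as a possible exception.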
Trust but Verify
That strategy should be multifaceted, and it should include phishing-resistant authentication based on the FIDO2 and WebAuthn standards. At registration, the user’s authenticator (a mobile phone or a hardware security key) generates a key pair that is bound to the identifier of the website it was registered with, and the browser, the authenticator, and the authentication service share that binding. At each login the authenticator signs a fresh server challenge together with the origin the browser actually observed, so the credential never leaves the device, and an assertion produced on a lookalike domain or relayed through a man-in-the-middle (MITM) proxy fails verification at the genuine service.
All of the technologies described in this article exist today. Yet many hospitality businesses continue to rely on a combination of traditional security tools and luck. Taking an approach based on the idea of “trust but verify” by leveraging today’s smart segmentation technologies can give you the edge in the ongoing battle to keep uninvited guests out of your critical systems.
About the Author
Tony Lauro is currently Director of Security Technology & Strategy for Akamai. He's been involved with information security since the late 90s, when he worked for a large US-based telecom provider. Since then, Tony has worked with Akamai's top global clients to provide cybersecurity guidance, architectural analysis, web application and network security expertise.