How do you steal something that doesn’t exist? That’s the thinking behind the widespread fallacy that virtual desktop infrastructure (VDI) is more secure than physical desktops.
People assume that when a desktop session runs in a virtual environment, it’s somehow untouchable. Even if hackers wanted to launch a virtual desktop attack, the thinking goes, it would have no place to originate or propagate. Therefore, hackers wouldn’t even bother targeting virtual machines.
It’s a comforting notion. Unfortunately, it’s entirely incorrect.
The Hard Truth About VDI Security
Partly due to misleading marketing messages and partly due to wishful thinking, many users believe VDI offers much stronger security than it actually does. Two misconceptions are common: that an attacker cannot get a foothold in a virtual session because it has no local storage, and that ending a non-persistent VDI session wipes out any threat that was present in it. There is a kernel of truth in both, but no more than that.
Virtual sessions may not have local storage, but they still have abundant entry points. A session is a full desktop running with the user's credentials and network access; should an attacker gain control of it, it is a short jump to the servers full of critical data and applications that the session connects to. The virtual desktop itself has little value as an endpoint but tremendous value as a starting point for lateral movement.
Ending a session won't help, either. Attackers have learned to establish persistence that survives the reset, so their payload is resurrected in each new session: anything planted in a roaming or persisted user profile, in the golden image the sessions are cloned from, or on the back-end servers the sessions connect to is still there when the next session starts. With companies rushing to implement VDI in response to the coronavirus pandemic, many deployments have security holes that make it even easier to establish that persistence and exploit data at will.
Making matters worse, unrealistic expectations about VDI security mean most companies rely exclusively on the protections around the host server. The sessions themselves are left exposed, with no endpoint protection inside them, and once an attacker is inside a session it is already too late.
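As an added illustration (not code from the original article) of why a session reset does not clean up this kind of persistence, the following PowerShell audit, run inside a fresh session, lists the autorun locations that come back with a persisted user profile and flags anything launching from a user-writable path. It assumes a Windows VDI whose user profiles are preserved across sessions (roaming profile, FSLogix, Citrix UPM or similar), so the HKCU hive (NTUSER.DAT) and %APPDATA% return with every logon; the path heuristic is a starting point for triage, not a verdict.

```powershell
# Added example, not from the original post. Audits persistence locations that
# survive a non-persistent VDI reset because they live in the user profile layer
# rather than on the discarded VM disk.
# Assumptions: Windows VDI; user profiles persist across sessions (roaming
# profile, FSLogix, Citrix UPM or similar). Run inside a session as the user.

$findings = @()

# 1. HKCU Run/RunOnce values are stored in NTUSER.DAT, which roams with the profile.
foreach ($key in @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds.
            if ($p.Name -notmatch '^PS') {
                $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Target = [string]$p.Value }
            }
        }
    }
}

# 2. The per-user Startup folder lives under %APPDATA%, also part of the profile.
#    Shortcuts are resolved to their target so the path check looks at what runs.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-Path $startup) {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -File | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $findings += [pscustomobject]@{ Location = $startup; Name = $_.Name; Target = $target }
    }
}

# 3. Scheduled tasks are stored on the machine, not in the profile. In a truly
#    non-persistent pool they only survive if they were baked into the golden
#    image, so any task running as the current user is worth a look either way.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$env:USERNAME*" } | ForEach-Object {
    $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Location = 'ScheduledTask'; Name = $_.TaskName; Target = $action }
}

# Flag entries whose executable sits in a user-writable location. Legitimate
# roaming autoruns are rare, and anything launching from %APPDATA%, %LOCALAPPDATA%,
# %TEMP% or the profile root deserves a second look. (Heuristic, not a verdict.)
$suspectPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
foreach ($f in $findings) {
    $isSuspect = ($suspectPaths | Where-Object { $f.Target -like "$_*" }).Count -gt 0
    $f | Add-Member -NotePropertyName Suspect -NotePropertyValue $isSuspect
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it at the start of a brand-new session, before the user has opened anything: every entry it lists was present before the session existed, which is exactly what "ending the session sanitizes the threat" fails to account for. Compare the output against a clean reference profile and the golden image's own autoruns to separate sanctioned entries from planted ones.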
The hard truth about VDI security is that it doesn’t deter hackers. On the contrary, it attracts bad actors looking for an easy target.
Ways to Attack a Virtual Desktop
From a hacker's perspective, virtual desktops are no different from their physical counterparts: any attack that works on one works on the other. That includes a whole arsenal of attacks: infostealers, banking Trojans, keyloggers, screen scraping, password recording, and many more. Virtual desktops may be distinct in terms of mobility and accessibility. In terms of security, however, they are basically like all desktops: under attack from all sides.
To illustrate how agnostic hackers are when it comes to targeting desktops, consider zero-day attacks, which exploit flaws the software vendor has not yet discovered or patched. Those flaws are present in the application whether it runs on a physical or a virtual desktop. Being virtual provides no defense at all.
The same is true for phishing attacks, still one of the most common and successful ways adversaries achieve Initial Access to a network. A malicious link in a phishing email looks identical on a virtual or a physical desktop. What happens after the click might differ, but the point is that newer technology like VDI provides no immunity, or even modest protection, against cyberattacks, including those that have existed for decades.
A Realistic Approach to VDI Security
Understanding the flaws in VDI security is an important first step, but the hard work comes next: securing every virtual session without inflating the resources dedicated to security to an unsustainable level.
Realistically, that is not possible with conventional tools. VDIs face the same kinds of threats as physical desktops, but they do not have the same defensive posture. Antivirus signature updates and machine-learning scans run in every session on a host at once and can drag down VDI performance, creating a tension between the accessibility of virtual machines (their best feature) and the security they require in a dangerous digital environment. Deploying an endpoint detection and response platform in each session likewise risks straining the network with constant telemetry collection and monitoring.
Fortunately, conventional agents are not the only option. Moving target defense takes a different approach to VDI security. In the simplest terms, it does not try to stop every technique an adversary might use, because that would be futile. Instead, it applies evasive maneuvers to application memory so that the techniques attackers depend on to reach goals such as Initial Access, Lateral Movement and Privilege Escalation fail. Not only is this approach more effective than existing methods of VDI security, it is also more efficient.
If you rely on VDI (especially to enable remote work), it’s time to take a closer, more critical look at security.