
How Hackers Compromise Virtual Desktop Infrastructure

Posted by Brad LaPorte on December 3, 2024

How do you steal something that doesn’t exist? That’s the thinking behind the widespread fallacy that virtual desktop infrastructure (VDI) is more secure than physical desktops.

VDI Exposed: The Hidden Danger in Virtual Desktops

People assume that when a desktop session runs in a virtual environment, it’s somehow untouchable. Even if hackers wanted to launch a virtual desktop attack, the thinking goes, it would have no place to originate or propagate. Therefore, hackers wouldn’t even bother targeting virtual machines.

It’s a comforting notion. Unfortunately, it’s entirely incorrect.


The Hard Truth About VDI Security

Partly due to misleading marketing messages and partly due to wishful thinking, many users believe VDI offers much stronger security than it actually does. Common misconceptions include that hackers can’t launch an attack into a virtual session since there isn’t local storage, and that ending a session (in a non-persistent VDI) sanitizes any threats present in that session. There’s a kernel of truth in both those assumptions, but that’s all.

Virtual sessions may not have local storage, but they still have abundant entry points. Should a hacker gain access to a virtual session, it’s a short jump to servers full of critical data and apps. The virtual desktop infrastructure has little value as an endpoint but tremendous value as a starting point for lateral movement.

Ending a session won’t help, either. Hackers have learned how to establish persistence in a virtual network so their attacks get resurrected into each new session. In recent years companies have increasingly deployed VDI; however, many deployments have security holes that make it even easier to establish persistence and exploit data at will.

Making matters worse, unrealistic expectations about VDI security mean most companies rely exclusively on protections surrounding the host server. Consequently, the sessions themselves exist alone in the wild. They’re unsecured without endpoint protection in place – and once hackers get inside a session it’s already too late.

The hard truth about VDI security is that it doesn’t deter hackers. On the contrary, it attracts bad actors looking for an easy target.


Ways to Attack a Virtual Desktop

From a hacker’s perspective, virtual desktops are no different than their physical counterparts – any attack that works on one works on the other. That includes a whole arsenal of attacks: infostealers, banking Trojans, keyloggers, screen scraping, password recording, and many more. Virtual desktops may be distinct in terms of mobility and accessibility. In terms of security, however, they’re basically like all desktops: under attack from all sides.

To illustrate how agnostic hackers are when it comes to targeting desktops, consider zero-day attacks that leverage security flaws overlooked by developers. These flaws are the same regardless of whether an app is running on a physical or virtual desktop. Being virtual doesn’t provide any defense at all.

The same is true for phishing attacks – still one of the most common and successful ways adversaries achieve Initial Access on a network. A malicious link included in a phishing email appears identical on a virtual or physical desktop. What happens after clicking the link might differ, but the point is that new technology like VDI doesn’t provide immunity or even modest protection against cyberattacks – including those that have existed for decades.

If a VDI session is compromised, it can expose an organization to a variety of threats such as malware, insider threats, and ransomware.


A Realistic Approach to VDI Security

Understanding the flaws in VDI security is an important first step, but the hard work comes next: securing every virtual session without inflating the number of resources dedicated to cybersecurity to an unsustainable level.

Realistically, that’s not possible. VDIs may face similar types of threats to physical desktops, but that doesn’t mean they have the same defensive posture. Updates to antivirus signature databases or machine learning algorithms can compromise VDI performance, creating a tension between the accessibility of virtual machines (their best feature) and the security they require in a dangerous digital environment. Additionally, deploying endpoint detection and response platforms risks network strain from constant telemetry collection and monitoring.

Fortunately, those trade-offs aren’t strictly necessary. Automated Moving Target Defense (AMTD) takes an entirely new approach to VDI security. In the simplest terms possible, it doesn’t try to stop every possible technique an adversary might leverage in an attack, because that would be futile.

Instead, AMTD applies evasive maneuvers to the application memory, preventing many of the tactics required to achieve goals such as Initial Access, Lateral Movement, Privilege Escalation, and more. Not only is this approach more effective than existing methods of VDI security, but it’s also more efficient too.


Stopping Undetectable Attacks with Preemptive Cyber Defense

Traditional detection-based approaches can’t stop undetectable attacks targeting VDI. Until recently, true threat prevention has been hard to achieve. As security leaders look to adopt holistic and progressive cyber strategies, they’re turning to preemptive cyber defense: an approach underpinned by the ability to anticipate and act against potential threats before they occur. Gartner recognizes AMTD as an innovative technology that enables preemptive cyber defense.

Powered by AMTD, Morphisec’s Anti-Ransomware Assurance Suite offers a flexible, layered approach with Adaptive Exposure Management, Infiltration Protection, Impact Protection and Incident Response Services.

If you rely on VDI (especially to enable remote work), it’s time to consider preemptive cyber defense to protect your infrastructure from ever-evolving and sophisticated threats. See how Morphisec’s Anti-Ransomware Assurance Suite can help — book a personalized demo today.
