Mandiant have recently published their 2015 M-Trends report which highlights the new attack trends they have identified through their role as security incident first responders over the last year. It is an interesting and informative report which is worth a read, and can be found here (registration is required, I’m afraid!). A couple of key points from the report caught my attention, most notably how attackers are exploiting remote access facilities such as VPNs.
Remote access as the attack vector
According to the report, Mandiant found that a number of attacks involved compromising remote access points to gain a foothold in the organisation’s IT infrastructure. Remote connections such as Virtual Private Networks (VPNs) and Remote Desktop (RDP) that require only a username and password are most at risk of being compromised: attackers simply re-use valid credentials stolen from compromised end-user systems, from the Active Directory domain or through social engineering.
Even certificate-based remote access is vulnerable: attackers use a variety of tools to extract certificates from compromised end-user systems, or steal VPN certificates that were distributed to users in an insecure manner, such as attached to unencrypted emails or stored on open network file shares.
Once attackers had breached the remote access security controls, they were able to blend into the normal remote access traffic of other employees to maintain access to the target’s network, which gave them plenty of time to find other internal vulnerabilities to exploit. VPN logs were a telltale source of evidence: the source IP addresses of the authenticated user sessions used in the attack changed quickly, switching between address blocks owned by different providers in separate geographies. However, not all companies actively monitor their remote access logs…
Protecting your remote access points
Regular password expiry may provide some protection, but an attacker could still be on your systems for the whole of the expiry period, which could be anything up to 180 days (the default setting on some Microsoft domain controllers). By that time your systems will have been disrupted and your data will be long gone.
One (relatively) simple way to secure remote access is to employ two-factor authentication, so that the compromise of static credentials such as usernames, passwords and certificates does not by itself compromise the security of remote access into your corporate network. There are countless two-factor authentication solutions to choose from, including hardware-based solutions (e.g. RSA SecurID), software-based solutions (e.g. Google Authenticator) and mobile phone/SMS-based solutions.
Whether you employ two-factor authentication or not, you still need to monitor your remote access logs for suspicious activity that may indicate a breach (or a breach attempt). This could include:
– high volumes of failed login attempts for specific user accounts
– concurrent remote access sessions using the same credentials
– unexpected remote connections from foreign locations (especially if you do not have staff that work from those locations)
– uncharacteristic remote log-ins outside of business hours
– users with shorter than normal VPN connection times, but from wildly varying locations
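As an added example (not part of the original post or of Mandiant's report), the following Python sweeps a handful of constructed VPN log lines for the five indicators listed above. The log format, the `geo=` country field and the thresholds are assumptions for the example; adapt the parser to whatever your VPN concentrator actually writes.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (assumed format): "<timestamp> <event> user=<u> src=<ip> geo=<cc>"
VPN_LOG = """\
2015-03-02T03:10:05 LOGIN_OK user=alice src=203.0.113.7 geo=GB
2015-03-02T03:14:40 LOGOUT user=alice src=203.0.113.7 geo=GB
2015-03-02T03:20:11 LOGIN_OK user=alice src=198.51.100.23 geo=RO
2015-03-02T03:22:59 LOGOUT user=alice src=198.51.100.23 geo=RO
2015-03-02T09:05:00 LOGIN_OK user=bob src=192.0.2.44 geo=GB
2015-03-02T09:06:00 LOGIN_OK user=bob src=198.51.100.9 geo=BR
2015-03-02T10:00:00 LOGIN_FAIL user=carol src=198.51.100.50 geo=CN
2015-03-02T10:00:02 LOGIN_FAIL user=carol src=198.51.100.50 geo=CN
2015-03-02T10:00:04 LOGIN_FAIL user=carol src=198.51.100.50 geo=CN
"""
EXPECTED_GEOS = {"GB"}          # countries your staff actually work from (assumed)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 in the concentrator's local time (assumed)
FAIL_THRESHOLD, SHORT_SESSION_MIN = 3, 10   # assumed thresholds, tune for your environment

def find_alerts(log_text):
    """Return a set of (indicator, user) pairs for the five indicators in the post."""
    alerts, fails = set(), defaultdict(int)
    active = defaultdict(set)      # user -> source IPs with an open session
    started, sessions = {}, defaultdict(list)  # sessions: user -> [(minutes, geo)]
    for line in log_text.splitlines():
        ts, event, *kv = line.split()
        r = dict(f.split("=", 1) for f in kv)
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        user, src, geo = r["user"], r["src"], r["geo"]
        if event == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] >= FAIL_THRESHOLD:
                alerts.add(("many_failed_logins", user))
        elif event == "LOGIN_OK":
            if geo not in EXPECTED_GEOS:
                alerts.add(("unexpected_location", user))
            if t.hour not in BUSINESS_HOURS:
                alerts.add(("outside_business_hours", user))
            active[user].add(src)
            if len(active[user]) > 1:   # same credentials, two live sessions
                alerts.add(("concurrent_sessions", user))
            started[(user, src)] = t
        elif event == "LOGOUT" and (user, src) in started:
            active[user].discard(src)
            minutes = (t - started.pop((user, src))).total_seconds() / 60
            sessions[user].append((minutes, geo))
    for user, s in sessions.items():   # short hops from several different countries
        if all(m < SHORT_SESSION_MIN for m, _ in s) and len({g for _, g in s}) > 1:
            alerts.add(("short_sessions_varying_location", user))
    return alerts
```

Running `find_alerts(VPN_LOG)` on the constructed sample flags alice for off-hours, unexpected-location and short-sessions-from-varying-locations, bob for concurrent sessions and an unexpected location, and carol for repeated failed logins.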
Finally, have a tested response plan ready to contain and investigate any potential breaches of your remote access infrastructure.
Remote access is the front door into your IT network. Secure it as you would your physical premises – lock, monitor, respond.