Cybersecurity is a constant game of cat and mouse, with attackers and defenders locked in a perpetual race to find, exploit and patch vulnerabilities. With most of the world still working remotely, and by all indications looking to stay that way for the foreseeable future, it’s no surprise that attackers have focused on compromising remote access tools. Based on what we’ve learned from our threat intel analysts, incident response teams and customers, we’ve compiled several findings, as well as best practice recommendations for securing remote user access.
Credentials are the holy grail for attackers: obtain legitimate user access, and you’re free to move about a corporate network undetected, because every action the attacker performs is cloaked as legitimate user behavior. This is made worse by traffic encryption, which shields the attacker’s sessions from inspection by most network security tools. If the headlines are any indication, attacks leveraging VPNs and remote access tools are on the rise. This year’s Oldsmar, Florida water treatment plant intrusion was the result of basic cybersecurity precautions and best practices not being in place. The SolarWinds campaign, in part, leveraged stolen credentials and bypasses of two-factor authentication (2FA). Then there are compromises of the VPNs themselves, including recently disclosed vulnerabilities in Fortinet and Pulse Secure VPN appliances. According to the Department of Homeland Security, the DarkSide ransomware group, responsible for the Colonial Pipeline attack, has been leveraging vulnerable remote access infrastructure to compromise organizations. Among the recommendations DHS makes are limiting user access to remote desktop software and implementing strong authentication.
The challenge for today’s defenders is that they have data everywhere, and much of it sits in third-party software-as-a-service (SaaS) applications outside of corporate-owned data centers. Employees connect directly to SaaS applications, bypassing any security inspection performed at corporate headquarters. Even for organizations that do route traffic back to headquarters, most of it is encrypted and never inspected. Microsoft Remote Desktop Protocol (RDP), Secure Shell (SSH) and Virtual Network Computing (VNC) remain popular, along with a host of open source VPNs. Most organizations rely heavily on personally owned devices and combine several of these remote access methods at once.
With devices and applications you don’t own handling the data you do own, it’s easy to see how security becomes problematic. The explosion in the use of personally owned devices during COVID expanded the attack surface of every organization almost overnight. Incident response is especially difficult when the point of origin of an attack was an unmanaged, employee-owned device: forensic data can only be obtained from the internet service provider or with the user’s consent. Attacks that chain multiple exploits can require retrieving logs from the cloud provider, the endpoint owner and the ISP, and then correlating all of that with whatever data the organization actually owns. Factor in the number of ways an unmanaged device can reach corporate resources (direct to application, tunneling protocols and VPN) and you can see how attacker dwell time can easily swell into the better part of a year undetected.
Most personally owned devices have lax or nonexistent security controls compared to corporate devices, so the barrier to entry for attackers is much lower. Spear phishing, compromised home routers (often unpatched or configured with weak security controls), and unpatched, vulnerable applications on the endpoints themselves are all routinely seen by our incident response teams. Small and medium-sized businesses often rely on BYOD at scale because issuing managed devices is cost prohibitive; compromised remote access is particularly damaging for them.
Although some organizations have implemented deny and allow lists, Web Application Firewalls (WAFs) and Cloud Access Security Brokers (CASBs) to secure SaaS apps, synchronizing policies across these tools is a manual effort that remains inconsistent. It’s not uncommon for security teams to be completely unaware of which users have credentialed access to third-party applications, or which of them hold super-user privileges. While many organizations have begun implementing 2FA, they often fail to enforce it for corporate email, such as Microsoft Exchange or Gmail; this oversight offers an easy entry point for attackers. Others fail to apply uniform authentication and security controls across their SaaS applications, such as G Suite or Office 365.
If there’s a lesson to be learned from a year of remote access abuse, it’s that visibility remains the single biggest challenge. Although the ideal solution is to manage all remote access through a single, global service edge that combines networking and security, there are steps organizations should take immediately to protect themselves. Think of it as defense in depth for remote access: a multi-layered approach that provides redundant layers of inspection and enforcement, so that a failure of any one control does not hand the attacker the network.
We recommend the following: