CERT Warns Bad Actors Are Targeting Remote Access – How Security Operations Find And Route These “Below The Radar” Attacks

New Ransomware/Exfiltration Campaign Targeting Remote Access Resists Resolution Through Data Restoration

By Saryu Nayyar, CEO, Gurucul

Remote access tools, such as VPNs, RDP, VNC, Citrix, and others, have always been an inviting target for attackers. Even 2003’s Matrix Reloaded used an exploit against an old version of Secure Shell (SSH) as a plot device, a rare cinematic example of a real-world cyber-security threat. The recent shift to a remote workforce in response to a global pandemic has made remote access an even more inviting target for threat actors of all stripes.

As a recent report from New Zealand’s CERT pointed out, malicious actors are actively focusing on remote access vectors, using a range of attack techniques. While unpatched systems are an ongoing issue, attackers are also targeting weak authentication schemes, including a notable lack of two-factor authentication. The users themselves are also a primary target. Targeted email, such as spear phishing, which goes after a specific individual, or cast-netting, which targets people within a single organization, has a history of success and has seen a noticeable rise.

Fortunately, information security professionals still have a range of tools and techniques they can use to help prevent breaches and to mitigate them when they do happen.

Many attack scenarios, especially ones involving remote access attacks, start with targeting the users themselves. Many penetration testers will tell you the users are the easiest target and the first thing they’ll go after. But this also gives an organization the opportunity to convert its user base from part of the attack surface into its first line of defense. Making sure you have trained them on best practices and have enabled a strong multi-factor authentication scheme can go a long way toward preventing unauthorized access.

For many organizations, the Security Operations team, rather than their users, is the main line of defense. Even when the services are provided in whole or in part by a third party, they are the ones who have the ultimate responsibility for the organization’s security well-being. This means assuring they have the correct tools and the right training is as important as making sure the users are trained and equipped. The question becomes whether they have the right tools and training to identify and mitigate attack profiles that have now shifted to target the remote workforce.

The threats they have been historically focused on have not disappeared, but they may no longer be the primary attack surface.  Likewise, the tools they use to identify and mitigate attacks may not be the best ones now that the attacker’s focus has shifted.

Threat actors have become increasingly skilled at compromising systems and then hiding their activity “below the radar”, which makes it harder to detect. This is even more true now that they have a remote workforce both to target for attack and to use for concealment. That means the SecOps team will need to look at the situation holistically rather than relying on single indicators of compromise.

To that end, an advanced security analytics platform that can consolidate all the organization’s security data into a single place and then perform AI-based analytics across the entirety of the data may be in order. By looking at all the information, it is possible to identify anomalous behavior that differs subtly from what’s expected, or accepted, for a normal user. That can be the first indication of a compromise. Using machine learning techniques, the system can adapt to the changing threat surface and present a risk-based assessment to the SecOps team.

Combined with their existing tools and efficient automation, security operations personnel can get ahead of an attack to keep a single compromised account or remote access system from escalating to a serious data breach.

About the Author

Saryu Nayyar is the CEO of Gurucul. She is an internationally recognized cybersecurity expert, author, and speaker with more than 15 years of experience in the information security, identity and access management, IT risk and compliance, and security risk management sectors. She was named an EY Entrepreneurial Winning Women honoree in 2017. She has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun) and Disney, and held senior positions in the technology security and risk management practice of Ernst & Young. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection, and dynamic risk scoring inventions.

Saryu can be reached on Twitter at @Gurucul