Written by: Robert Crisp, VP of Field Technical Operations at Attivo Networks – With the recent rapid rise in the number of remote and mobile workers, VPN infrastructures are at risk. The increased scale and load on VPN infrastructures are taxing these remote-worker technologies, and less secure operating practices are creating new opportunities for attackers.
As with any network infrastructure technology, VPNs are an attractive target for attackers – they are a trusted path into the network. Should attackers compromise the VPN infrastructure, they could potentially gain access to the internal network and to the administrative management infrastructure, logging, and even Active Directory.
Unfortunately, when a company needs to adjust rapidly to the needs of the business, it cannot always implement all of the “normal” security controls. Under the pressure to maintain business operations, choices are made that can weaken the defined security practices and expose potential holes for attackers to exploit. When this occurs, a security practitioner should make sure adequate detection capabilities are in place to quickly inform security teams when a bad actor has gotten through the prevention defenses.
Detection via cyber deception is a top solution of choice for efficiently addressing normal as well as “spiked” in-network threat detection needs.
Among its many benefits, detection through deception technology provides an effective overlay that gives a “security blanket” level of assurance while new technologies, expansions, or topology changes are being implemented.
One of the core functions of the Attivo Networks ThreatDefend® platform is the ability to create campaigns focused on deceptive credentials. These campaigns are incredibly flexible and designed around real or fake account names, user names, and even service-type accounts, including cloud and SaaS applications. Such a variety allows for almost unlimited creativity in deploying and managing deception campaigns.
Although the typical use case is to deploy deceptive credential campaigns to endpoints, servers, and cloud environments so that they alert when attackers use them, the platform can also monitor the usage of critical accounts without deploying the credential campaigns to endpoints at all.
SIEMs log failed attempts to access infrastructure services, but the sheer volume of such events often means analysts do not give them the attention they deserve, even though they can indicate nefarious activity. By configuring the ThreatDefend platform to monitor the SIEM for the failed use of these critical accounts, the organization gains an effective alerting mechanism that delivers concise and actionable details on such activity.
Figure 1: Attivo deception campaigns allow for the deployment of deceptive credentials to production endpoints as well as the monitoring of SIEMs for the attempted use of credentials on critical systems
The following example of service account monitoring is from an Attivo customer and occurred during the initial roll-out and configuration of the Attivo solution.
- The customer created a deceptive credential campaign around real-world service account names for critical infrastructure devices
- They then configured the BOTsink deception server to monitor the SIEM for logon failures using the service account campaign. The solution generated a high-level alert when the SIEM logged a service account login failure.
- The BOTsink server alerted on SIEM-generated login failures into the organization’s VPN concentrators using the device service accounts and default password. The alert included the attacking IP, the IP of the VPN concentrators, and the details of the account used.
- The security response team investigated the alerts and determined that an attacker group was systematically and slowly probing the organization’s VPN devices to gain access without bringing attention to their activity.
- Despite a robust security posture, Attivo was the only deployed solution that alerted the security team to the attacker activity, allowing them to respond quickly and audit the configuration of the organization’s VPN deployment.
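The detection described in the steps above boils down to matching SIEM logon-failure events against a watch list of service account names and then grouping the hits by source address, so that a slow probe spread across several VPN concentrators stands out. The following is an added illustration, not code from Attivo or the ThreatDefend platform; the syslog-style line format, the account names and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample SIEM lines for VPN authentication events. The field layout
# (AUTH_FAIL/AUTH_OK, user=, src=, dst=) is an assumption made for this example.
SAMPLE_LOGS = [
    "2020-04-02T01:12:05Z vpn-gw-01 AUTH_FAIL user=svc-backup src=203.0.113.7 dst=10.0.0.11",
    "2020-04-02T01:19:44Z vpn-gw-02 AUTH_FAIL user=svc-backup src=203.0.113.7 dst=10.0.0.12",
    "2020-04-02T01:27:30Z vpn-gw-01 AUTH_FAIL user=jsmith src=198.51.100.4 dst=10.0.0.11",
    "2020-04-02T02:03:12Z vpn-gw-03 AUTH_FAIL user=svc-monitor src=203.0.113.7 dst=10.0.0.13",
    "2020-04-02T02:05:00Z vpn-gw-01 AUTH_OK user=jsmith src=198.51.100.4 dst=10.0.0.11",
    "malformed line that a real SIEM export might also contain",
]

# Service account names placed in the deceptive credential campaign (constructed).
# Any failed logon with one of these names is worth an alert on its own.
WATCHED_ACCOUNTS = {"svc-backup", "svc-monitor"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH_FAIL|AUTH_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(line):
    """Parse one SIEM line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def watched_failures(lines, watched=WATCHED_ACCOUNTS):
    """Return one alert per failed logon that used a watched service account,
    carrying the attacker IP, the targeted VPN device IP and the account name."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev and ev["event"] == "AUTH_FAIL" and ev["user"] in watched:
            alerts.append({"time": ev["ts"], "account": ev["user"],
                           "attacker_ip": ev["src"], "vpn_ip": ev["dst"]})
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP; several distinct targets from one source is
    the low-and-slow probing pattern the case study describes."""
    summary = defaultdict(lambda: {"accounts": set(), "targets": set(), "count": 0})
    for a in alerts:
        entry = summary[a["attacker_ip"]]
        entry["accounts"].add(a["account"])
        entry["targets"].add(a["vpn_ip"])
        entry["count"] += 1
    return dict(summary)
```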
Figure 2: Example real-world alert detail generated during the scenario
Had the attempt been successful, the attackers would have gained access to the organization’s network and RADIUS server infrastructure.
Along with the example, Attivo provides other methodologies to secure VPN access to corporate networks.
- Deploying deceptive credentials for VPN accounts on remote worker endpoints.
- Projecting decoys into the landing subnets for VPN connections inside the organization. This method provides an extremely effective tool for detecting and alerting on unauthorized scanning behavior. It is also essential to consider that most VPN deployments are in bridged mode, which places all connections on the same broadcast domain. Anyone who gains unauthorized access via VPN can take advantage of this when running network scans, ping sweeps, and the like, because it is difficult for security teams to identify the source of the activity.
The ThreatDefend platform is a proven solution for organizations to protect their VPN access points and remote workforce. To learn more, please visit www.attivonetworks.com.