Using Deception to Counter RDP Attacks
Written by: Mike Parkin, Product Marketing Engineer
A recent blog post by Ionut Arghire over at SecurityWeek highlighted both Remote Desktop Protocol (RDP) attacks and attackers using obfuscation and encryption techniques to mask their communication while they’re leveraging RDP. It’s an interesting read, and it goes into some depth on the specific tools and techniques involved.
While these are not new techniques – using a remote graphical desktop such as RDP or the similar Virtual Network Computing (VNC) protocol, and hiding the traffic in encrypted back channels – they are being reported more frequently. Fortunately, there are several best practices security administrators can implement to help mitigate these attacks, and deception technology can be a powerful tool to counter them as well.
Attackers use RDP not only to access hosts they have already compromised; they also scan for systems with exposed RDP services so they can compromise those systems and add them to their footprint. Deception technology disrupts this attack in several ways. First, when defenders deploy decoy systems with RDP services exposed, an attacker sees a mixture of effectively identical systems and gains a false picture of the target landscape. If they engage with one of the decoy systems, regardless of whether they obfuscated or encrypted their traffic to get there, the decoy identifies them, triggers an alert, and records everything the attacker does. The forensic information the incident response team gleans from observing the attacker helps them improve their existing defenses, mitigating future attacks.
Beyond network decoys, deception placed on the endpoints in the form of breadcrumbs and deceptive credentials, including RDP-specific credentials, leads attackers straight into the decoys and away from production assets. No matter how they executed their initial compromise, or whether they’re obfuscating their traffic, these deceptions lead the attacker into revealing themselves so the incident response team can stop the attack and remediate any damage. Once the defenders identify a compromised host, they can search for other systems the attacker accessed, including RDP connections, to better understand the scope of the compromise and thoroughly remediate it.
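To make the two mechanisms above concrete, here is an added example (not Attivo code, and not from the SecurityWeek post) of a minimal low-interaction RDP decoy: it reads the first PDU an RDP client sends, the X.224 Connection Request, pulls the username out of the `mstshash` routing cookie, and raises a high-severity alert when that username is one of the deceptive credentials planted on an endpoint, naming the host it was harvested from. The hostnames, usernames and the sample request bytes are all constructed for illustration.

```python
import socket
import struct
COOKIE_PREFIX = b"Cookie: mstshash="
# Constructed mapping (hypothetical hosts): the endpoint each deceptive RDP username
# was planted on, so the decoy can name the production host the attacker took it from.
PLANTED_CREDS = {"svc_backup": "WS-FIN-07", "rdpadmin": "WS-HR-12"}
# Constructed sample: TPKT header + X.224 Connection Request with the planted cookie.
SAMPLE_REQUEST = (
    b"\x03\x00\x00\x28"                  # TPKT: version 3, total length 40
    + b"\x23\xe0\x00\x00\x00\x00\x00"    # X.224 CR TPDU: LI = 35, code 0xE0, refs, class
    + COOKIE_PREFIX + b"svc_backup\r\n"  # routing cookie carrying the username
)
def parse_x224_connect(data):
    """Parse an RDP X.224 Connection Request (MS-RDPBCGR 2.2.1.1); None if malformed."""
    if len(data) < 11 or data[0] != 0x03:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    body = data[4:tpkt_len]
    li = body[0] if body else 0          # bytes that follow LI in the TPDU
    if tpkt_len > len(data) or li < 6 or li + 1 > len(body) or body[1] & 0xF0 != 0xE0:
        return None
    payload = body[7:li + 1]             # after DST-REF, SRC-REF and class option
    info = {"user": None}
    if payload.startswith(COOKIE_PREFIX):
        end = payload.find(b"\r\n")
        if end == -1:
            return None
        info["user"] = payload[len(COOKIE_PREFIX):end].decode("ascii", "replace")
    return info
def classify(info, peer):
    """Any contact with the decoy is an alert; a planted username raises severity."""
    user = info["user"] if info else None
    planted_on = PLANTED_CREDS.get(user)
    return {"peer": peer, "user": user, "planted_on": planted_on,
            "severity": "high" if planted_on else "medium"}
def serve(bind="0.0.0.0", port=3389):
    """Low-interaction decoy: log each peer's first PDU, then drop the connection."""
    srv = socket.socket()
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        conn.settimeout(5)
        try:
            data = conn.recv(1024)
        except OSError:                  # timeout or reset: still worth an alert
            data = b""
        conn.close()                     # never answer, so the peer learns nothing
        print("DECOY-RDP", classify(parse_x224_connect(data), addr[0]))
```

Run `serve()` on a host that has no legitimate reason to receive RDP; a non-RDP probe (a port scanner's banner grab, for instance) fails to parse and still produces a medium-severity record, while a planted username points the responders at the endpoint the breadcrumb came from.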
Another capability Attivo Networks offers that complements our deception capabilities is the ThreatPath solution. It lets the information security team visualize the access relationships between systems and which credentials grant access to which hosts. With that information, they can identify the threat paths an attacker could use to spread across the network and close them before an attacker can exploit them.
Deception is an easy addition to the security stack, reinforcing existing defenses and disrupting attacks even as attackers alter, obfuscate, and adapt their techniques. Deception shifts the balance of power to the defender.
Check out how Attivo Networks shifts the balance of power and can counter RDP attacks.