Cyber Defense eMagazine January 2020 Edition

More documents

Recommendations

Info

30 How To Mitigate The Risks Of Remote Desktop Protocol By Chris Morales, head of security analytics at Vectra Remote Desktop Protocol (RDP) is an invaluable tool for any business wanting to save money and create efficiencies through centrally controlling all its computer assets no matter how far away or isolated. However, such a capability is also a tempting prospect for cybercriminals looking to exploit the system for their own gains, with Vectra research highlighting that malicious RDP behaviours are experienced by nine out of ten organisations. The research also reveals which industries and size of organisations have the most RDP detections, along with examples of how cybercriminals and state-sponsored actors are using RDP. Why is RDP so attractive? Traditionally, a business that wanted to fix issues on its computers that were situated away from its central offices had two choices; either send out engineers to resolve the issue or have them permanently stationed locally. Neither option is ideal with a call out costing in the region of US$2,200, while having an engineer based on a remote site is unlikely to be cost effective. Further, as more than 60 percent of machine issues can be fixed remotely, it is no wonder more and more companies are turning to RDP. Using the protocol, one engineer can do the work of a whole team without the need to leave a central control room through being able to potentially access and control every computer on the network. However, it is this very capability that makes infiltrating an organisation’s RDP so attractive for threat actors, enabling them to cause chaos without being detected. No wonder the FBI has warned that such activity has been on the rise since mid-late 2016. 30
31 Industries under threat According to our research, manufacturing was the most targeted sector for malicious RDP behaviours, accounting for 20 percent of incidents monitored across nine industries, followed by finance and retail. Manufacturing also accounted for the highest number of RDP Recon and Suspicious Remote Desktop activities observed. An RDP Recon incident is when several failed attempts to establish an RDP connection are detected, potentially indicating that a threat actor is trying to access a system using different login combinations or is looking to identify active accounts. Conversely, Suspicious Remote Desktop is activated when unusual characteristics are detected following a successful RDP connection, such as an RDP server that is usually logged into using English keyboard inputs, is accessed by someone using a German keyboard. In relation to the size of an organisation experiencing RDP attacks, medium manufacturing firms topped the list with large manufacturing businesses also making the top ten. Medium retailers and medium financial institutions also witnessed high levels of malicious RDP behaviour. As a whole, medium organisations experienced the most RDP detections with 6.9 per 10,000 workloads or devices, small organisations had 6.5, while large businesses had 4.5. There are two factors worth considering when looking at these numbers. First is that the size of the company in relation to the number of employees is not indicative of number of devices. For example, manufacturing has significantly more connected devices than workers. The second is that larger organisations are likely to have greater resources focused on countering cyber threats. Using RDP to attack RDP has been used in many cyberattacks recently, the most notable of which is SamSam. This hacking and extortion scheme affected more than 200 organisations, enabling the perpetrators to amass US$6 million in ransom payments and inflict US$30 million of damage. Through RDP the threat actors were able to carry out privilege escalation, malware infection and execute files without user authorisation or action. State-sponsored actors are also using RDP to commit espionage and sabotage. Take APT40, a threat actor cell identified by FireEye as supporting China’s naval ambitions for modernisation. The group uses RDP to move laterally through the networks of organisations involved in the development and production of naval technologies to steal data, carry out reconnaissance and execute malware. FireEye research also points to a threat actor group using RDP to carrying out clandestine operations on behalf of Iran, called APT39. The group leverages RDP against targets in the Middle East, Europe and the United States to facilitate movement and long-term access to a network to gather information and cause sabotage. Mitigating the risk of RDP attacks While there are significant risks of threat actors maliciously using RDP to gain access to a network, businesses around the world find it invaluable for their day-to-day operations, seeing the benefits far outstripping any danger. Therefore, those continuing to use RDP must look to mitigate these risks. This can be achieved through limiting RDP access to only those that need to use it and employing strong credential and authentication 31
Page 1 and 2: 1 Best Practices for Building A Com
Page 3 and 4: 3 CONTENTS Welcome to This Very Spe
Page 5 and 6: @CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8: 7 7
Page 9 and 10: 9 9
Page 11 and 12: 11 11
Page 13 and 14: 13 Your website could be vulnerable
Page 15 and 16: 15 15
Page 17 and 18: 17 17
Page 19 and 20: 19 19
Page 21 and 22: 21 A further challenge arises from
Page 23 and 24: 23 About the Author Haythem Hammour
Page 25 and 26: 25 Focus on detection Although prev
Page 27 and 28: 27 What’s the Security Misconfigu
Page 29: 29 As more and more businesses begi
Page 33 and 34: 33 How to Know If Someone Is Watchi
Page 35 and 36: 35 you are running in the backgroun
Page 37 and 38: 37 These stats make it clear why sm
Page 39 and 40: 39 · Provide staff especially thos
Page 41 and 42: 41 The current state of insecurity
Page 43 and 44: 43 3. Support heterogeneous network
Page 45 and 46: 45 • Enables troubleshooting of i
Page 47 and 48: 47 It’s not just medical research
Page 49 and 50: 49 Europe Cybersecurity Market Size
Page 51 and 52: 51 Some of the key vendors in the E
Page 53 and 54: 53 Iot Security and Privacy Securit
Page 55 and 56: 55 information such as DNA informat
Page 57 and 58: 57 Lessons Learned Unlike newer pro
Page 59 and 60: 59 Seven Security Predictions For 2
Page 61 and 62: 61 will target state and local vote
Page 63 and 64: 63 7) Attackers Will Find New Vulne
Page 65 and 66: 65 Certification Programs There are
Page 67 and 68: 67 Fraud: A Look Back At 2019 And W
Page 69 and 70: 69 technologies. They’re also col
Page 71 and 72: 71 • A list of valid credentials
Page 73 and 74: 73 Making the Transition The shift
Page 75 and 76: 75 to get a view on the entire IT e
Page 77 and 78: 77 The Decade Ahead for Cybersecuri
Page 79 and 80: 79 About the Author Matthew Gyde is
Page 81 and 82:
81 datacenters before heading out t
Page 83 and 84:
83 About the Author Paul Martini is
Page 85 and 86:
85 85
Page 87 and 88:
87 87
Page 89 and 90:
89 89
Page 91 and 92:
91 91
Page 93 and 94:
93 93
Page 95 and 96:
95 95
Page 97 and 98:
97 97
Page 99 and 100:
99 99
Page 101 and 102:
101 101
Page 103 and 104:
103 You asked, and it’s finally h
Page 105 and 106:
105 TRILLIONS ARE AT STAKE No 1 INT
Page 107 and 108:
107 107
Page 109 and 110:
109 109
Page 111 and 112:
111 111
show all

Cyber Defense eMagazine January 2020 Edition

Create successful ePaper yourself

Delete template?

Save as template?