And yet organizations are doing so in droves, often with an implementation as simple as opening TCP port 3389 so that Microsoft’s built-in Remote Desktop Services can function. According to cyber insurer Coalition’s Cyber Insurance Claims Report, the number of organizations with RDP enabled when they applied for cyber insurance nearly doubled when comparing the first half of 2020 to the same period in 2021.
And it makes sense to see so much remote access enabled today; organizations need to provide a way for their remote workforce to continue to be productive when working outside the office. You likely use remote access also as a means to logically move within the business network, enabling IT teams to support all of the locations remotely.
But, just as you see remote access as a means of elevating the productivity of a remote workforce, the reality is that cybercriminal groups are keenly aware of this. They have found plenty of ways to take advantage of the very same benefits you now enjoy from having remote access enabled within the company.
In this blog, I want to look at exactly how forms of remote access (including Microsoft’s Remote Desktop Connection and even a dash of built-in tools that allow a threat actor to work entirely remotely without ever reaching the desktop of the compromised machine) are used within cyberattacks, and discuss what steps you can take to mitigate the risk that remote access creates.
I want first to mention that despite often having differing names, such as data theft, ransomware, and malware attacks, cyberattacks tend now to use the same tactics, techniques, and procedures, with the difference being the final action that defines the specific cybercrime. So, as you read through this article and you see, say, a stat about ransomware attacks, I want you to think of ALL cyberattacks.
So let’s start by looking at how Remote Access is used in cyberattacks today.
1. Initial Access
Threat actors need to gain access to your environment somehow, and, generally speaking, there are only a few options available: exploiting a vulnerability, phishing/social engineering, and remote access.
Compromised remote access and phishing tend to vie for the top spot as the most used initial attack vector in ransomware attacks (remote access being defined as Technique T1133 in MITRE’s ATT&CK Framework). As of Q4 2021 they were tied, according to ransomware response vendor Coveware’s Q4 2021 Quarterly Ransomware Report, and they were the initial attack vector in 61% of ransomware claims reported by cyber insurer Hiscox. Brute force guessing of passwords (a common tactic used in conjunction with remote access) was present in 78% of all ransomware attacks. In many cases, cyber attackers may have purchased user credentials on the dark web for an average of just $3 (along with the IP address to access the RDP session).
2. Lateral Movement
Once logically inside your network, and after the compromised endpoint has been reconfigured to facilitate persistence and act as the threat actor’s foothold, it’s necessary to move within your network. It’s assumed that OS credential dumping is used to gather elevated credentials, which are then used via remote services (such as remotely running PowerShell sessions) or by remotely connecting to the Remote Desktop Services running on other internal endpoints and servers. In fact, according to Coveware, the use of Remote Services (MITRE Technique T1021) is seen in 39% of all ransomware attacks.
3. Command and Control
Once threat actors have access to the systems that give them entry to the data, applications, and services that aid their overarching cybercrime goals, they need easy access to a given set of systems. In many cases, threat actors use third-party Remote Access Software (which usually runs over TCP port 80, because that port is rarely blocked for inbound or outbound traffic). According to Coveware, 63% of ransomware attacks perform Command and Control actions using Remote Access Software (MITRE Technique T1219).
Doing Something About Your Remote Access Problem
It’s evident from the industry data mentioned above that leaving any kind of built-in remote access enabled only helps the bad guys. It’s equally apparent that your organization isn’t just going to stop allowing the remote access that its employees currently enjoy. So, you’ve got to do something that balances the organization’s remote productivity and cybersecurity needs.
There are a few steps you can take.
- Stop Using Built-in Remote Desktop Software – regardless of what OS your endpoints are using, threat actors are all too familiar with these products (more than even your internal IT and Security teams!). And they know how to abuse a remote connection to their advantage.
- No More Internet Access to Remote Desktop Software – You can use this in conjunction with step 1 above or on its own. The biggest reason for this step is that threat actors know how to scan the web for your Internet-facing remote access services (and changing the default port has zero impact on whether your remote desktop service is found).
- Consider Third-Party Remote Access Software – Unlike OS vendors that include some default remote access capabilities, third-party remote access software vendors have spent material amounts of time ensuring their product is secure. It can integrate additional security layers, which brings me to my next step…
- Use Multi-Factor Authentication (MFA) – however you choose to make systems accessible across the Internet, don’t simply rely on a username/password combination. Some great MFA solutions integrate with remote access products to ensure only the owner of a credential can utilize it, keeping threat actors from logging on even with a valid credential.
- Consider Zero Trust – This is a whole string of articles on its own, but zero trust is the concept of “never trust, always verify.” Should you go down the path of zero trust in your firm, each remote access request would be scrutinized to make sure aspects of the request (e.g., the remote IP used, the time of day, the day of the week, the system being accessed, and the credential being used) aren’t out of the ordinary; should they be found to be suspicious, the request for remote access is denied.
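To make the last two steps concrete, here is an added example (not code from the original post or from any product) of the kind of per-request check a zero trust gateway performs on a remote access request: it verifies MFA and compares the source IP, hour, weekday, target system and credential against a baseline of ordinary access. The baseline, account names and addresses are constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed per-credential baseline of what "ordinary" access looks like
# (assumed data, not from any real environment): usual source networks,
# working hours as [start, end) in 24h local time, weekdays (0 = Monday)
# and the systems each account normally reaches.
BASELINE = {
    "alice": {
        "networks": ["203.0.113.0/24"],   # corporate VPN egress (constructed)
        "hours": (7, 19),
        "days": {0, 1, 2, 3, 4},
        "systems": {"FS01", "APP02"},
    },
    "svc-backup": {
        "networks": ["10.20.0.0/16"],
        "hours": (0, 24),
        "days": {0, 1, 2, 3, 4, 5, 6},
        "systems": {"BKP01"},
    },
}

def evaluate(user, source_ip, system, when_iso, mfa_passed, baseline=BASELINE):
    """Return (allowed, reasons). Any reason at all denies the request:
    this is 'never trust, always verify', not a score that can be outvoted."""
    profile = baseline.get(user)
    if profile is None:
        return False, ["credential has no access profile"]
    reasons = []
    if not mfa_passed:
        reasons.append("MFA not satisfied")
    ip = ip_address(source_ip)
    if not any(ip in ip_network(net) for net in profile["networks"]):
        reasons.append(f"source {source_ip} outside usual networks")
    when = datetime.fromisoformat(when_iso)
    start, end = profile["hours"]
    if not start <= when.hour < end:
        reasons.append(f"hour {when.hour:02d} outside usual window {start:02d}-{end:02d}")
    if when.weekday() not in profile["days"]:
        reasons.append(f"weekday {when.weekday()} is not a usual access day")
    if system not in profile["systems"]:
        reasons.append(f"target {system} not among usual systems")
    return not reasons, reasons

if __name__ == "__main__":
    # Constructed requests: an ordinary one, and one that is wrong on every axis.
    for req in [("alice", "203.0.113.10", "FS01", "2021-03-10T10:00", True),
                ("alice", "198.51.100.5", "DC01", "2021-03-14T03:00", True)]:
        print(req[0], "->", evaluate(*req))
```

Every denial carries the list of anomalies that triggered it, which is what an analyst needs when reviewing why a valid credential (possibly one bought for $3) was refused.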
Minimizing the Risk. Maximizing the Access.
Keeping the workforce operating is paramount, but cyber attackers use the same tools and solutions. Because of the remote nature of your hybrid workforce today, it is necessary to look at how your current remote access strategy actually enables threat actors and, therefore, adds to your cyber risk – and take steps to reduce that risk.
By looking at your current remote access strategy through the lens of how it’s used today in cyberattacks, you’ll begin to think about precisely where you’re aiding cyberattacks, as well as identifying what parts of your strategy would need to be better secured.
Whether the answer lies in replacing your current remote access solution or simply putting additional security layers in place, you must assess where your remote access increases your risk. Extra security layers ensure that threat actors need more than just the access itself to begin the work of breaking into your environment; take the appropriate steps to thwart cyberattacks while keeping your remote workforce working.