RDP is a proprietary protocol developed by Microsoft that allows users to connect remotely to another computer over a network. It facilitates remote access, making it convenient for system administrators, IT support teams, and even regular users to manage and troubleshoot computers from a distance. However, this very convenience has become a double-edged sword.
Recent reports highlight the severity of the RDP problem:
Sophos Incident Response Cases (2023): In a study analyzing over 150 incident response cases from 2023, Sophos found that RDP was implicated in 90% of cyberattacks. This percentage has never been higher since tracking began in 2020. Cybercriminals exploit RDP to gain initial access to target endpoints, making it a preferred entry point.
Initial Access Point: In 65% of the cases studied, RDP served as the gateway for attackers to infiltrate networks. Once inside, they would move laterally, install malware, disable endpoint protection tools, and establish remote access.
Repeat Offender: In a chilling example, an attacker successfully compromised a victim four times within six months by exploiting exposed RDP ports. Each breach allowed the attacker to wreak havoc anew.
Several factors contribute to RDP’s vulnerability:
Exposed Ports: Organizations often leave RDP ports exposed to the internet, making them easy targets. Attackers scan for open ports and exploit weak credentials or known vulnerabilities.
Credential Stuffing: Attackers use automated tools to test common usernames and passwords. If an RDP server has weak credentials, it becomes a prime target.
Lateral Movement: Once inside a network, attackers escalate privileges and move laterally. RDP provides an ideal pathway for this lateral movement.
To mitigate the risks associated with RDP, consider the following measures:
Network Segmentation: Isolate critical systems from RDP exposure. Limit access to only authorized users and devices.
Strong Authentication: Implement multi-factor authentication (MFA) to fortify RDP logins. This adds an extra layer of security beyond passwords.
Regular Audits: Regularly audit RDP configurations and close unnecessary ports. Patch vulnerabilities promptly.
VPN or Secure Gateway: Use a virtual private network (VPN) or a secure gateway to funnel RDP traffic. This reduces direct exposure to the internet.
Logging and Monitoring: Monitor RDP activity for suspicious behavior. Set up alerts for failed login attempts and unusual patterns.
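One way to turn the "alert on failed login attempts" advice into detection logic, as an added example that is not part of the original article: it assumes Windows Security events have been exported as JSON lines with the fields shown (a constructed format), and flags any source address that fails RDP logons repeatedly in a short window, noting whether a success from the same address followed.

```python
"""Flag RDP credential-stuffing in exported Windows Security log records.
Added example, not from the article; the JSON-lines export format and the
sample records below are constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID 4625 = failed logon, 4624 = successful logon; LogonType 10 =
# RemoteInteractive, i.e. an RDP session. Sample records are constructed.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T02:00:07", "event_id": 4625, "logon_type": 10, "user": "svc_sql", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T02:00:30", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T09:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.12"}
"""

def parse(text):
    """Parse JSON lines into records sorted by timestamp."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(recs, key=lambda r: r["ts"])

def rdp_bruteforce_alerts(records, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP with >= threshold failed RDP logons inside
    `window`, listing the usernames tried and whether the same IP later
    logged on successfully (a sign the stuffing worked)."""
    fails = defaultdict(list)
    for r in records:
        if r["event_id"] == 4625 and r["logon_type"] == 10:
            fails[r["src_ip"]].append(r)
    alerts = {}
    for ip, evs in fails.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold and ip not in alerts:
                last = evs[end]["ts"]
                success = any(r["event_id"] == 4624 and r["logon_type"] == 10
                              and r["src_ip"] == ip and r["ts"] >= last
                              for r in records)
                alerts[ip] = {"failures": end - start + 1,
                              "users": sorted({e["user"] for e in evs[start:end + 1]}),
                              "success_after": success}
    return alerts
```

Running `rdp_bruteforce_alerts(parse(SAMPLE_LOG))` on the sample reports only 203.0.113.5, with five usernames tried and a later successful logon from the same address; the single failure from 10.0.0.12 stays below the threshold.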
The FBI, CISA, and the Australian Cyber Security Centre (ACSC) have all issued warnings about RDP risks. Businesses must take heed and adopt a proactive stance. Secure your RDP services, educate employees, and stay informed about emerging threats.
Remember, in the battle against cyber adversaries, prevention is the best defense. Let’s fortify our digital ramparts and keep our organizations safe from the relentless tide of RDP attacks.
The National Security Agency (NSA) has rolled out a comprehensive roadmap to strengthen internal network security. Stepping away from the traditional trust-all model, the focus is on embracing a cutting-edge zero-trust framework. This transformative approach assumes the presence of potential threats, urging organisations to implement stringent controls for resource access. In simpler terms, it's like upgrading your home security system from assuming everyone is trustworthy to actively verifying each visitor's credentials. The NSA's recent guidance delves into the nitty-gritty of fortifying the network and environment components, offering practical steps that even non-tech enthusiasts can understand. Let's break down these game-changing strategies and explore how they can revolutionise cybersecurity for everyone.
Unlike traditional models, the zero-trust architecture operates under the assumption that a threat could already exist, necessitating stringent controls for resource access both inside and outside the network perimeter. To gradually advance zero-trust maturity, the NSA emphasises addressing various components, or pillars, vulnerable to exploitation by threat actors.
The recent guidance from the NSA zeroes in on the network and environment component, encompassing hardware, software assets, non-person entities, and communication protocols. This involves intricate measures such as data flow mapping, macro and micro segmentation, and software-defined networking (SDN).
Data flow mapping starts with identifying where and how data is stored and processed. Advanced maturity is achieved when organisations possess a comprehensive inventory, ensuring visibility and mitigation of all potential routes for breaches. Macro segmentation involves creating distinct network areas for different departments, limiting lateral movement. For instance, an accounting department employee doesn't require access to the human resources segment, minimising the potential attack surface.
Micro segmentation takes security a step further by breaking down network management into smaller components, implementing strict access policies to restrict lateral data flows. According to the NSA, "micro segmentation involves isolating users, applications, or workflows into individual network segments to further reduce the attack surface and limit the impact should a breach occur."
To enhance control over micro segmentation, the NSA recommends employing SDN components, offering customizable security monitoring and alerting. SDN enables centralised control of packet routing, providing better network visibility and allowing the enforcement of policies across all segments.
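The data flow mapping and macro segmentation described above, as an added example that is not part of the NSA guidance: it assumes a segment inventory, an allow-list of permitted cross-segment flows and a set of observed flow records (all constructed here) and reports every flow that crosses a segment boundary without a policy entry, including flows from addresses missing from the inventory.

```python
"""Audit observed flows against a macro-segmentation policy. Added example,
not from the NSA guidance; segments, allow-list and flows are constructed."""
import ipaddress
# Constructed segment inventory: which address range belongs to which area.
SEGMENTS = {
    "accounting": ipaddress.ip_network("10.10.0.0/24"),
    "hr": ipaddress.ip_network("10.20.0.0/24"),
    "erp": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Allowed cross-segment flows as (source segment, destination segment, port).
# Anything else crossing a boundary is a violation; intra-segment traffic passes.
POLICY = {
    ("accounting", "erp", 443),
    ("hr", "erp", 443),
    ("mgmt", "accounting", 3389),
    ("mgmt", "hr", 3389),
    ("mgmt", "erp", 3389),
}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.10.0.15", "10.30.0.5", 443),   # accounting -> erp over HTTPS: allowed
    ("10.10.0.15", "10.20.0.7", 445),   # accounting -> hr over SMB: violation
    ("10.99.0.2", "10.20.0.7", 3389),   # mgmt -> hr RDP: allowed
    ("10.20.0.7", "10.10.0.15", 3389),  # hr -> accounting RDP: violation
    ("10.10.0.15", "10.10.0.16", 445),  # inside accounting: allowed
    ("192.0.2.9", "10.30.0.5", 443),    # source not in inventory: violation
]

def segment_of(ip):
    """Map an address to its segment; None means a gap in the inventory."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(flows, policy=POLICY):
    """Return (src, src_seg, dst, dst_seg, port) for every flow that crosses a
    segment boundary without an allow-list entry."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is not None and s == d:
            continue  # lateral traffic inside one segment is out of scope here
        if (s, d, port) not in policy:
            violations.append((src, s, dst, d, port))
    return violations
```

The `None` segment in the last violation is the inventory gap the guidance's "comprehensive inventory" maturity step is meant to close.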
The NSA categorises each of these components into four maturity levels, ranging from preparation to an advanced phase where extensive controls and management systems are in place, ensuring optimal visibility and growth of the network.
While constructing a zero-trust environment is a complex endeavour, the result is an enterprise architecture that can withstand, detect, and respond to potential threats exploiting weaknesses. The NSA initially introduced the zero-trust framework guide in February 2021, highlighting its principles and advantages. In April 2023, they released guidance on advancing zero-trust maturity in the user component.
By adopting these strategic measures, organisations can significantly enhance their resilience against cybersecurity threats. The principles of zero-trust not only provide a robust defence mechanism but also empower organisations with the tools to proactively address multiplying cyber challenges.
Traditional firewalls focus on monitoring traffic via IP addresses and port numbers. They are designed to block or allow traffic based on these parameters. However, they stumble when it comes to deeply examining packet contents to pinpoint specific applications or services. This shortcoming blurs the line between safe and harmful traffic, particularly as encryption becomes the norm in modern communication.
For example, a traditional firewall may allow traffic from a trusted IP address, but it cannot determine if the traffic contains malicious content. Similarly, it may block traffic from an untrusted IP address, but it cannot determine if the traffic is actually harmless. This lack of visibility into the contents of network traffic leaves your network vulnerable to attacks.
To address these limitations, next-generation firewalls (NGFWs) have been developed. NGFWs go beyond traditional firewalls by incorporating additional security features such as deep packet inspection, intrusion prevention, and application awareness.
Deep packet inspection allows NGFWs to examine the contents of network traffic in real-time. This enables them to identify and block malicious content, even if it is coming from a trusted IP address. Intrusion prevention systems (IPS) provide an additional layer of protection by detecting and preventing known vulnerabilities and exploits.
Application awareness allows NGFWs to identify and control specific applications or services, regardless of the port or protocol used. This provides greater visibility and control over network traffic, allowing you to block or allow traffic based on the application or service rather than just the IP address or port number.
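The difference between port-based and application-aware classification, as an added example that is not from the original article: the fingerprints are deliberately simplified (first bytes of SSH, TLS ClientHello, RDP connection request and HTTP) and the packets are constructed, showing where the two classifications disagree.

```python
"""Port-based versus payload-based application identification: the gap the
article describes between traditional firewalls and NGFWs. Added example;
the fingerprints are simplified and the packets below are constructed."""

PORT_TABLE = {22: "ssh", 80: "http", 443: "tls", 3389: "rdp"}

def classify_by_port(dst_port):
    """All a traditional firewall has to go on: the destination port."""
    return PORT_TABLE.get(dst_port, "unknown")

def classify_by_payload(payload):
    """Identify the application from the first bytes of the flow."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version 0x03 0x01..0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3, 4) and payload[5] == 0x01):
        return "tls"
    # RDP: TPKT header (version 3) carrying an X.224 Connection Request (0xE0).
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "rdp"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS") and b" HTTP/1." in payload:
        return "http"
    return "unknown"

def app_aware_decision(payload, allowed_apps):
    """NGFW-style rule: allow by identified application, whatever the port."""
    app = classify_by_payload(payload)
    return app, app in allowed_apps

# Constructed packets: (dst_port, first bytes of the client's payload).
PACKETS = [
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 8),  # genuine TLS
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                                    # SSH on port 443
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # HTTP on an odd port
    (443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"),  # RDP on 443
]

def compare(packets):
    """Side by side: what port-based and payload-based classification say."""
    return [(port, classify_by_port(port), classify_by_payload(p)) for port, p in packets]
```

A real NGFW also has to handle TLS-wrapped applications, which this first-bytes check cannot see inside; that is why the article pairs application awareness with deep packet inspection.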
Traditional firewalls are no longer adequate for protecting your network against modern cyber threats. Next-generation firewalls provide greater visibility and control over network traffic, allowing you to better protect your network against attacks. If you’re still relying on a traditional firewall for your network security, it may be time to consider upgrading to a next-generation firewall.
Threat actors can be hindered when small changes are made to a network that make their campaigns more troublesome. The suggestion comes from recent research by infosec experts at the NSA (National Security Agency), Fastly, and Johns Hopkins University. The paper, titled "Sludge for Good: Slowing and Imposing Costs on Cyber Attackers", describes small security measures and network conditions that create technical red tape and can plausibly slow down the data collection and exfiltration process.
"Three events over the past three years have illustrated actions consistent with slowing cyber attackers using sludge: defense of the 2020 U.S. elections, counter-ransomware efforts, and responses to Russia’s invasion of Ukraine. In this section, we describe how these examples demonstrate and achieve sludge-like impacts. Sludge was not inevitable for any of these events. The cybersecurity community in the public and private sectors could have exclusively pursued zero tolerance and complete elimination of the problems using technical and non-technical solutions. Instead, these examples offer support that slowing the adversary was a component of the strategy."
The concept of sludge became popular in 2021 through a book by legal scholar Cass Sunstein. The idea, according to the authors, is not to block an attack outright but to place enough obstacles and inconveniences in the way that anyone attempting to attack the network wastes their time.
To date, most cyber defenses have been designed to be as effective and robust as possible, removing or stopping threat actors as quickly as they can. The researchers lay out an approach in which defenses are deployed to consume more of the attacker's time and resources while causing as little harm as possible to the victim.
In practice, sludge can take the form of anything from honeypot machines to login banners and fake databases: anything that wastes the time and resources of a potential attacker and keeps a network from being compromised. Some of the proposed techniques are multiple verification requirements, compulsory acknowledgments, and the use of cloud instances to build temporary infrastructure that attackers cannot rely on for persistent access.
The researchers acknowledged that these measures will also add friction for users who want genuine access. However, they noted that administrators can apply adjustments or workarounds that help legitimate users while still inconveniencing attackers.
Defenders typically aim to reduce their own recovery times, failure rates, and lead times. Attackers measure their campaigns by the same metrics, and sludge can be used to tactically push those metrics in the wrong direction for them.