Remote Connectivity and VPN
| Description | Kill Chain Stage | |
| VPN provides an attractive target for potential attackers for two reasons: first, VPN transmits sensitive information over public and shared networks and the extension of the network outside the perimeter makes assets more accessible for attackers. Secondly, a VPN does not have the layers of security found in perimeter defences, yet provides access from outside a perimeter to inside networks.
A VPN will often lack controls such as firewalls, intrusion detection, proxies and other controls that create a barrier from public networks to private and even a barrier for outbound traffic. Attackers therefore often try to find ways of exploiting hardware and software, and will take advantage of misconfigurations and poorly managed implementations. |
|
|
| Threat type to monitor | ||
| ■ Misuse of VPN connections by authorised users
■ Misuse of VPN by unauthorised users ■ VPN connectivity from suspicious sources |
||
| Monitoring setup | ||
| ■ VPN concentrators
■ Active Directory |
||
| Events Indicators | ||
| ■ Increase in failed access requests
■ Requests from connections from unknown or suspicious external IP addresses ■ Connection attempts from suspicious geographical locations ■ User logged into AD from office and then requests for VPN connectivity within a short duration without logging off ■ Data harvesting |
||
| Rules | ||
| ■ A VPN connection is followed by another VPN connection from the same user within 20 minutes but without a disconnection in between
■ Multiple failed VPN connection from the same or different IP addresses ■ Successful VPN requests from suspicious geographical regions or IP addresses ■ Multiple VPN requests from different users and multiple geographic locations ■ Multiple VPN requests from the same user but multiple geographical locations ■ Session bandwidth crossing the defined utilisation threshold ■ Failed and successful VPN requests from well-known suspicious addresses |
||