Remote Connectivity and VPN

Wiki > Remote Connectivity and VPN
Description Kill Chain Stage
VPN provides an attractive target for potential attackers for two reasons: first, VPN transmits sensitive information over public and shared networks and the extension of the network outside the perimeter makes assets more accessible for attackers. Secondly, a VPN does not have the layers of security found in perimeter defences, yet provides access from outside a perimeter to inside networks.

A VPN will often lack controls such as firewalls, intrusion detection, proxies and other controls that create a barrier from public networks to private and even a barrier for outbound traffic. Attackers therefore often try to find ways of exploiting hardware and software, and will take advantage of misconfigurations and poorly managed implementations.

1
Threat type to monitor
■    Misuse of VPN connections by authorised users

■    Misuse of VPN by unauthorised users

■    VPN connectivity from suspicious sources

Monitoring setup
■    VPN concentrators

■    Active Directory

Events Indicators
■    Increase in failed access requests

■    Requests from connections from unknown or suspicious external IP addresses

■    Connection attempts from suspicious geographical locations

■    User logged into AD from office and then requests for VPN connectivity within a short duration without logging off

■    Data harvesting

Rules
■    A VPN connection is followed by another VPN connection from the same user within 20 minutes but without a disconnection in between

■    Multiple failed VPN connection from the same or different IP addresses

■    Successful VPN requests from suspicious geographical regions or IP addresses

■    Multiple VPN requests from different users and multiple geographic locations

■    Multiple VPN requests from the same user but multiple geographical locations

■    Session bandwidth crossing the defined utilisation threshold

■    Failed and successful VPN requests from well-known suspicious addresses

Category: