How just-in-time VPN access might have helped in the case of the APT10 attacks
Just in case you missed it — I did a blog post for AWS using an AWS IoT Button to open up network access to a VPN. Sometimes people say, well you can get through a firewall with tricky packet manipulations, so firewalls are useless.
Well, you can only use those tricky packet manipulations on an OPEN port! A closed port is still a closed port. No network communications can occur on that port. A closed port can also expose questionable activity. So I am still a big fan of basic firewall rules as part of an overall security architecture.
I have been called “obsessed” with network traffic since my first breach, where the network admins at a large hosting company told me “not to worry about it,” and that you don’t need outbound firewall rules… Everyone who understands network security uses outbound firewall rules now, but back then hardly anyone did, and I couldn’t understand why. That’s the point where your data is leaving your network! It is also useful for making an attacker’s job a bit harder when pivoting through a network. More importantly, I used network traffic to prove that attackers had compromised my system.
Network traffic is one of the best ways to help you spot a compromise. Malware can turn off host-based protections and host-based firewalls. Malware can cause standard host-based administrative tools to lie to you. More on that later and how to overcome that scenario. But I like to say, “The network doesn’t lie.” The source and destination addresses need to be accurate to get packets where they need to go. The payload needs to be accurate to serve its purpose. Of course, attackers will try to obfuscate the packet contents, and hide the payload with encryption, and proxy traffic through different sources, but a strategically designed network can help you spot clues in network traffic that something is going wrong more easily. I spoke about this in a presentation about cloud network security at my Seattle AWS Meetup and an AWS Community Day Event.

Let’s see how the just-in-time VPN access solution could help, using a real-world scenario. A recent rash of attacks is coming from APT10 in China, as reported by Wired and others. For those not familiar with the term, APT stands for “Advanced Persistent Threat.” There are many articles online about that topic, but the gist is that attacker organizations all over the world are trying to get at your data. These groups are analyzed by various security companies, which follow their tactics, activities, and the breaches resulting from their actions.
As reported in the Wired article, the attackers would get into MSPs (Managed Security Providers) using various techniques and then “Using those privileges, they would initiate what’s known as Remote Desktop Protocol connections with other MSP computers and client networks.” An MSP is a company that provides security services to another company, such as setting up networks, patching systems, and monitoring network traffic.
OK, let’s apply our just-in-time VPN access to this scenario. If our RDP access is set up behind a VPN, the attackers would first need to break into the VPN endpoint to get access to RDP, so this adds to our defense in depth. But it doesn’t solve the problem. In this case, the attackers were actually on the administrators’ machines via malware called REDLEAVES and PLUGX.
Well, if the administrator has to click a button to get into the VPN, the attackers don’t have access to this button just by getting that malware onto the administrator’s computer. The attacker could still potentially get into the VPN, but it would have to be during the timeframe when the administrator opened the VPN network. If the attacker tried to access the VPN after the administrator double-clicked the button, the firewall rules would block them.
Would this have stopped the attack? Maybe not. Perhaps the attacker could be taking crafty actions at the same time the administrator was using remote access services, but it would hopefully be more difficult to go unnoticed by the administrator.
Additionally, if the administrator locked down the network to access the VPN, other clues might be present to indicate something nefarious is happening. When the administrator double-clicks the button to set the firewall rule to deny access to the VPN endpoint, the logs might show the attackers making access attempts and getting blocked. This suspicious traffic showing blocked traffic originating from a known administrator’s machine could lead to an investigation to determine if there is a misconfiguration, human error, or malware.
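To make the mechanism concrete, here is an added toy model of the just-in-time rule described above. It is example code written for this post, not the original AWS IoT Button solution and not anything from the post itself: a default-deny rule set gains an allow entry for the administrator's source address when the button is clicked once, loses it when the button is double-clicked, and every connection attempt is logged with its decision. A small detector then pulls out exactly the clue the paragraph above describes: blocked attempts that come from a host the administrator is known to use. The VPN port, the addresses and the timeline are constructed for the example.

```python
"""Toy model of just-in-time VPN access (added example, not the post's code).

Single click  -> open_access()  adds an allow rule for one source address.
Double click  -> close_access() removes it again.
Every attempt is logged, and blocked attempts from a known administrator
host are surfaced for investigation.  Port, addresses and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

VPN_PORT = 1194  # assumed VPN endpoint port, constructed for this example


@dataclass
class AccessWindow:
    """A time window during which one source address may reach the VPN port."""
    source: str
    opened_at: datetime
    closed_at: Optional[datetime] = None

    def is_open_at(self, when: datetime) -> bool:
        return self.opened_at <= when and (self.closed_at is None or when < self.closed_at)


@dataclass
class JitFirewall:
    """Default-deny rule set whose only allow entries are administrator-opened windows."""
    windows: Dict[str, AccessWindow] = field(default_factory=dict)
    log: List[dict] = field(default_factory=list)

    def open_access(self, source: str, when: datetime) -> None:
        # The single click: add an allow rule for this source.
        self.windows[source] = AccessWindow(source, when)

    def close_access(self, source: str, when: datetime) -> None:
        # The double click: remove the allow rule again.
        window = self.windows.get(source)
        if window is not None and window.closed_at is None:
            window.closed_at = when

    def evaluate(self, source: str, dst_port: int, when: datetime) -> str:
        """Decide one connection attempt, record it, and return 'ALLOW' or 'DENY'."""
        window = self.windows.get(source)
        allowed = dst_port == VPN_PORT and window is not None and window.is_open_at(when)
        action = "ALLOW" if allowed else "DENY"
        self.log.append({"time": when, "src": source, "dport": dst_port, "action": action})
        return action


def find_suspicious_denies(log: List[dict], admin_hosts: Set[str]) -> List[dict]:
    """Blocked attempts from a host the administrator is known to use.

    A closed window should see no traffic from that host at all, so a deny
    here points at misconfiguration, human error, or malware on the machine."""
    return [e for e in log if e["action"] == "DENY" and e["src"] in admin_hosts]


def run_scenario() -> dict:
    """Constructed timeline: the admin opens the window, works, closes it; later
    attempts from the same (compromised) admin workstation are blocked and flagged."""
    fw = JitFirewall()
    admin = "203.0.113.10"     # constructed administrator workstation address
    stranger = "198.51.100.7"  # constructed unrelated address

    def at(hour: int, minute: int) -> datetime:
        return datetime(2019, 1, 15, hour, minute)

    fw.open_access(admin, at(9, 0))
    fw.evaluate(admin, VPN_PORT, at(9, 1))      # admin's own session: allowed
    fw.evaluate(stranger, VPN_PORT, at(9, 5))   # never opened for this source: denied
    fw.close_access(admin, at(9, 30))
    fw.evaluate(admin, VPN_PORT, at(9, 45))     # window closed: denied, and suspicious
    fw.evaluate(admin, VPN_PORT, at(10, 15))    # repeated attempt: denied, and suspicious

    suspicious = find_suspicious_denies(fw.log, {admin})
    return {
        "allowed": sum(1 for e in fw.log if e["action"] == "ALLOW"),
        "denied": sum(1 for e in fw.log if e["action"] == "DENY"),
        "suspicious": [e["time"].strftime("%H:%M") for e in suspicious],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The stranger's blocked attempt is ordinary background noise on any internet-facing endpoint; the two later denies stand out precisely because they come from the administrator's own address while the administrator had closed the window, which is the signal worth routing to an investigation.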
If your network is wide open, with no segregation and no monitoring, you won’t be able to spot these attacks as easily. Not to mention you’ve made an APT’s job much easier!
Teri Radichel | © 2nd Sight Lab 2019