As enterprises instruct employees to work from home to control the spread of coronavirus, IT security teams are facing an unenviable challenge: securing sprawling and vulnerable networks.
To ensure business continuity and protect their networks from attacks, IT teams are asking remote workers to use a virtual private network (VPN) to access the corporate network. Previously used to support only a fraction of network activity, VPNs are now a major enterprise communication channel. This sudden spike in VPN usage not only causes operational bottlenecks, but can also lead to serious cybersecurity challenges.
VPN servers and their vulnerabilities have always been an attractive target for hackers. Despite an alert from the Cybersecurity and Infrastructure Security Agency (CISA) warning of the continued exploitation of a VPN vulnerability, many VPN servers still remain unpatched. This is because, until now, VPNs have been used mostly by business travelers or people who want to access corporate resources off-hours; VPN traffic held a small share of total traffic to the network, and because of its insignificance, IT security teams often procrastinated on patching VPN servers. Another major reason VPN servers, along with firewalls and routers, are left unpatched is that their patch cycles are slower than those of application servers and desktops.
With the sudden increase in remote work adoption, many enterprises don't have time to patch, test, and deploy VPN services. This has opened up a huge opportunity for hackers.
However, even if enterprises fully patch all their VPN servers, firewalls, and routers, hackers are fast enough to take advantage of short vulnerability windows to get into the network and set up backdoor accounts, especially for high-value targets.
You should patch all your VPN servers, firewalls, and routers as soon as possible. To prevent and detect hackers who exploit zero-day vulnerabilities or short vulnerability windows, do some threat hunting regularly. Threat hunting is the process of exploring your network to see if you have any indicators of hacker activity. Look for activities like outgoing pings from a system in your network; conduct behavioral analytics; seek out any unusual resource accesses or logons; and more. You may sometimes find the trails of hackers who got into your network before the security loophole was sealed.
VPNs are enticing for hackers; if they can get into a network via a VPN connection, they have access to everything on the network. Often, enterprises don't have segmentation or limitations for VPN use because they're used by internal employees and/or third-party vendors. Hackers take advantage of this lack of security to gain access to every resource in the network, scan for other vulnerable machines, breach devices to steal credentials and sensitive data, and perform other harmful activities. Even if the firewall and VPNs are fully patched, they can't help you deal with this particular threat. (But you should still patch them to keep out hackers who leverage vulnerabilities.)
Monitor your VPN usage, especially now while more employees than ever are using it. You can even try setting up a VPN usage dashboard on your security analytics solution to constantly keep an eye on critical parameters, like which user is logging in from where and for how long. Regularly monitor the session activity of each VPN user and look for anomalous VPN usage behaviors. Quickly configure your behavioral analytics solutions to adapt to the remote work model and spot deviations in VPN usage behaviors.
Thorough monitoring like this will not only help resolve your cybersecurity challenges, but also help relieve IT operational bottlenecks. The inferences from this monitoring can help fine-tune your VPN rate limits and connection thresholds, and assist you in optimizing your VPN resources.
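As an added example (not code from the original article or from any vendor product), the per-user checks a VPN usage dashboard would run: each new session is compared with that user's own baseline of source countries, login hours and session lengths. The log format, the user names and all sample values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed VPN session records in an assumed format (not from the article):
# "<ISO login time> user=<name> src_country=<ISO code> duration_min=<minutes>"
BASELINE_LOGS = """\
2020-03-09T08:02:00 user=alice src_country=US duration_min=480
2020-03-10T08:15:00 user=alice src_country=US duration_min=465
2020-03-11T07:58:00 user=alice src_country=US duration_min=490
2020-03-09T09:30:00 user=bob src_country=DE duration_min=120
2020-03-10T09:45:00 user=bob src_country=DE duration_min=95
"""
CURRENT_LOGS = """\
2020-03-16T08:10:00 user=alice src_country=US duration_min=470
2020-03-16T23:40:00 user=alice src_country=RO duration_min=2100
2020-03-16T09:20:00 user=bob src_country=DE duration_min=110
2020-03-16T10:00:00 user=carol src_country=DE duration_min=60
"""
LINE_RE = re.compile(r"(\S+) user=(\S+) src_country=(\S+) duration_min=(\d+)")

def parse(text):
    # One (user, login_time, country, minutes) tuple per well-formed line; others are skipped.
    return [(u, datetime.fromisoformat(ts), cc, int(m)) for ts, u, cc, m in LINE_RE.findall(text)]

def build_profiles(sessions):
    # Per-user baseline: source countries, login hours and session lengths seen so far.
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "durations": []})
    for user, ts, cc, mins in sessions:
        p = profiles[user]
        p["countries"].add(cc); p["hours"].add(ts.hour); p["durations"].append(mins)
    return profiles

def find_anomalies(profiles, sessions, hour_slack=1, duration_factor=3):
    # Each session is judged against its own user's baseline, not a global average.
    findings = []
    for user, ts, cc, mins in sessions:
        p = profiles.get(user)
        if p is None: findings.append((user, "no baseline for this user")); continue
        reasons = []
        if cc not in p["countries"]:
            reasons.append(f"new source country {cc}")
        if min(abs(ts.hour - h) for h in p["hours"]) > hour_slack:
            reasons.append(f"unusual login hour {ts.hour:02d}")
        if mins > duration_factor * median(p["durations"]):
            reasons.append(f"{mins} min session exceeds baseline")
        if reasons:
            findings.append((user, "; ".join(reasons)))
    return findings
```

With the sample data, only alice's late-night session from a new country (and carol, who has no history yet) is reported; a user with no baseline is worth a look during a sudden shift to remote work, since new VPN accounts are exactly what an intruder would create.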
It's easy to exhaust resources on VPNs and associated firewalls, even with a low-volume distributed denial of service (DDoS) attack. Attackers can send a small number of Transmission Control Protocol (TCP) packets with the SYN flag set, another batch of TCP packets with the ACK flag, another set with the URG flag, and so on, overwhelming your network firewalls until they can no longer handle any new connections. These DDoS attacks are difficult to detect because they don't trigger the volume threshold set for VPN connections.
Additionally, Secure Sockets Layer (SSL) VPNs are vulnerable to SSL flood attacks just like your web servers; in this type of attack, the attackers try to exhaust the VPN server resources using a high volume of SSL handshake requests.
Monitoring VPN connections on different devices and tuning thresholds accurately to capture abnormal activity are key to mitigating these types of attacks. However, tuning thresholds and rate limiting can be tricky. To get the right threshold, it's imperative that you understand your normal VPN traffic in terms of both the volume and the number of connections expected. In a normal scenario, gauging these parameters can easily be done with the help of a traditional security information and event management (SIEM) tool. However, with the overwhelming number of employees accessing VPNs at this time, you need a behavioral analytics solution that can study the change in the number of connections and volume, as well as the usage pattern, adapt to it, and accurately report on the anomalies.
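The threshold problem described above, as an added example that is not part of the original article: a static mean-plus-three-sigma threshold trained on pre-remote-work traffic flags every minute of the new normal, a threshold re-trained on the remote-work week catches only the handshake burst, and a rolling baseline keeps adapting without letting the burst raise its own bar. All per-minute counts are constructed for the example.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed per-minute counts of new VPN connection attempts (not from the article).
OFFICE_WEEK = [40, 42, 39, 41, 43, 40, 38, 44, 41, 42]            # staff mostly on-site
REMOTE_WEEK = [210, 225, 198, 240, 215, 230, 205, 220, 235, 212]  # staff mostly remote
TODAY = [220, 230, 3100, 225, 215]                                # minute 2: handshake burst

def static_threshold(baseline, k=3.0):
    # Fixed threshold from a training window: mean plus k standard deviations.
    return mean(baseline) + k * pstdev(baseline)

def flag_static(counts, threshold):
    # Minutes whose count exceeds a fixed threshold.
    return [i for i, c in enumerate(counts) if c > threshold]

def flag_rolling(counts, seed, window=10, k=3.0):
    # Threshold recomputed from the last `window` minutes judged normal. Flagged
    # minutes are not fed back, so a burst cannot inflate the baseline and hide
    # the minutes that follow it; a legitimate step change must be re-baselined.
    recent = deque(seed[-window:], maxlen=window)
    flagged = []
    for i, c in enumerate(counts):
        if c > static_threshold(recent, k):
            flagged.append(i)
        else:
            recent.append(c)
    return flagged

def compare():
    stale = static_threshold(OFFICE_WEEK)   # about 46 connections per minute
    fresh = static_threshold(REMOTE_WEEK)   # about 257 connections per minute
    return {
        "stale_threshold_flags": flag_static(TODAY, stale),  # every minute: false positives
        "fresh_threshold_flags": flag_static(TODAY, fresh),  # only the burst
        "rolling_flags": flag_rolling(TODAY, REMOTE_WEEK),   # only the burst
    }

if __name__ == "__main__":
    for name, minutes in compare().items():
        print(f"{name}: {minutes}")
```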
Don't let hackers feed on your fear. Stay safe and come out strong on the other side of the tunnel.