sbradley, Contributing Writer

Beware the risks of vulnerable VPNs: update, maintain, monitor, and protect

Opinion | 26 Sep 2024 | 7 mins
Identity and Access Management, Network Security, Threat and Vulnerability Management

Virtual private networks need special attention to ensure that they’re not a point of entry for attackers that goes far beyond just regular updating and patching.

[Image: private sign on a vintage black iron gate with a forested estate in the background. Credit: Carsten Medom Madsen / Shutterstock]

We live in a world that is always on and always vulnerable. We need remote access to allow employees to work from anywhere, but that also means that our networks are exposed to everywhere.

If you still provide virtual private network (VPN) technology to your employees and do not include multifactor authentication, you are especially at risk of attack. VPN software is the root point of compromise for many successful attacks for domain takeover and ultimately the insertion of ransomware.

Vulnerabilities can range from those in the VPN client software itself to those in any network-connected appliances that allow for access. Brute forcing, password spraying, and credential stuffing are just some of the methods attackers use when they go after accounts to gain access to your network and steal information.

At a very fundamental level, you can begin to protect and police access to your VPN by ensuring that the software is always up to date, that you are on top of any patches needed, and that you are aware of any zero-days that may have been disclosed for that VPN. And, of course, ensure that you have password strength policies in place with specific recommendations for creating the most secure passwords.

Protecting a VPN: beyond the basics

Once you are up to date and patched, there is much more to be done to keep VPN access secure and the network protected. Start by denying IP connections and authentications from any network, internet asset, or software that anonymizes connections. You want to ensure that you can trace and log connections to specific addresses.

Ensure that you include in your employee policies and guidance a list of connections that are allowed into your network — no user should use services such as TOR (The Onion Router) to gain access to your firm’s network. Set up account lockout policies as well as an appropriate password policy so that long and strong passwords are not only encouraged but mandatory.

Note that while policies to implement increased password complexity should be enabled, password fatigue is real and also needs to be managed. Too many people merely add a letter to a password rather than choosing a better passphrase. Balance the need to change passwords under policy or industry regulations with the guidance that adding multifactor authentication (MFA) is more effective than changing passwords.

When setting up user accounts, even test accounts should have multifactor authentication in place. All managed-service providers and consultants should also have MFA enabled, and it goes without saying that their accounts need to be monitored for activity and use during the engagement period. Once the consulting window is closed, the associated accounts need to close as well.

Auditing and monitoring VPN devices is crucial to security

VPN devices should be audited to ensure that no default passwords are used and that any original passwords are reset. Ensure you audit and review devices that have been set up and confirm that they have been configured properly.

Review any security groups that have been set up to ensure that they are provisioned properly and that their users have access only to those locations, devices, and networks deemed necessary. Set up scheduled or scripted auditing to ensure that groups are configured properly and that those no longer in use are disabled and removed from the network. Any local user on the VPN appliance should be monitored for access.

Ensure that you have signed certificates in use for all SSL VPN connections, which ensures that connections are secure and appropriately protected.

Look out for users making impossible travel moves

Ensure that you have a VPN solution that can monitor for impossible travel situations — if a user logs in from one location at 7 a.m., they shouldn’t be able to log into a server an hour later from a country it would be impossible to reach in the given time. That’s why location tracking is a key security component of any VPN solution.
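The impossible-travel check described above, as an added example that is not code from the article or from any VPN vendor. The log format, the sample sign-ins and the 900 km/h plausibility ceiling are constructed assumptions; real deployments would take the geolocation from the VPN's own sign-in records.

```python
import math
from datetime import datetime

# Constructed sample VPN sign-in log (not real data):
# timestamp, user, latitude, longitude of the geolocated source address.
SAMPLE_LOG = """\
2024-09-26T07:00:00Z,alice,40.7128,-74.0060
2024-09-26T08:00:00Z,alice,51.5074,-0.1278
2024-09-26T07:30:00Z,bob,34.0522,-118.2437
2024-09-26T12:30:00Z,bob,37.7749,-122.4194
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    """Parse the CSV log into (timestamp, user, lat, lon) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, lat, lon = line.split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       user, float(lat), float(lon)))
    return sorted(events)

def impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, required_kmh) for each pair of consecutive sign-ins by the
    same user that would have required travelling faster than max_kmh."""
    last = {}      # user -> (timestamp, lat, lon) of that user's previous sign-in
    alerts = []
    for ts, user, lat, lon in parse_log(text):
        if user in last:
            pts, plat, plon = last[user]
            # floor elapsed time at one second so simultaneous sign-ins from two
            # different places still produce a (huge) finite speed
            hours = max((ts - pts).total_seconds(), 1.0) / 3600
            speed = haversine_km(plat, plon, lat, lon) / hours
            if speed > max_kmh:
                alerts.append((user, round(speed)))
        last[user] = (ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, kmh in impossible_travel(SAMPLE_LOG):
        print(f"ALERT {user}: consecutive sign-ins would need ~{kmh} km/h")
```

In the sample, alice's New York sign-in followed an hour later by one from London is flagged, while bob's Los Angeles to San Francisco move over five hours is not.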

That said, don’t rely on geolocation blocking. For many years this was an easy way to protect a network. You would determine that your employees only logged in from a specific location and block everyone who tried to gain access from elsewhere. Now attackers know how to use and abuse IP locations, and can even infiltrate home routers to obscure where they are, rendering blocking by geolocation ineffective.

Microsoft recently observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multistage backdoor dubbed Tickler; the same group has been conducting password spray activity against thousands of organizations.

“In password spray attacks, threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords,” Microsoft said. “In contrast to brute-force attacks, which target a single account using many passwords, password spray attacks help adversaries maximize their chances for success and minimize the likelihood of automatic account lockouts.”
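Detection logic that separates the two patterns Microsoft describes, as an added example that is not code from the article or from Microsoft. The log format, the addresses (documentation ranges), the ten-minute window and the thresholds are constructed assumptions; the lockout threshold should match whatever your own account lockout policy enforces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not real data):
# timestamp, source IP, account, result.
SAMPLE_AUTH_LOG = """\
2024-09-26T02:00:01Z 203.0.113.7 alice FAIL
2024-09-26T02:00:03Z 203.0.113.7 bob FAIL
2024-09-26T02:00:05Z 203.0.113.7 carol FAIL
2024-09-26T02:00:07Z 203.0.113.7 dave FAIL
2024-09-26T02:00:09Z 203.0.113.7 erin FAIL
2024-09-26T02:01:00Z 198.51.100.9 alice FAIL
2024-09-26T02:01:02Z 198.51.100.9 alice FAIL
2024-09-26T02:01:04Z 198.51.100.9 alice FAIL
2024-09-26T02:01:06Z 198.51.100.9 alice FAIL
2024-09-26T02:01:08Z 198.51.100.9 alice FAIL
2024-09-26T02:05:00Z 192.0.2.20 alice OK
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_ACCOUNTS = 5           # assumed: distinct accounts failing from one source
LOCKOUT_THRESHOLD = 5            # assumed: failures per account that trigger lockout

def parse(text):
    for line in text.strip().splitlines():
        ts, ip, acct, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, acct, result

def classify_sources(text, window=WINDOW):
    """Return {ip: 'spray' | 'brute-force' | 'normal'} for every source with failures.
    Spray: many accounts, each kept below the lockout threshold so no lockout fires.
    Brute force: a single account hit at or above the threshold."""
    buckets = defaultdict(lambda: defaultdict(int))   # (ip, window) -> {acct: fails}
    for ts, ip, acct, result in parse(text):
        if result == "FAIL":
            bucket = int(ts.timestamp() // window.total_seconds())
            buckets[(ip, bucket)][acct] += 1
    verdict = {}
    for (ip, _), per_acct in buckets.items():
        worst = max(per_acct.values())
        if len(per_acct) >= SPRAY_MIN_ACCOUNTS and worst < LOCKOUT_THRESHOLD:
            kind = "spray"
        elif worst >= LOCKOUT_THRESHOLD:
            kind = "brute-force"
        else:
            kind = "normal"
        if verdict.get(ip, "normal") == "normal":   # keep the most severe verdict per IP
            verdict[ip] = kind
    return verdict
```

Note that the spraying source never trips a per-account lockout counter, which is exactly why per-source, cross-account counting is needed to see it.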

Make sure high-risk individuals using VPNs get more protection

For administrators and certain key at-risk individuals such as members of the C-suite or finance department, consider creating an IP allow list to limit VPN access to specific IPs in your network. Assign additional monitoring resources and protections to those individuals in your organization you suspect may be high on hacker target lists.

VPNs, like any business software, need monitoring, patching, and auditing no matter from where they are deployed. It doesn’t hurt to reevaluate your current platforms and consider alternatives such as managed-cloud VPN solutions, bearing in mind that MFA should be mandatory on all accounts.

Microsoft identifies resources that can be used to monitor for such malicious activity in a network and that provide guidance on the use of VPN resources. Should an incident occur, consider re-implementing MFA from scratch so that no previously registered authentication methods remain compromised.

Practice least privilege and ensure that systems are maintained with up-to-date software and endpoint protection. If there is a system in your network that, for whatever business reason, needs to be on outdated software, ensure that you isolate it and that it has no connectivity to the internet, while also limiting its access to key resources.

As Microsoft notes, to protect against password spray attacks, implement the following mitigations:

  • Ensure that insecure, low-complexity passwords are eliminated.
  • Always educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”. The process of alerting the security team to a potential incident in progress should be emphasized. You should have a user attack playbook that is communicated to those users.
  • Ensure that you reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
  • Review your settings on workstations and turn on attack surface reduction rules to help prevent common attack techniques. At a minimum, you should enable the following policies: block executable files from running unless they meet a prevalence, age, or trusted list criterion, and block execution of potentially obfuscated scripts.

Attackers are doing everything they can to make it look like their activity is just normal traffic — take the time and precautions to make it as hard as possible for them to gain a toehold in your network.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
