The Covid-19 pandemic has dramatically changed the working landscape by sending entire workforces home to work remotely. Of course, the concept of remote access is not new; it has been an accepted fact of life for some decades, and many organizations had already introduced remote working in some capacity. Furthermore, dependency on the corporate network and the assets behind it had already been reduced by cloud computing and Software-as-a-Service (SaaS) applications such as Salesforce.com and Microsoft Office 365. That said, the typical CIO could still rely on the fact that the bulk of enterprise IT activity was occurring within buildings belonging to their organization.
Now that has all changed. The Covid-19 pandemic has brought social distancing measures that have made all non-essential workforces remote. Video calls have replaced meetings, work breaks, lunch breaks, even after-work drinks. The transition has been easier for workforces already geared to remote work, but most employees are still finding their feet in this brave new world. Behind the scenes, however, the process is complicated. Many services still run from a data center or infrastructure that the corporation owns, which means that, in most cases, access to them is guarded by some form of VPN infrastructure.
The VPN has always been critical to the IT environment, but the crisis has pushed it to the very center of enterprise operations. Unsurprisingly, commercial vendors of these technologies are rapidly expanding their offerings to keep up with the increased demand from their customers. VPN technologies are mature and widely deployed as security controls, to the extent that any organization a nation-state actor might be interested in can be assumed to already have such infrastructure in place.
Defending against attacks
An unfortunate by-product of the increased reliance on VPNs is that a range of adversaries will seek to exploit these technologies to further their aims, including brute-force attacks on user accounts to gain unauthorized access. There are several other techniques that also need to be countered.
Over the past few years, a number of vulnerabilities in popular implementations such as Citrix Netscaler have been published. For several reasons, the vendor has not always been able to publish a patch quickly once a vulnerability became known, and even when a patch is available the most prepared organizations can face delays in deploying it. Nation-state actors have used such vulnerabilities to gain a foothold on VPN infrastructure and stage successful intrusions of numerous targets. Applying the patch closes the vulnerability but does not evict an attacker who exploited it during the gap between disclosure and patching, and without a robust forensic examination it can be difficult to determine whether the systems were compromised in that window. Patching alone is therefore not sufficient; the examination has to follow.
The education and non-profit sectors often make use of packages such as OpenVPN, which has a robust open-source community behind it, and these packages are also widely used in smaller organizations. NETSCOUT's H2 2019 Threat Intelligence Report captures how a vulnerability in OpenVPN was exploited last year to launch a large number of DDoS attacks against a range of targets. One of the main problems with OpenVPN deployments is that they exist on such a scale that, even when a patch is available, unpatched instances remain for an attacker to use.
Given the escalated importance of the VPN at this time, we at NETSCOUT Arbor expect DDoS attacks against remote access infrastructure to increase. Any fault or erosion in these services could have a severe impact. In some cases the fault is inherent in a design that was poor or rushed. For example, if the VPN concentrator and the public website sit in the same netblock, a volumetric attack on the website can saturate the links that also serve the VPN, cutting off remote access for the very web infrastructure team that needs to make changes to counter the threat.
There are several measures that businesses can put in place to protect against these attacks, for example:
- Constantly and consistently patch and secure the VPN infrastructure
- Put in place two-factor authentication; this applies across all areas of the business but is especially vital for remote access
- Make sure all VPN logs are going to a SIEM and are being correlated with other security monitoring
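Once VPN authentication logs reach a SIEM, the brute-force activity described earlier is one of the first things to correlate on. The following is an added example, not code from the article or from NETSCOUT, showing three simple detections over a constructed, syslog-style auth log: repeated failures against one account from one source (brute force), one source failing against many accounts (password spraying), and a success that immediately follows a run of failures (the login worth investigating first). The log format, hostnames, user names and thresholds are all assumptions; a real appliance's log lines and sensible thresholds will differ.

```python
"""Brute-force, password-spray and success-after-failure detection over VPN auth logs.

Added example (not from the original article). The log format below is a
constructed, syslog-like one; real VPN appliances differ, so LINE_RE and the
thresholds are assumptions to adapt to your own logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: alice is brute-forced from 203.0.113.10 and the last
# attempt succeeds; 198.51.100.7 sprays one attempt across several accounts;
# frank mistypes once from 192.0.2.44 and then logs in normally.
SAMPLE_LOG = """\
2020-04-01T08:00:01Z vpn01 auth: user=alice src=203.0.113.10 result=FAILURE
2020-04-01T08:00:04Z vpn01 auth: user=alice src=203.0.113.10 result=FAILURE
2020-04-01T08:00:07Z vpn01 auth: user=alice src=203.0.113.10 result=FAILURE
2020-04-01T08:00:09Z vpn01 auth: user=alice src=203.0.113.10 result=FAILURE
2020-04-01T08:00:12Z vpn01 auth: user=alice src=203.0.113.10 result=FAILURE
2020-04-01T08:00:15Z vpn01 auth: user=alice src=203.0.113.10 result=SUCCESS
2020-04-01T08:01:00Z vpn01 auth: user=bob src=198.51.100.7 result=FAILURE
2020-04-01T08:01:02Z vpn01 auth: user=carol src=198.51.100.7 result=FAILURE
2020-04-01T08:01:04Z vpn01 auth: user=dave src=198.51.100.7 result=FAILURE
2020-04-01T08:01:06Z vpn01 auth: user=erin src=198.51.100.7 result=FAILURE
2020-04-01T08:30:00Z vpn01 auth: user=frank src=192.0.2.44 result=FAILURE
2020-04-01T08:30:30Z vpn01 auth: user=frank src=192.0.2.44 result=SUCCESS
"""

# Assumed line layout; adjust the pattern for the appliance you actually run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts sorted by timestamp.

    Lines that do not match are skipped; a production pipeline should count
    them, since a silently dropped format change blinds every rule below.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _expire(q, now, window, ts_of=lambda item: item):
    """Drop entries older than `window` from the left of a time-ordered deque."""
    while q and now - ts_of(q[0]) > window:
        q.popleft()


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(src, user): max failures seen inside `window`} for pairs reaching `threshold`."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for e in (e for e in events if e["result"] == "FAILURE"):
        key = (e["src"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        _expire(q, e["ts"], window)
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def detect_password_spray(events, min_users=3, window=timedelta(minutes=10)):
    """Return {src: max distinct accounts failed inside `window`} for sources reaching `min_users`."""
    recent = defaultdict(deque)  # src -> (ts, user) of recent failures
    alerts = {}
    for e in (e for e in events if e["result"] == "FAILURE"):
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        _expire(q, e["ts"], window, ts_of=lambda item: item[0])
        users = {u for _, u in q}
        if len(users) >= min_users:
            alerts[e["src"]] = max(alerts.get(e["src"], 0), len(users))
    return alerts


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Return [(src, user, preceding_failures, ts)] for logins that end a run of failures.

    This is the highest-value alert of the three: a brute force that ended in a
    SUCCESS means the account is likely compromised and needs a password reset.
    """
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        q = recent[key]
        _expire(q, e["ts"], window)
        if e["result"] == "FAILURE":
            q.append(e["ts"])
        elif len(q) >= min_failures:
            hits.append((e["src"], e["user"], len(q), e["ts"]))
            q.clear()
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("password spray:", detect_password_spray(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

The per-key deques give a sliding window without re-scanning history, so the same logic runs on a live stream as well as on a batch export. Note that a slow spray (one attempt per account per hour) evades the ten-minute window by design; widening the window and lowering the user count trades false positives for coverage, which is exactly the tuning the SIEM correlation should make visible.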
One of the ways threat actors can inflict damage is by denying access via a DDoS attack. So, as well as being secure, this infrastructure must remain available: without it, entire workforces come to a halt.
There are several ways businesses can protect the availability of secure remote access infrastructure, for example:
- Issue Acceptable-Use Policies (AUPs) to the remote workforce and implement split-tunneled VPN. With a full tunnel, a remote employee's personal traffic, online gaming included, exits through the enterprise's address space, so a DDoS aimed at that employee lands on the VPN concentrator; a split tunnel keeps that traffic on the home connection, and the AUP tells staff not to route it through the VPN in the first place. Both measures protect the enterprise from becoming collateral damage in an online-game related DDoS attack (split tunneling does reduce the visibility and control the enterprise has over the remote endpoint's other traffic, which is a trade-off to make deliberately)
- Avoid labeling the VPN infrastructure in its hostname; a name such as 'https://vpn.[insertcompany].com' draws immediate attention to the VPN. This only removes the obvious label, since the host remains discoverable through DNS, TLS certificates and port scanning, so treat it as reducing attention rather than as protection
- Protect the infrastructure using either a commercial DDoS protection service or an on-premises Intelligent DDoS Mitigation System (IDMS), or a combination of both
The pandemic has brought remote access to the fore, but when it is over, remote working is likely to become part of the 'new normal'. Remote access is here to stay, so it is important that businesses protect themselves now and into the future.
Hardik Modi, AVP Engineering, Threat and Mitigation Products, NETSCOUT