Now that working from home is our new reality, we’ve found that many of our customers are taking a much closer look at the technology that binds us all together and allows us to access corporate resources: the humble VPN. In the spirit of enablement, I’ve put together a quick list of dashboards that can help add that extra bit of visibility for our faithful Splunk Enterprise Security customers. Also, be sure to check out the additional posts my colleagues have shared about keeping your infrastructure secure in this new environment we all live in.

VPNs transmit sensitive information over both public and private networks. That extension of the corporate network is a tasty vector because it’s much more accessible for attackers. Hackers no longer have to breach the perimeter itself to find sensitive data; exploiting even just one remote access flaw could be sufficient to breach a system. VPNs often don’t contain the layers of security found in perimeter defenses, yet provide access from outside the network. If 2FA (two-factor authentication) isn’t in place, credential stuffing is a very real way to break in. Some of the largest breaches in history involved the VPN. Heartland, Target and Home Depot all come to mind, not just from an attack perspective, but also from a vulnerability perspective.

So first things first, let’s make sure that VPN and perimeter of yours is up to date. Let’s start with leveraging that vulnerability assessment tool that’s been lying around, and scan the VPN and any perimeter-related devices. Then, we can take a peek via the Vulnerability Center dashboard. Or, if you want to be more specific, you can target specific CVEs or specific hosts via the Vulnerability Search dashboard. Once you’ve identified the perimeter and VPN vulnerabilities, it’s time to get to patching!

Next up, time to track your volume of VPN connections. Tracking VPN connections over time is a great way to identify any spikes that may pop up. You’ll probably see a big spike at the usual start of the business day, but if it’s in the middle of the night, it might be worth peeking at. To do that, I’d peek at the Access Center.

Now, your authentication events may come directly from the VPN itself, or from your Active Directory events. Either way, they should be populating the Authentication data model. When looking for credential stuffing, look for a spike of failed authentications coming from a single IP. If password spraying is the attack method, you may see a single auth attempt per account. Then, I’d pivot, looking for successful authentications via that same IP. That’s generally where a password did match, and the bad guy got in. Oftentimes, when an attacker is logging into a valid user account, they’ll do so during business hours to disguise the traffic in the mass of other traffic.
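To make the two failed-auth heuristics and the success pivot concrete, here is an added example (mine, not from the original post or from Splunk) that runs them in Python over a handful of constructed events shaped like the CIM Authentication data model fields src, user and action; the thresholds and the sample IPs are assumptions, not values from the post.

```python
from collections import defaultdict

# Constructed sample events (hypothetical, not real log data), using the
# Authentication data model field names src, user and action.
EVENTS = (
    # 198.51.100.9: 15 failures across five accounts, several tries each
    [{"src": "198.51.100.9", "user": u, "action": "failure"}
     for u in ["alice", "bob", "carol", "dave", "erin"] for _ in range(3)]
    # 203.0.113.7: one attempt per account across eight accounts (spraying)
    + [{"src": "203.0.113.7", "user": f"user{i:02d}", "action": "failure"}
       for i in range(8)]
    # ...and one of those passwords did match
    + [{"src": "203.0.113.7", "user": "user05", "action": "success"}]
    # 192.0.2.1: a normal user fat-fingering a password once
    + [{"src": "192.0.2.1", "user": "frank", "action": "failure"},
       {"src": "192.0.2.1", "user": "frank", "action": "success"}]
)


def failures_by_src(events):
    """Count failed logins per source IP, broken down per account."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "failure":
            per_src[e["src"]][e["user"]] += 1
    return per_src


def classify_source(user_counts, min_users=5, min_failures=10):
    """Label one source's failure profile using the post's two heuristics.
    Thresholds are assumed values; tune them to your own baseline."""
    if len(user_counts) >= min_users and max(user_counts.values()) == 1:
        return "password_spraying"    # exactly one attempt per account
    if sum(user_counts.values()) >= min_failures:
        return "credential_stuffing"  # spike of failures from a single IP
    return None


def find_suspicious_sources(events, **thresholds):
    """Map each flagged source IP to its label."""
    return {src: label for src, users in failures_by_src(events).items()
            if (label := classify_source(users, **thresholds))}


def pivot_successes(events, src):
    """Pivot: accounts that successfully authenticated from a flagged IP."""
    return sorted({e["user"] for e in events
                   if e["src"] == src and e["action"] == "success"})


if __name__ == "__main__":
    for src, label in find_suspicious_sources(EVENTS).items():
        print(src, label, "got in as:", pivot_successes(EVENTS, src))
```

The same aggregation maps onto a tstats search over the Authentication data model grouped by src and user; the Python version just makes the thresholds and the pivot explicit.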