April 12, 2018
Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
My team regularly assists clients in battling with users trying to access non-business related sites or remote locations that may have been deemed not work appropriate. Before we blame the end-user for not respecting the rules our organizations have set, we must remember that not all end users are aware of the risks involved when they visit these nefarious locations. On top of that, not everyone is able to utilize only business related information for the full 8 hours of the workday! But there are plenty of clean websites that usually aren’t blocked that are known clean sites and can get your mind off work for some time. We need to continue to block sites that are known bad despite the battle it may take.
Some of the tools we’re seeing in the wild include Web-based proxies, Free VPN services, RDP services, and other remote access tools. The number of options users have to evade the rules you as a network admin put in place can cause a major headache. Playing whack-a-mole with each and every service that pops up in logs or on an IPS can be overwhelming and tedious. An old saying goes well in this situation, “nothing in life is free”. If you see a web proxy offering a free service, you can guarantee this service is taking the data end users are generating and doing whatever they please. One safer option if in the rare case someone requires anonymized VPN use, is a paid service such as NordVPN or Private Internet Access VPN. Unfortunately, most users go the free VPN or proxy route which puts the corporate network at risk.
On top of evading business related firewall rules, these proxies and VPN’s have been analyzed by security experts only to find that the provider’s are actively collecting user data. And in some cases, even hijacking the host traffic for redirection. For example, Christian Haschek an Austria-based security researcher, wrote a script that analyzed 443 open proxies (no pun intended). He found that the 79 percent of surveyed proxy services forbid secure, HTTPS traffic. Imagine browsing the internet on purely plaintext HTTP traffic, which would not encrypt any data behind the scenes, just freely passing your requests along to a computer network that has malicious actors analyzing the incoming data around-the-clock. These are risks end-users don’t often take into account. We need to educate these users absolutely, but we need to be taking the route of blocking these services using the tools we invested in.
Before implementing these security protocols to block P2P, RDP and VPN services it is essential to analyze all your locations logs to find legitimate services your company uses. Often times, IT users will be using a VPN service that is legitimate but is not one your team is aware of. It is important to identify these use-cases for whitelisting later in the process. Once you analyze a minimum of 7 business days, you should have compiled a list of legitimate programs that are being categorized as P2P, RDP or Proxy services. Identify the programs that are deemed acceptable by the IT team to be used on the business network. This is to be considered your exemption list. Most modern day firewalls have an area to exempt or exclude certain services and block entire services by apptype. In the exemption/exclusion area, enter in all the programs you found to be normal business use. After the exemption list is made you should consider setting all P2P, Remote services, and VPN services to block. This will considerably cut down those attack vectors and block users from using malicious P2P and VPN. Initially, you will want to implement these blocks for a specific testing group. The IT team is usually a good initial testing group. Then, slowly roll out the new blocking policies for the rest of the company. Happy blocking!Referenceshttps://www.wired.com/2015/07/proxy-services-totally-unsecure-alternatives/
Security news, tips, webinars, and more straight to your inbox.
