On June 6, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released the Guide to Securing Remote Access Software, written jointly with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD).
Overview
Remote access software tools offer a wide range of capabilities commonly used to maintain and enhance IT, operational technology (OT), and industrial control systems (ICS) services. These tools enable organizations to remotely oversee networks, computers, and devices, providing a proactive and flexible approach to IT/OT management. Remote access software, such as remote administration solutions and remote monitoring and management (RMM) tools, allows for functions like data gathering, maintenance automation, remote recovery and backup, and patch management. While legitimate use of remote access software improves efficiency and plays a critical role in business continuity plans, it also poses significant risks as malicious actors can exploit these tools.
Malicious Use of Remote Access Software
Remote access software gives IT/OT teams a convenient way to detect network or device issues and to monitor systems proactively. Cyber threat actors, however, increasingly use the same tools to gain broad access to victim systems. Remote access software, and RMM in particular, offers exactly the capabilities an intruder wants for maintaining persistence and moving laterally inside a compromised network. Small- and mid-sized businesses that rely on managed service providers (MSPs) and their remote access tooling are especially exposed to supply chain compromise, because one compromised MSP tool or credential can reach every customer that MSP manages. Remote access software appeals to threat actors because it is legitimate, often signed software that tends to evade security tools, it requires little or no custom development, it can bypass software management control policies and firewall rules, and a single deployment can support multiple cyber intrusions.
Associated Tactics, Techniques, and Procedures (TTPs) with MITRE ATT&CK References
Cyber threat actors leverage remote access software for initial access, persistence, deploying additional software and tools, lateral movement, and data exfiltration. For initial access they exploit vulnerabilities in the software itself (Exploit Public-Facing Application, T1190), tamper with legitimate software through supply chain compromise (T1195), trick victims into downloading remote access software through phishing campaigns (T1566), use compromised credentials (Valid Accounts, T1078), and abuse third-party relationships such as an MSP's access to its customers (Trusted Relationship, T1199). PowerShell (T1059.001) is often used to deploy the software silently, and industry observations indicate that binaries are renamed to masquerade as legitimate processes (Masquerading, T1036). Once installed, remote access software lets the actor discover other systems on the network (Remote System Discovery, T1018), move laterally through remote services (T1021), and establish command and control channels (Remote Access Software, T1219). The guide includes a table mapping these tactics and techniques to the MITRE ATT&CK framework.
Detections
To detect unauthorized use of remote access software, organizations should first establish a security baseline of normal network and host activity. Network defenders need to know how each approved tool behaves, which binaries it installs, where they run from, what they connect to, and who launches them, in order to recognize abnormal or malicious use, including a known tool appearing on a host where it was never deployed. The guide recommends endpoint detection and response (EDR) tools for monitoring remote access software, and it lists several products that threat actors may leverage, including ConnectWise Control, Pulseway, AnyDesk, RemotePC, and others.
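The baseline idea above, together with the PowerShell silent-deployment and renamed-binary TTPs described earlier, can be turned into simple host-level detection logic. The following is an added example, not code from the guide or from any vendor: it runs three checks over Sysmon-style process creation events (Event ID 1 fields Image, OriginalFileName, ParentImage, CommandLine). The approved-tool baseline, the catalog of remote access binaries (keyed by the PE OriginalFileName), the silent-install switches, and the sample events are all constructed for illustration; a real deployment would build the catalog and baseline from binaries actually observed in the environment.

```python
"""Flag suspicious remote access software activity in Sysmon-style process
creation events. Tool names, paths and sample events are constructed for this
example and are not taken from the CISA guide."""
from pathlib import PureWindowsPath

# Baseline: tools the organization has approved, and the directory each one is
# expected to run from. Constructed for this example.
APPROVED_TOOLS = {
    "ScreenConnect.ClientService.exe": r"C:\Program Files (x86)\ScreenConnect Client",
}

# Remote access binaries worth watching, keyed by the PE OriginalFileName that
# Sysmon records. The names are assumed for illustration; build the real list
# from binaries observed in your own environment.
RMM_CATALOG = {
    "ScreenConnect.ClientService.exe": "ConnectWise Control",
    "AnyDesk.exe": "AnyDesk",
    "Pulseway.exe": "Pulseway",
    "RemotePC.exe": "RemotePC",
}

# Installer switches that suppress any user-visible prompt (assumed set).
SILENT_FLAGS = {"/s", "/silent", "/verysilent", "/quiet", "/qn", "--silent"}


def analyze(event):
    """Return a list of human-readable findings for one process creation event."""
    findings = []
    image = PureWindowsPath(event["Image"])
    original = event.get("OriginalFileName", "")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    tokens = event.get("CommandLine", "").lower().split()
    tool = RMM_CATALOG.get(original)

    # Masquerading: the file on disk was renamed, but the version resource
    # still carries the compiled-in name.
    if original and original.lower() != image.name.lower():
        findings.append(f"masquerade: {image.name} has OriginalFileName {original}")

    # Silent deployment of a remote access tool from PowerShell.
    if tool and parent == "powershell.exe" and SILENT_FLAGS.intersection(tokens):
        findings.append(f"silent install launched from PowerShell: {tool}")

    # Baseline check: is this a tool we approved, and is it where we expect it?
    if tool:
        expected = APPROVED_TOOLS.get(original)
        if expected is None:
            findings.append(f"unapproved remote access tool: {tool}")
        elif str(image.parent).lower() != expected.lower():
            findings.append(f"{tool} running outside its approved path: {image.parent}")
    return findings


def triage(events):
    """Map each event's Image to its findings, dropping events with none."""
    result = {}
    for ev in events:
        f = analyze(ev)
        if f:
            result[ev["Image"]] = f
    return result


# Constructed sample events: one benign, one masqueraded AnyDesk dropped by
# PowerShell, one approved tool running from an unexpected location.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
        "OriginalFileName": "ScreenConnect.ClientService.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": '"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"',
    },
    {
        "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
        "OriginalFileName": "AnyDesk.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"svchost.exe --install C:\ProgramData\svc --silent",
    },
    {
        "Image": r"C:\Users\Public\ScreenConnect\ScreenConnect.ClientService.exe",
        "OriginalFileName": "ScreenConnect.ClientService.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "ScreenConnect.ClientService.exe",
    },
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image)
        for f in findings:
            print("  -", f)
```

The masquerade check is the one that survives renaming: an attacker can call the dropped binary svchost.exe, but unless they also patch the PE version resource, Sysmon still records the original name. The path and allowlist checks are only as good as the baseline behind them, which is why the guide's first recommendation is to know how your approved tools normally behave.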
Recommendations
The joint guide provides recommendations for all organizations, with specific guidance for MSPs and their customers, to defend against malicious use of remote access software. These recommendations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) that CISA developed with NIST and aim to protect against the most common threats. The recommendations include:
- Maintain a robust risk management strategy based on standards like the NIST Cybersecurity Framework.
- Implement zero trust solutions or least-privilege-use configurations.
- Conduct user training programs and phishing exercises to raise awareness.
- Work with a security operations center (SOC) team for system monitoring.
- Audit Active Directory for inactive accounts and misconfigurations.
- Enable just-in-time access and two-factor authentication.
- Use safeguards for mass scripting and implement a script approval process.
- Leverage software bill of materials (SBOM) to maintain an inventory of software components.
- Consider external attack surface management (EASM) for enhanced visibility and continuous monitoring.
The Role of Managed Service Providers (MSPs)
Managed Service Providers (MSPs) play a critical role in the use of remote access software, as they often rely on these tools to remotely manage and support their clients' IT infrastructure. However, MSPs can also be a target for malicious actors seeking to gain unauthorized access to their clients' systems. Adversaries may exploit vulnerabilities in MSP infrastructure or compromise MSP credentials to gain access to multiple client networks. Therefore, it is crucial for MSPs to implement robust security measures to protect their systems and ensure the secure use of remote access software.
Best Practices for Secure Remote Access Software Usage
To mitigate the risks associated with remote access software, organizations should follow best practices for secure usage. These practices include:
- Risk Assessment and Vendor Selection: Conduct a thorough risk assessment of remote access software solutions before implementation. Evaluate the security features, reputation, and track record of vendors to ensure they follow industry best practices.
- Secure Configuration: Configure remote access software with strong security settings, including robust authentication mechanisms, encryption, and access control policies. Implement least privilege access to limit user privileges based on job roles and responsibilities.
- Regular Updates and Patching: Keep the remote access software and its supporting systems up to date with the latest security patches and updates. This helps address known vulnerabilities and protect against potential exploits.
- Strong Authentication: Enforce the use of strong and unique passwords for all remote access accounts. Consider implementing multi-factor authentication (MFA) to provide an extra layer of security.
- Monitoring and Logging: Implement comprehensive logging and monitoring mechanisms to track and detect any suspicious activity related to remote access software. Monitor login attempts, access logs, and system events for signs of unauthorized access or unusual behavior.
- Network Segmentation: Separate networks or system segments that require remote access from critical or sensitive assets. This helps contain potential breaches and restrict unauthorized access to sensitive information.
- User Education and Awareness: Train employees and system administrators on best practices for secure remote access usage. Educate them about the risks associated with phishing attacks, social engineering, and the importance of maintaining strong security practices.
- Incident Response Planning: Develop an incident response plan that includes specific procedures for handling security incidents related to remote access software. Establish clear roles and responsibilities and conduct regular drills to ensure preparedness.
- Regular Audits and Assessments: Conduct regular audits and assessments of the remote access software infrastructure to identify vulnerabilities and weaknesses. Engage third-party security professionals to perform penetration testing and security assessments.
By implementing these best practices, organizations can significantly enhance the security of their remote access software and reduce the risk of unauthorized access and potential data breaches.
Remote access software offers numerous benefits for organizations, enabling efficient IT/OT management and support. However, it also presents significant risks if not implemented and used securely. To mitigate these risks, organizations should follow industry best practices, conduct risk assessments, and implement robust security measures. Collaboration between MSPs and their clients is crucial to ensure secure remote access and protect against the potential misuse of these tools. By adopting a proactive and vigilant approach, organizations can maximize the benefits of remote access software while safeguarding their systems and data from malicious actors.
Remote access software delivers its benefits only when security is treated as a priority rather than an afterthought. As part of a comprehensive security strategy, we recommend considering HoundER Attack Surface Management.
HoundER Attack Surface Management is an advanced security solution that specializes in identifying and managing potential vulnerabilities in an organization's attack surface. By using HoundER, organizations can gain a comprehensive understanding of their digital footprint, including all network assets, web applications, and potential entry points for attackers.
By employing HoundER Attack Surface Management, organizations can proactively identify and address security gaps related to remote access software. HoundER provides continuous monitoring, vulnerability scanning, and threat intelligence, enabling organizations to stay one step ahead of potential threats.
With HoundER Attack Surface Management, organizations can:
- Identify and assess potential risks: HoundER scans the attack surface, providing detailed insights into vulnerabilities and weaknesses associated with remote access software and related systems. This information helps organizations prioritize their security efforts and allocate resources effectively.
- Strengthen security posture: By proactively managing the attack surface, organizations can strengthen their security posture. HoundER offers recommendations and actionable insights to remediate vulnerabilities, helping organizations maintain a robust and secure remote access infrastructure.
- Monitor for emerging threats: HoundER continuously monitors the attack surface, keeping organizations informed about new vulnerabilities, emerging threats, and changes in their digital footprint. This enables organizations to promptly respond and adapt their security measures accordingly.
- Enhance compliance: HoundER assists organizations in meeting regulatory requirements and industry standards by providing visibility into potential security gaps and assisting in the implementation of necessary controls.
By leveraging HoundER Attack Surface Management, organizations can take a proactive and comprehensive approach to secure their remote access infrastructure. With its advanced scanning capabilities, threat intelligence, and actionable insights, HoundER empowers organizations to minimize the risk of unauthorized access, protect sensitive data, and ensure business continuity.
Investing in HoundER Attack Surface Management demonstrates a commitment to robust security practices and helps organizations stay ahead in the ever-evolving threat landscape. By partnering with HoundER, organizations can confidently embrace the benefits of remote access software while minimizing potential security risks.