
Remote Access Detection

by Cody Dumont
February 29, 2016

IT staff use remote access tools for several kinds of management and support of computing systems. Attackers use the same technologies to exfiltrate data and to perform actions such as covertly monitoring users. This dashboard helps organizations monitor remote access vulnerabilities and usage. Its components are associated with vulnerabilities and events related to the standard protocols SSH, VNC, and RDP, as well as proprietary products such as pcAnywhere, Apple Remote Desktop, WebEx, Google Desktop, and GoToMyPC.

The content in this dashboard uses all of the collection methods available in SecurityCenter Continuous View (CV). Using Nessus and the Passive Vulnerability Scanner (PVS), the components identify systems capable of remote access. Nessus looks for installed software, browser plugins, and other artifacts that point to desktop control software. PVS passively monitors network traffic to identify vulnerabilities and to discover hosts, applications, and operating systems through packet analysis. The dashboard does not report on Skype or other software that can share a screen but does not allow remote control of a system.

The Log Correlation Engine (LCE) logs PVS events and tracks other remote access related events. LCE can also monitor NetFlow information, either by collecting NetFlow records directly or by using the Network Monitor Agent. The Network Monitor Agent works like a NetFlow collector but stores the records in an LCE-friendly format; an additional benefit is that any syslog messages it captures are also forwarded to LCE for analysis. NetFlow and Network Monitor data expose traffic patterns that can then be singled out as interesting. One of the components filters on destination port, matching the well-known ports of several remote access protocols to identify possible remote access activity. Such traffic may be a false positive, but it should be investigated to determine whether malicious activity is occurring.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The dashboard is located in the SecurityCenter Feed under the category Threat Detection and Vulnerability Assessments. The dashboard requirements are:

  • SecurityCenter 5.2.0
  • Nessus 6.5.4
  • PVS 4.4.0
  • LCE 4.6.1
  • Tenable NetFlow Monitor
  • Tenable Network Monitor

SecurityCenter CV can identify vulnerabilities and help eliminate blind spots on your network, such as systems capable of remote access. SecurityCenter CV uses Nessus and PVS to detect missing patches, incorrect configurations, lapsed defenses, incomplete monitoring, and network intruders. Tenable’s unique combination of detection, reporting, and pattern recognition leads the marketplace in continuous monitoring. By taking a proactive approach to continuous monitoring, SecurityCenter CV can identify critical risk across the entire enterprise.

Components

Verizon 2015 DBIR - Remote Access:  The Verizon DBIR notes that it is important to restrict remote access to systems. This matrix assists the organization in monitoring its remote access. The Unusual VPN indicator is highlighted purple when a VPN login originates from an IP address that is not normal for the user ID. Multiple indicators highlight VPN, SSH, RDP, VNC, and SSL traffic events within the last 72 hours, including potential intrusion events, events associated with known bad IP addresses (threatlist), and long-term events. The VPN Sniffed and SSH Sniffed indicators are highlighted purple if those protocols, respectively, are passively detected on the network. The Compliance Fails indicator is highlighted red if there are any remote access compliance failures. The GoToMyPC and RemotelyAnywhere indicators are highlighted purple if those applications are detected on the network. Clicking on a highlighted indicator will bring up the analysis screen to display details on the detections and events and allow further investigation.
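The per-user baseline behind an "Unusual VPN" style indicator, as an added example that is not part of the original post and not Tenable or LCE code. It learns which source addresses each user ID has successfully logged in from, then flags a later login from an address outside that set. The log line format (`vpn: user=... src=... result=...`), the regular expression and the sample lines are all constructed here for illustration.

```python
# Added example (not Tenable's code): the per-user baseline behind an
# "Unusual VPN" style indicator. Learn which source addresses each user ID has
# logged in from, then flag a new login from an address outside that set.
# The log format and the sample lines are constructed here for illustration.
import re
from collections import defaultdict

# Assumed VPN log line shape.
VPN_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

# Constructed history used to learn what is "normal" for each user ID.
BASELINE_LOGS = """\
2016-02-01T08:00:00 vpn: user=alice src=198.51.100.10 result=success
2016-02-02T08:05:00 vpn: user=alice src=198.51.100.10 result=success
2016-02-03T09:10:00 vpn: user=bob src=192.0.2.20 result=success
2016-02-04T08:02:00 vpn: user=alice src=198.51.100.11 result=success
2016-02-05T08:02:00 vpn: user=bob src=192.0.2.21 result=failure
"""

# Constructed new events to evaluate against that baseline.
NEW_LOGS = """\
2016-02-29T03:12:00 vpn: user=alice src=203.0.113.5 result=success
2016-02-29T08:01:00 vpn: user=bob src=192.0.2.20 result=success
2016-02-29T08:30:00 vpn: user=carol src=198.51.100.40 result=success
2016-02-29T08:31:00 vpn: user=bob src=203.0.113.9 result=failure
"""


def parse_vpn_logins(text):
    for line in text.strip().splitlines():
        m = VPN_LOGIN_RE.match(line)
        if m:  # lines that do not match the shape are ignored, not guessed at
            yield m.groupdict()


def build_baseline(text):
    """Map each user ID to the set of source addresses of its successful logins.
    Failed attempts are excluded so that password guessing cannot seed the
    baseline with the attacker's own address."""
    baseline = defaultdict(set)
    for ev in parse_vpn_logins(text):
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["src"])
    return dict(baseline)


def unusual_logins(baseline, text):
    """Return (user, src, reason) for each successful login that is not normal
    for that user ID. A user with no baseline at all is reported separately,
    since a first-ever login cannot be called normal either."""
    flagged = []
    for ev in parse_vpn_logins(text):
        if ev["result"] != "success":
            continue
        known = baseline.get(ev["user"])
        if known is None:
            flagged.append((ev["user"], ev["src"], "no_baseline"))
        elif ev["src"] not in known:
            flagged.append((ev["user"], ev["src"], "new_source"))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for user, src, reason in unusual_logins(base, NEW_LOGS):
        print(f"UNUSUAL VPN  user={user} src={src} ({reason})")
```

In production the baseline would be built over a rolling window and usually keyed on network prefix, ASN or geolocation rather than the exact address, because home and mobile addresses change; an exact-address baseline like this one fires often and needs tuning before it is useful as an indicator.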

Remote Access Detection - Remediation Summary: This table provides information on vulnerability remediation solutions available for remote access vulnerabilities. Each solution lists the percentage of risk reduction, the total hosts affected, and the percentage of vulnerabilities resolved. The filter for this table uses a capability new in SecurityCenter 5.2.0: Perl Compatible Regular Expression (PCRE) matching in the Plugin Name field. A single regular expression can match all of the plugin name variants found during the component’s development, rather than listing each string separately. This component can be used to obtain a list of patches that can be installed to quickly remediate vulnerabilities and reduce risk.

Indicators - Network Anomalies and Suspicious Activity: This component takes many of the various detection technologies for botnets, malicious file hashes, anomalous network traffic, spikes in system logs and continuous scanning activity and places them into one spot.

Remote Access Detection - Vulnerabilities Indicator: This component displays warning indicators for 28 specific remote access applications. Its value lies in the depth taken to find obscure remote access applications and to separate common applications by their respective operating systems. This component can help the organization understand how exposed it is to outside control of its systems. An indicator displays purple when a vulnerability has been detected in that specific remote access application.

Remote Access Detection - Remote Access Port Tracking: This component uses NetFlow and Network Monitor analysis to identify systems with traffic that may belong to a specific remote access protocol. LCE can collect NetFlow records directly or receive them through the Network Monitor Agent, which works like a NetFlow collector but stores the records in an LCE-friendly format; either way, the traffic patterns it records can then be singled out as interesting. The filters use the “Destination Port” filter because the well-known port sits on the server side of a connection, while the client’s source port is ephemeral; tracking on destination port therefore produces fewer false positives than matching either port. When a pattern is discovered the indicator turns purple.
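The destination-port logic described above and in the LCE/NetFlow paragraph earlier on the page, as an added example that is not Tenable code. It matches flow records against a map of well-known remote access ports, shows why the server-side reply flow (well-known port in the source position) must not count as a second detection, and picks out the detections whose client is outside the organization as the ones to investigate first. The CSV flow layout, the port map, the internal address ranges and the sample flows are all assumptions constructed here.

```python
# Added example (not Tenable's code): flag NetFlow-style records whose
# destination port is a well-known remote access port, as the Remote Access
# Port Tracking component does with its "Destination Port" filter. The record
# format, port map and internal address ranges below are assumptions made here.
import ipaddress
from collections import defaultdict

# Assumed port map (standard assignments). Tools that tunnel over 443 such as
# WebEx and GoToMyPC are invisible to a port filter and rely on the Nessus/PVS
# application detections instead.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    3389: "RDP",
    5900: "VNC",
    5631: "pcAnywhere",
    5632: "pcAnywhere",
    3283: "Apple Remote Desktop",
}

# Assumed address space of the organization; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: timestamp,src,dst,sport,dport,proto,bytes.
# The third line is the server half of an RDP session (source port 3389,
# ephemeral destination port) and must not count as a second detection.
SAMPLE_FLOWS = """\
2016-02-29T10:01:02,10.0.1.15,10.0.2.40,51234,22,tcp,4820
2016-02-29T10:01:05,10.0.1.15,10.0.2.41,51240,443,tcp,19020
2016-02-29T10:02:11,10.0.2.50,10.0.1.99,3389,52811,tcp,120
2016-02-29T10:03:40,203.0.113.7,10.0.2.50,40022,3389,tcp,90211
2016-02-29T10:04:00,10.0.1.20,10.0.2.60,51300,5900,tcp,44100
"""


def parse_flow(line):
    ts, src, dst, sport, dport, proto, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "sport": int(sport),
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def track_remote_access(flow_text, port_map=REMOTE_ACCESS_PORTS):
    """Return {protocol: [(src, dst), ...]} for flows whose destination port
    is in port_map. Matching on destination port only ignores reply flows,
    where the well-known port appears as the source port."""
    hits = defaultdict(list)
    for line in flow_text.strip().splitlines():
        flow = parse_flow(line)
        name = port_map.get(flow["dport"])
        if name is not None:
            hits[name].append((flow["src"], flow["dst"]))
    return dict(hits)


def indicator_state(hits, name):
    """Purple when a pattern was discovered for the protocol, otherwise clear."""
    return "purple" if hits.get(name) else "clear"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_origin(hits):
    """Detections whose client is outside the organization: review these first,
    since the internal ones may well be legitimate administration."""
    return [(name, src, dst) for name, pairs in hits.items()
            for src, dst in pairs if not is_internal(src)]


if __name__ == "__main__":
    found = track_remote_access(SAMPLE_FLOWS)
    for proto in sorted(set(REMOTE_ACCESS_PORTS.values())):
        print(f"{proto:22s} {indicator_state(found, proto)}")
    print("external clients:", external_origin(found))
```

The port filter is deliberately coarse: an SSH server bound to a non-standard port is missed, and an unrelated service on 3389 is counted, which is why the page treats a purple indicator as a prompt to investigate rather than a confirmed finding.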

Remote Access Detection - Exploitable, High CVSS Score, and Compliance Vulnerabilities: This component provides an overview of vulnerability details for seven remote access methods. It displays the number of systems with remote access capable applications and, for each protocol, the percentage of vulnerabilities that are exploitable, the percentage with a CVSS score of 7.0 or above, and the percentage flagged as compliance vulnerabilities. For each percentage, 0 to 24 percent displays green, 25 to 49 percent displays yellow, 50 to 74 percent displays orange, and 75 to 100 percent displays red. The IT security team should attempt to keep all of these percentages as close to zero as possible.

Remote Access Detection - 90-Day Trend of Vulnerabilities: This chart presents a 90-day trend analysis of remote access vulnerabilities on the network. These include vulnerabilities associated with SSH, VNC, RDP, Apple Remote Desktop, WebEx, and GoToMyPC.