Author: Roman Arutyunov, Co-Founder and Senior Vice President of Products, Xage Security
The Cybersecurity and Infrastructure Security Agency (CISA), along with other U.S.-based and international partners, has released a Guide to Securing Remote Access Software.
Remote access technologies have been widely abused and exploited by threat actors for many years. From protocols like Remote Desktop Protocol, to widely used generic technologies like Virtual Private Networks, to remote management and monitoring products like Kaseya VSA, which was used to widely disseminate ransomware in 2021, these technologies are a juicy target for cyberattackers at every level of sophistication. Furthermore, the use of remote access, and remote monitoring and management technology has skyrocketed in recent years. This is partly due to increased remote work driven by COVID-19, as well as general challenges in staffing technical positions, especially in cybersecurity and industrial control systems/operational technology, driving businesses to hire remotely to access a broader talent pool. On top of that, the number of OT assets in the field has grown by 10x over the past decade and a half. There are simply too many to manage by sending humans to often remote and dangerous locations to maintain these assets in person.
Additionally, the recent discovery of a People’s Republic of China state-sponsored cyber actor (dubbed Volt Typhoon) living off the land in U.S. critical infrastructure brought the vulnerability of remote access software back into the spotlight.
So it is no surprise that CISA and their partners are promoting methods to secure remote access software. The CISA Guide to Securing Remote Access includes a meaty list of MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) in which remote access technology is implicated, as well as a list of specific vendor technologies that have been actively abused by attackers. Most importantly, it includes a set of recommendations for all organizations to implement, to secure their remote access and remote management and monitoring software.
Three Key Lessons in CISA’s Guide to Securing Remote Access Technology
On the face of it, the recommendations in CISA’s guide are good. Many are basic security hygiene recommendations, being reframed for specific use in remote access scenarios. But there are a couple of salient themes in the choices CISA made about what to include in this document that are vitally important to recognize and act upon.
Lesson 1: Prevention is A Requirement. Detection Alone is Not Enough.
A large number of recommendations in the guide are prevention focused. While detection plays an important role, prevention is foundational to effective security.
Secure remote access software is a juicy target for attackers because it is allowed and desired in the given environment. This introduces some major challenges for detection. The low-hanging fruit is to set up detections for usage of any unapproved remote access software. Monitoring for unacceptable behavior of the approved remote access software is also a good thing to do, but ultimately leads to the dreaded “alert fatigue” that plagues the entire chronically understaffed cybersecurity industry.
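The two detections just described, as an added example that is not from the CISA guide or from Xage: a small pass over process-creation style log lines that flags (a) any tracked remote access executable that is not on the organization's approved list and (b) the approved tool being launched by an account outside the authorized operator group. The executable catalogue, the approved set, the operator accounts, the hosts and the log lines are all constructed sample data; a real deployment would populate the catalogue and allowlist from its own asset inventory. The summary step collapses repeated hits per host and product so that one user launching the same unapproved tool twenty times produces one alert rather than twenty.

```python
"""Detect unapproved remote access software and misuse of the approved tool.

Added example (not the CISA guide's or Xage's code). All names, hosts, users
and log lines are constructed sample data.
"""
import re
from collections import Counter

# Constructed catalogue of remote access / RMM executables to track
# (basename, lowercase). Populate from your own inventory.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "mstsc.exe": "RDP client",
}
# Constructed: the single sanctioned RMM tool and the accounts allowed to run it.
APPROVED = {"screenconnect.clientservice.exe"}
AUTHORIZED_OPERATORS = {"svc-rmm", "ops-admin"}

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (raw strings so the Windows backslashes survive).
SAMPLE_LINES = [
    r'ts=2024-05-01T09:14:02Z host=ws-17 user=alice image="C:\Users\alice\Downloads\AnyDesk.exe" parent=explorer.exe',
    r'ts=2024-05-01T09:14:40Z host=ws-17 user=alice image="C:\Users\alice\Downloads\AnyDesk.exe" parent=explorer.exe',
    r'ts=2024-05-01T09:20:11Z host=srv-db01 user=svc-rmm image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" parent=services.exe',
    r'ts=2024-05-01T09:31:57Z host=srv-db01 user=bob image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" parent=cmd.exe',
    r'ts=2024-05-01T09:45:03Z host=ws-22 user=carol image="C:\Windows\System32\notepad.exe" parent=explorer.exe',
]


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding tuple (type, host, user, product) or None."""
    image = basename(event.get("image", ""))
    if image not in REMOTE_ACCESS_BINARIES:
        return None
    product = REMOTE_ACCESS_BINARIES[image]
    if image not in APPROVED:
        return ("unapproved_tool", event["host"], event["user"], product)
    if event["user"].lower() not in AUTHORIZED_OPERATORS:
        return ("approved_tool_unauthorized_user", event["host"], event["user"], product)
    return None


def scan(lines):
    """Run the classifier over every line, keeping only actual findings."""
    return [f for f in (classify(parse_line(ln)) for ln in lines) if f]


def summarize(findings):
    """Collapse repeats per (type, host, product) to keep alert volume sane."""
    return Counter((kind, host, product) for kind, host, _user, product in findings)


if __name__ == "__main__":
    for key, count in summarize(scan(SAMPLE_LINES)).items():
        print(f"{key[0]:35s} host={key[1]:10s} product={key[2]:12s} hits={count}")
```

Run over the constructed lines, the scan yields two hits for the unapproved tool on ws-17 and one for the approved tool launched by an unauthorized user on srv-db01; the summary reports them as two alerts, not three.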
The majority of CISA’s recommendations are preventive in nature and are focused on controlling access and limiting the attack surface. These include:
- When possible, employ zero trust solutions—or least-privilege-use configuration—which can be endpoint- or identity-based.
- Enable just-in-time access and/or two-factor authentication based on the level of risks.
- Implement network segmentation to minimize lateral movement and restrict access to devices, data, and applications.
- And many others.
Detection is still an important aspect of a layered defense-in-depth model, but preventive actions are more foundational and should be done first before investing heavily in threat detection. If you have to choose between deploying MFA and a detection technology, choose MFA first.
Lesson 2: Identity Is At the Center of Everything, Both for Attackers and Defenders
Essentially every major cyberattack that hits the headlines has compromised identities or credentials involved in some way. Abusing legitimate credentials is a favorite technique of ransomware gangs and nation-state adversaries alike. The CISA guide makes numerous recommendations around identity, authentication, and access control, including:
- Audit Active Directory for inactive and obsolete accounts or misconfigurations.
- Enable just-in-time access and/or two-factor authentication based on the level of risks.
- Adopt MFA across all services and products.
- Do not reuse admin credentials.
The most valuable investments you can make in securing your organization against remote access software abuse or any other type of attack are focused on securing the identities, credentials, and privileges in your environment.
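The account-hygiene items in that list, as an added example that is not from the CISA guide or from Xage: an audit over a constructed directory export that flags enabled accounts with no logon in 90 days, enabled accounts that have never logged on, admin accounts without MFA enrolled, and admin accounts whose credential fingerprint is shared with another account (the fingerprint field stands in for whatever password-hash or key-identity comparison your directory supports; it is an assumption of the example, not a real AD attribute). The account records, names and dates are constructed.

```python
"""Audit a directory export for the identity hygiene items above.

Added example (not the CISA guide's or Xage's code). Records are constructed;
`cred_id` is an assumed credential fingerprint, not a real AD attribute.
"""
from datetime import datetime, timedelta, timezone

# Constructed directory export. last_logon is ISO-8601 UTC or None.
ACCOUNTS = [
    {"sam": "alice",       "enabled": True,  "admin": False, "mfa": True,  "last_logon": "2024-04-28T08:00:00Z", "cred_id": "c1"},
    {"sam": "bob",         "enabled": True,  "admin": False, "mfa": True,  "last_logon": "2023-11-15T17:22:00Z", "cred_id": "c2"},
    {"sam": "svc-backup",  "enabled": True,  "admin": True,  "mfa": False, "last_logon": None,                   "cred_id": "c3"},
    {"sam": "ops-admin",   "enabled": True,  "admin": True,  "mfa": True,  "last_logon": "2024-04-30T06:10:00Z", "cred_id": "c4"},
    {"sam": "da-jdoe",     "enabled": True,  "admin": True,  "mfa": True,  "last_logon": "2024-04-29T11:05:00Z", "cred_id": "c4"},
    {"sam": "contractor1", "enabled": False, "admin": False, "mfa": False, "last_logon": "2022-01-03T09:00:00Z", "cred_id": "c5"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(accounts, now, inactive_days=90):
    """Return a dict of finding type -> sorted list of account names."""
    cutoff = now - timedelta(days=inactive_days)
    findings = {
        "inactive": [],
        "never_logged_on": [],
        "admin_without_mfa": [],
        "shared_admin_credential": [],
    }

    # Index credential fingerprints so reuse across accounts is visible.
    cred_owners = {}
    for acct in accounts:
        cred_owners.setdefault(acct["cred_id"], []).append(acct["sam"])

    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for logon checks
        name = acct["sam"]
        if acct["last_logon"] is None:
            findings["never_logged_on"].append(name)
        elif parse_ts(acct["last_logon"]) < cutoff:
            findings["inactive"].append(name)
        if acct["admin"]:
            if not acct["mfa"]:
                findings["admin_without_mfa"].append(name)
            if len(cred_owners[acct["cred_id"]]) > 1:
                findings["shared_admin_credential"].append(name)

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    report = audit(ACCOUNTS, now=datetime(2024, 5, 1, tzinfo=timezone.utc))
    for kind, names in report.items():
        print(f"{kind:25s} {', '.join(names) or '-'}")
```

With the constructed records and a reference date of 2024-05-01, bob is inactive, svc-backup has never logged on and is an admin without MFA, and ops-admin and da-jdoe share a credential fingerprint; the disabled contractor account is skipped.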
Lesson 3: Zero Trust Is The Ultimate Goal
Many of the pieces of advice in CISA’s guide point to a zero trust strategy being the best way to avoid having remote access used against you. Many organizations are on this journey already. Organizations with critical assets at the operational edge have a unique set of challenges as they pursue zero trust, but progress is being made, and CISA’s Guide rightly acknowledges the importance of this pursuit. The guide notes:
“While Zero Trust is the ultimate goal, segregating customer data sets (and services where applicable) from each other–as well as from internal company networks–can limit the impact of a single vector of attack.”
This is one of many recent U.S. federal documents to push zero trust as the ideal strategy to pursue. From the Department of Defense Zero Trust Roadmap to the White House’s national cybersecurity strategy issued this year, Zero Trust Architecture has been a key subject.
Xage Security delivers Zero Trust Remote Access that eliminates many of the risks outlined in the CISA Guide, and helps organizations achieve Zero Trust security across OT, IT, and the cloud. Read more in our eBook: Top 5 Must Haves for Modernizing Secure Remote Access