Counteracting Remote Access MITRE Threat Actions with VNC

Without some form of remote access, threat actors conducting a cyberattack simply wouldn’t succeed. Threat actors leverage remote access services at a number of points within an attack, making it an important – and perhaps necessary – part of a cyberattack. So, how can you plan and prop up a defense against attacks?
remote access MITRE threat actions VNC Connect

To best plan a layered defense, it’s necessary to understand the enemy and the actions they take. One of the most respected ways to do this is to use the MITRE ATT&CK Framework. For those new to the framework, it’s pronounced “Miter”, like a mitre saw, and “Attack” with the actual name being an acronym for “Adversarial Tactics, Techniques, and Common Knowledge”. The MITRE ATT&CK Framework classifies threat actions into Tactics (think of these as a high-level goal for the threat actor), techniques (these are general types of actions such as using PowerShell), and procedures (these are the specific actions taken by a threat actor).

There are a number of commonly used malicious techniques that involve remote services. In this article, I want to first cover where remote services are misused by threat actors, according to MITRE, and then discuss where an implementation of VNC that takes advantage of more secure methods of authentication can help to counteract a threat actor’s ability to gain access to, move around, and act within your environment.

To align this article with MITRE’s ATT&CK Framework, I’m going to list out a MITRE tactic, list out the specific technique along with MITRE’s technique number for reference, and provide some insight into how remote access is misused at this point in an attack.

Let’s jump in.

Initial Access

According to MITRE, “Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.”

External Remote Services (T1133)

The use of externally-accessible remote services for initial access is quite common; as an example, in ransomware attacks, RDP compromise is the number one initial attack vector, occurring in about 30% of all ransomware attacks. Additionally, admin- or user-level RDP access is the most popular access type advertised for sale on dark web forums.

Persistence

This includes techniques “that adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access.”

External Remote Services (T1133)

This *is* the same technique mentioned above; it’s just used by threat actors with a different intent. In Initial Access, remote services are utilized to gain entry into your network.  Here, it’s about utilizing that same method of access over and over throughout the entirety of an attack.

Lateral Movement

Any technique used to facilitate a threat actor’s ability to move from system to system within your network, usually using legitimate credentials.

Remote Services (T1021)

While there are a myriad of ways to move laterally – including SMB shares in Windows, Telnet/SSH sessions, pass-the-hash attacks, and more, the use of remote services is observed in 39% of ransomware attacks and is seen commonly in other kinds of cyberattacks.

Remote Service Session Hijacking (T1563)

This is a slight variant of the simple use of Remote Services; in this case, there is an existing session for a given user, with attackers leveraging the correct credentials and interacting with that user’s desktop session.

Command and Control

With one or more systems compromised and accessible by threat actors, this tactic seeks to “communicate with systems under their control within a victim network.” How this is accomplished depends on the tools available to and used on the compromised endpoint.  For example, use of a web browser to pull down C2 communications and payloads would blend into the noise of regular web traffic.

Remote Access Software (T1219)

In the same way, if remote access is already allowed within an environment, it too can blend in – this may be why 63% of ransomware attacks include some form of Command and Control with Remote Access Software.

With all this misuse of varying flavors of Remote Access, how can VNC neutralize cyberattack efforts?

Counteracting Threat Actions with VNC

The key to the repeated use of Remote Services as part of cyberattacks today all revolves down to one critical aspect: a lack of secure authentication. It’s really quite simple; with most remote access configured with ease of use in mind, there is little more requirement than providing a valid username and password. With this as the “default” (more or less), most organizations are certainly validating the credentials are correct, but they aren’t validating it’s the credential owner that’s authenticating.  The end result is that remote access assists the threat actor to achieve their goals.

VNC solutions provide organizations with a means to cost-effectively replace the insecure remote access with something just as easy to use, but with greater security. Reputable VNC-based solutions have evolved, seeing the security gaps left by default configurations of Windows’ RDP, and have focused on providing secure remote access in a number of ways:

  • Advanced Authentication Support – Looking beyond the default of an Active Directory environment, support for on-premises and cloud-based single sign-on (SSO) platforms, use of RADIUS servers over HTTPS, and other authentication providers reduces an attacker’s ability to leverage Active Directory-based credentials – something commonly done.
  • Support for Multi-Factor Authentication – Supporting additional factors, including smartcards, X.509 certificates, and RADIUS (as a second factor) creates a degree of difficulty for threat actors who only have access to basic username/password credentials.

Taking Heed of MITRE’s “Warning”

In a way, the tactics, techniques, and procedures listed in the ATT&CK Framework are individual warnings, saying “a threat actor somewhere is doing this”.  The proper response is to look at the actions taken by threat actors and learn from them by modifying whatever part of your environment is impacted.

In the case of Remote Services, the answer lies in looking beyond the simple username and password and leveraging VNC-based secure remote access solutions that take advantage of more secure implementations of authentication, that will stop threat actors in their tracks. Go back to the first sentence in this article – without remote access, attacks can’t succeed.  So, by using VNC solutions to make remote access authentication more secure, you gain the benefit of still maintaining any needed remote access, while improving your organization’s security posture.

Nick Cavalancia MVP

Nick Cavalancia MVP

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 28 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, and Master CNI. He has authored, co-authored and contributed to dozens of books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.

Share this post

Share on facebook
Share on twitter
Share on linkedin

Stay up to date, straight to your inbox

RealVNC® uses cookies. For more information, please read our privacy policy.