As ransomware gangs shift their focus from holding data for ransom to exfiltrating it and extorting payment from victim organizations, the data breach seems to be gaining steam as the threat action of choice. This evolution of ransomware makes the annual Verizon Data Breach Investigations Report (which uses tens of thousands of potential and confirmed data breaches to establish what modern-day data breaches look like) all the more valuable this year.
In its 15th year, this report provides insight into how data breaches occur, and how long they take to detect; it also gives you an idea of where to place your focus when strengthening your cybersecurity posture.
In this year’s report, there is a recurring theme worth mentioning around the use of “desktop sharing” software as part of data breach attacks – which Verizon defines as including “Remote Desktop Protocol (RDP) and third-party software that allows users to remotely access another computer via the Internet.” With 80% of data breaches involving an external threat actor, that bad guy needs to gain entrance into the victim network somehow.
And in the case of “Desktop Sharing” software (which is, in essence, any kind of remote access solution, including RDP), many organizations are simply handing the attacker the keys. Plenty of Dark Web forums list credentials for sale – no doubt stolen previously in phishing and social engineering attacks. So, by simply putting together a credential from the Dark Web, and a remote access solution externally accessible, the cybercriminals have all they need to begin the process of stealing data from an organization.
According to the report, this use of “desktop sharing” within data breaches is material: abuse of remote access solutions is the #4 initial attack vector in data breaches (with the expected hacking and phishing being at the top of the list). It’s also the #3 initial attack vector in Intrusion-related data breaches and is utilized in 40% of all ransomware incidents.
This should come as no surprise, given that remote access solutions provide threat actors with interactive access to a desktop on an endpoint, allowing them to take advantage of any credentialed access the currently logged-on user has.
The Verizon data should serve as a warning of just how threat actors see remote access/desktop sharing as a tool to take advantage of should it be present. So, what steps can you take to secure your organization while still allowing externally facing remote access to internal resources?
There are a number of proactive steps you can take that will minimize the threat surface that remote access creates:
- Stop using the basic Remote Desktop Protocol (RDP) – I’ve written about this several times already. Any organization that has RDP (not to be confused with Microsoft’s Remote Desktop Services) exposed to the Internet to make it “easy” for employees to log onto company resources is also making it easy for the attacker. And changing ports does nothing to stop attackers, as they scan every accessible port and look for an RDP response.
- Use secure, supported remote access software – the Verizon report discusses attacks in which zero-day vulnerabilities in remote access solutions were used to facilitate initial access. Be certain the remote access solutions you use are both supported and tested for vulnerabilities.
- Use Secure Authentication – This is probably the most important, as the previous two recommendations may just cause you to put another remote access/desktop sharing solution in place that may introduce the very same risks – just with another solution. According to Verizon, the top threat action in actual breaches is the use of stolen credentials. So, if the remote access solution used only requires a username and password, it’s relatively easy for threat actors to log on. The inclusion of multi-factor authentication is a sure-fire way to make it impossible for threat actors to leverage existing desktop sharing for malicious purposes.
- Realize there’s a Human Element in data breaches – According to Verizon, the human element (that is where a person contributes to the success of a data breach whether intentionally or unwittingly) is present in 82% of all data breaches. This stat alone tells you that your basic productivity-centric remote access (that is, an implementation without the safeguards mentioned above) is going to eventually result in a threat actor gaining access – whether that be via a user falling for a credential theft phishing scam, using an insecure password that can be guessed during a password spray attack, etc. So, it’s necessary to consider the security measures in the previous bullets.
Minimizing the Risk of Remote Access-Based Data Breaches
Data breaches are quickly becoming the norm again, with many gangs exchanging out the disruptive nature of ransomware attacks (which generally attract the attention of law enforcement and even government entities) for simple exfiltration and threatening to publish or sell the data. So, if you have a remote access solution in place, it’s time to realize the potential risk it poses to the organization and take steps to secure it properly. By following the steps above, you can eliminate the use of remote access as an asset for threat actors’ intent on breaching your organization’s data while maintaining operations for remote workers who rely on remote access daily.
