By: Joseph Pizzo,
Information and Cyber Security Engineering Leader at TrapX Security
No business owner goes to work thinking “I’m going to get hacked today”, even though breaches at some of the world’s largest enterprises are constantly in the news. Yet most businesses rely on a tool that puts them at great risk of being breached. That tool is the Remote Desktop Protocol (RDP).
What is RDP and what are its vulnerabilities?
RDP is used to reach a computer remotely over the network. After logging in, the user controls that computer almost exactly as if sitting in front of it. RDP is built into most editions of Microsoft Windows. Used within a private network, it is a powerful business tool. Unfortunately, it is not secure enough to be exposed directly to the Internet.
How do attackers exploit RDP?
One of the most common breach scenarios, whether by an insider (a rogue employee) or by an external attacker who has already breached the perimeter, runs through RDP.
In addition, several vulnerabilities are associated with RDP. These range from credential theft and session hijacking to MS15-067, a vulnerability in the RDP server service that allows remote code execution by an attacker.
The first thing an attacker does after getting inside an organization’s perimeter is to scan the network to identify which systems are reachable and what services they run. I strongly recommend a deception strategy that accounts for these scans immediately. If the attacker instead relies on passive reconnaissance (listening to traffic rather than probing hosts), that activity is much harder to detect.
Is there anything that could be done to detect or prevent attacks in RDP?
Yes indeed. TrapX Security provides multiple levels of awareness of RDP attacks and exploits, whether systems are actively scanned or passively identified.
First, active scanning is identified immediately. If someone touches a TrapX Medium Interaction or High Interaction trap, whether by attempting to connect to it or by running an exploit against it (including attempts on known vulnerabilities), the attempt is discovered at once. The whole point of a trap is that nobody should be touching it: if a trap is touched by anything, it is a definite sign that someone is trying to reach systems or information without authorization.
When passive reconnaissance is used instead, it is much harder to detect. However, by placing Deception Tokens (lures) as bait on existing desktops, laptops, servers and other devices, an attacker who acts on what they have observed is led straight into a trap.
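As an added example (not TrapX code and not part of the original article), the following Python script applies the two detections described above to connection logs: any connection to a trap address is an alert on its own, and one source touching many hosts on TCP 3389 within a short window is flagged as the kind of network scan an attacker runs after entering the perimeter. The log format, the trap address list and the thresholds are constructed assumptions; adapt them to your own firewall or flow records.

```python
"""
Triage RDP connection logs for two signals: any connection to a deception
trap, and one source sweeping TCP 3389 across many hosts.
Added example, not TrapX code. The log format, the trap address list and
the sample records below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical trap addresses. Nothing legitimate ever talks to a trap, so a
# single connection attempt is an alert regardless of port or outcome.
TRAP_HOSTS = {"10.10.20.50", "10.10.20.51", "10.10.20.200"}

RDP_PORT = 3389
SWEEP_THRESHOLD = 5                   # distinct hosts on 3389 from one source...
SWEEP_WINDOW = timedelta(seconds=60)  # ...within this window => sweep

# Constructed firewall-style records: timestamp, source, destination, dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = [
    # an administrator using one jump host normally: same destination, repeatedly
    "2024-03-01T09:00:01 src=10.10.10.5 dst=10.10.20.10 dport=3389",
    "2024-03-01T09:00:15 src=10.10.10.5 dst=10.10.20.10 dport=3389",
    # a sequential sweep of 10.10.20.48-53 that walks straight into two traps
    "2024-03-01T09:01:00 src=10.10.10.77 dst=10.10.20.48 dport=3389",
    "2024-03-01T09:01:02 src=10.10.10.77 dst=10.10.20.49 dport=3389",
    "2024-03-01T09:01:04 src=10.10.10.77 dst=10.10.20.50 dport=3389",
    "2024-03-01T09:01:06 src=10.10.10.77 dst=10.10.20.51 dport=3389",
    "2024-03-01T09:01:08 src=10.10.10.77 dst=10.10.20.52 dport=3389",
    "2024-03-01T09:01:10 src=10.10.10.77 dst=10.10.20.53 dport=3389",
    # a trap touched on a non-RDP port is still a trap touch
    "2024-03-01T09:02:30 src=10.10.10.9 dst=10.10.20.200 dport=445",
    "this line is not a connection record and is skipped",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def analyze(lines, trap_hosts=TRAP_HOSTS):
    """Return alerts in the order they fire. Records are assumed to be in time
    order. Each alert is a dict whose 'type' is 'trap_touch' or 'rdp_sweep'."""
    alerts = []
    rdp_history = defaultdict(list)  # src -> [(ts, dst)] for port 3389 only
    sweep_reported = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dst in trap_hosts:
            alerts.append({"type": "trap_touch", "src": src, "dst": dst,
                           "dport": dport, "ts": ts})
        if dport != RDP_PORT:
            continue
        history = rdp_history[src]
        history.append((ts, dst))
        # keep only the window ending at this record, then count distinct hosts
        history[:] = [(t, d) for t, d in history if ts - t <= SWEEP_WINDOW]
        distinct = {d for _, d in history}
        if len(distinct) >= SWEEP_THRESHOLD and src not in sweep_reported:
            sweep_reported.add(src)
            alerts.append({"type": "rdp_sweep", "src": src,
                           "hosts": sorted(distinct), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Note what this does not see: passive reconnaissance that never sends a packet to a trap leaves no record here, which is exactly why lures on the real hosts are needed as the second layer.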
Can you please give us a more detailed example?
Sure, and I will also explain how TrapX detects and prevents the attack.
Even when an attacker has specific information about the victim network, it is often easiest for them to attack in broad strokes. Take credential theft and exploitation as an example:
When targeting a network, an attacker will often attempt to connect to well-known services across an entire class C (/24) range of IP addresses, in sequence or at random.
Here is how an attacker does this with RDP:
The attacker starts probing RDP’s port, TCP 3389, on sequential or random IP addresses. The TrapX DeceptionGrid trap sees this traffic on the network and immediately accepts the connection on the traps that are set up as servers and desktops allowing RDP. That connection sets off an immediate alert that something is happening that should not be.
The next component activated is the TrapX DeceptionGrid FullOS (High Interaction) trap. Here a wrapper is placed around a virtual machine that is a copy of the default image used in that environment. This is at least as realistic as an emulated system that matches the environment, and it provides a fully interactive, real RDP session. The purpose of the FullOS trap is to provide more granular detail on the breach or exploit that occurred, as well as to support a detailed forensic investigation.
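The exchange in the example above, as an added illustration that is neither TrapX’s code nor part of the original article: a minimal Python trap for TCP/3389 that accepts the attacker’s first RDP PDU (the X.224 Connection Request), records what it reveals, and answers with a Connection Confirm so the attacker keeps talking. The PDU layout follows MS-RDPBCGR; `build_connection_request` plays the scanner’s side so the exchange can be exercised offline. Addresses, ports and names are assumptions.

```python
"""
Minimal RDP trap for TCP/3389: accept the attacker's X.224 Connection Request,
record what it reveals, and answer with a Connection Confirm so the session
proceeds far enough to be logged. Added example, not TrapX code. PDU layout
follows MS-RDPBCGR 2.2.1.1 / 2.2.1.2; hosts and ports are assumptions.
"""
import socket
import struct

COOKIE_PREFIX = b"Cookie: mstshash="
# requestedProtocols bits in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_NAMES = {0x1: "TLS", 0x2: "CredSSP (NLA)", 0x4: "RDSTLS", 0x8: "CredSSP-EX"}


def build_connection_request(username=None, protocols=0x3):
    """What a scanner or mstsc sends first: TPKT + X.224 CR + cookie + RDP_NEG_REQ."""
    body = b""
    if username:  # mstsc puts the login name here; a trap can log it
        body += COOKIE_PREFIX + username.encode() + b"\r\n"
    body += struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # TYPE_RDP_NEG_REQ
    # LI (excludes itself), CR code, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT v3 header


def build_connection_confirm(selected_protocol=0x0):
    """Trap reply: X.224 CC carrying RDP_NEG_RSP. Selecting protocol 0 (standard
    RDP security) keeps the follow-on traffic readable by a medium-interaction trap."""
    neg = struct.pack("<BBHI", 0x02, 0x00, 8, selected_protocol)  # TYPE_RDP_NEG_RSP
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_request(data):
    """Return the username (if a cookie is present) and the security protocols the
    client asked for. Raises ValueError for anything that is not an X.224 CR."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xE0:
        raise ValueError("not a TPKT-framed X.224 Connection Request")
    li = data[4]
    var = data[11:5 + li]  # everything after the fixed 6-byte CR header
    info = {"username": None, "requested_protocols": ["standard RDP security"], "nla": False}
    if var.startswith(COOKIE_PREFIX):
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        info["username"] = var[len(COOKIE_PREFIX):end].decode("utf-8", "replace")
        var = var[end + 2:]
    if len(var) >= 8 and var[0] == 0x01:  # TYPE_RDP_NEG_REQ present
        _, _, _, proto = struct.unpack("<BBHI", var[:8])
        names = [n for bit, n in PROTOCOL_NAMES.items() if proto & bit]
        if names:
            info["requested_protocols"] = names
        info["nla"] = bool(proto & 0x2)
    return info


def handle_first_pdu(data, peer):
    """Pure part of the trap: turn the first PDU into an alert record and a reply.
    Any traffic at all is an alert; an unparsable PDU is still worth recording."""
    alert = {"alert": "rdp_trap_touch", "src": peer[0], "sport": peer[1]}
    try:
        alert.update(parse_connection_request(data))
        reply = build_connection_confirm()
    except ValueError as exc:
        alert["error"] = str(exc)
        reply = b""  # not RDP (or malformed): record it and drop the connection
    return alert, reply


def serve_trap(bind="0.0.0.0", port=3389, max_connections=None):
    """Blocking listener; yields one alert per accepted connection."""
    served = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while max_connections is None or served < max_connections:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                alert, reply = handle_first_pdu(data, peer)
                if reply:
                    conn.sendall(reply)
            served += 1
            yield alert


if __name__ == "__main__":
    for a in serve_trap(port=3389):  # binding 3389 needs root or CAP_NET_BIND_SERVICE
        print(a)
```

To try it without privileges, run `serve_trap(port=33890)` and point a client at that port. The mstsc client and most scanners send the login name in the mstshash cookie, so the trap often learns which account the attacker is after before any credential is sent. Everything past this first PDU (the MCS connect, licensing and the session itself) is where a FullOS trap takes over.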
What are your recommendations to prevent RDP attacks?
A deception strategy built around TrapX Security covers the necessary scenarios to protect against, and provide awareness and visibility into, RDP attacks, among other attacks.
Planning is important to this process, but the availability of deception tokens (lures), emulated systems and FullOS systems delivers the coverage needed to thwart an unwanted RDP event. Deception complements, rather than replaces, the basic control already noted above: RDP should not be exposed directly to the Internet.
To try the TrapX DeceptionGrid [for free] in your network go to: https://trapx.com/deceptiongrid-download-request/
To learn more about deception technology go to https://trapx.com/
Joseph Pizzo is a veteran of the InfoSec and CyberSecurity industry with over 20 years of experience in Forensics, Threat Intelligence, Anti-Malware, Attack Simulation and general security. Joe previously worked for Guidance Software, Access Data, RSA Security and Norse, and has most recently consulted for a variety of security startups including Verodin and Secdo. Joe is a regular contributor and is often sought out by print, web and broadcast media.