Paper walls
As discussed in an earlier article, one of the most common initial access vectors is the human element. Today, however, I want to delve into a very common issue I see all too often: incorrectly configured edge security, such as your Virtual Private Network (VPN) concentrator.

Improperly configured edge security is an easy target for threat actors. I have attached a live threat map that shows the "known" malicious traffic. If you take this visual representation and imagine even a fraction of that traffic being aimed at your network, you can begin to understand why this is an issue.
De facto -> Ransom:
Now, I'm going to rip off the Band-Aid: we, as security professionals, need to stop allowing default configurations to go into production. I can't emphasize enough how many times I've observed a Cisco AnyConnect deployment that was simply stood up and forgotten, with ZERO hardening.
Cisco is not the only target here; I want to emphasize that other commonly targeted systems include:
- Checkpoint
- Fortinet
- SonicWall
- etc.
Now, you may ask, "But it’s a VPN—they still need credentials?" Well, you are correct. However, when you're seeing 100,000+ failed web VPN logins, the impact on your accounts (lockouts) and on availability becomes a significant issue. Not to mention, if you skip MFA, you've essentially created a metaphorical time bomb: eventually, a threat actor will guess correctly.
Remember, the bad guys only need to be correct once!
Let’s consider a theoretical scenario to emphasize the point above:
- A threat actor gets lucky just once, at three in the morning, and your evening security team fails to note the abnormality.
- The credentials found are reused, and the attacker gains access to a development workstation.
- On this workstation, the user has local admin privileges, allowing the attacker to pull credentials from memory and enumerate the domain after disabling security measures.
- The newly discovered credentials are found to have DCSync rights, which are then used to gain domain admin access.
- By eight in the morning, users begin attempting to log in but report to IT that they are having trouble accessing their work accounts.
- Your security team starts investigating and discovers that ransomware is currently being deployed.
In this theoretical scenario, there are several points at which a well-versed internal security team, as well as many security products, would catch the threat. However, the key point is to not even give attackers the chance to get in. We, as security practitioners, often speak of defense in depth, but that should never mean ignoring your edge.
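To make the "100,000+ failed logins" and "correct once at three in the morning" points concrete from the monitoring side, here is an added Python example (not from the original post) that runs two simple detections over constructed, simplified VPN authentication log lines: a burst of failures from one source, and a success from a source that was failing moments earlier. The log format, field names, thresholds and sample values are all assumptions made for this example, not any vendor's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified auth-log shape (not any vendor's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines, fail_threshold=20, window=timedelta(minutes=15)):
    """Alert on (1) a source with >= fail_threshold failures inside `window` and
    (2) any success from a source that still has failures in its window ('correct once')."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, username) failures
    flagged, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            distinct = len({u for _, u in q})  # many usernames => spraying, not one typo
            if len(q) >= fail_threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("spray", ev["src"], len(q), distinct))
        elif q:  # success, but this source was failing moments ago
            alerts.append(("success_after_failures", ev["src"], ev["user"], len(q)))
    return alerts

def sample_log():
    """Constructed sample: 30 failures from one source around 03:00 cycling through
    ten usernames, then a success for the last one, then a normal 08:00 login."""
    base = datetime(2024, 5, 1, 2, 55)
    lines = [f"{base + timedelta(seconds=7 * i):%Y-%m-%dT%H:%M:%SZ} vpn auth FAIL "
             f"user=user{i % 10} src=203.0.113.7" for i in range(30)]
    lines.append("2024-05-01T03:01:00Z vpn auth OK user=user9 src=203.0.113.7")
    lines.append("2024-05-01T08:01:00Z vpn auth OK user=bob src=198.51.100.20")
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The second alert type is the one worth paging on: a success that immediately follows a burst of failures from the same source is exactly the event an evening shift must not miss.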
Vendor Responsibility:
Most of the time, the vendor will have hardening recommendations, but they are unfortunately often forgotten due to strict timelines or the "set and forget" selling point that sales associates lean on nowadays.

I will not place all the blame on the client for these bad practices, as the vendor is aware of these default configurations and publishes documentation on how to fix them. The very existence of those articles is a fair argument that vendors know about the issue.
Summary:
In modern networks, we need to ensure that edge security devices are properly configured so that attackers no longer get these easy wins. We should also start requiring our vendors to be upfront about configurations that are less than ideal out of the box, rather than promoting a "set and forget" mentality.
Below are some excellent references for further reviewing this activity: