Lessons Learned from the Windows Remote Desktop Honeypot Report


Threat actors spend much of their time on reconnaissance. Production services generate large volumes of audit logs, and the handful of potentially malicious events is hard to find among the legitimate activity.

Because much of that reconnaissance is automated, a machine deliberately exposed to the internet to wait for probes and attacks collects that activity with almost no legitimate traffic mixed in. Such a machine is known as a honeypot.

The data a honeypot collects allows analysis of both known and novel attack patterns, so an organization can track and block threats proactively.

Relying only on published threat disclosures is reactive. With a honeypot, you can identify an attack technique as it is being used and block it before it reaches production systems.

Tracking Threats with Honeypots

With visibility into active attacks, it is easier to understand the scale of the threat. For example, over several weeks in October 2022, Specops collected 4.6 million attempted passwords on its honeypot system.

Extrapolated over a year, that is many millions of candidate passwords that attackers will try against your organization.

How, then, do honeypots work? A honeypot is simply a system that baits threat actors into attempting a compromise. Every connection is recorded for later analysis, and because the system has no legitimate users, every attempt is suspicious by definition.

A basic example is a Windows Server virtual machine (VM) with Remote Desktop Protocol (RDP) exposed to the internet. With logon auditing enabled, the Windows Security log records every username and source address an attacker tries (event ID 4625 for each failed logon, 4624 for a successful one).
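The following is an added example, not code from the article or from Specops, showing what you do with those Security log records once the honeypot has collected them. It parses a few constructed event records in the XML shape Windows writes for event IDs 4625 and 4624, tallies the usernames tried, flags the source addresses that are brute-forcing, and surfaces any session that actually got in. The sample records, the failure threshold and the export command in the docstring are assumptions; on a real host you would export the records with `wevtutil` or `Get-WinEvent` and feed them to the same functions.

```python
"""Tally RDP logon attempts from Windows Security log records.

Added example, not code from the article or from Specops. It parses a few
constructed event records in the XML shape Windows writes for event ID 4625
(failed logon) and 4624 (successful logon), the events an exposed RDP honeypot
accumulates, and reports the usernames tried, the noisiest source addresses
and any session that actually got in. On a real host, export the records with
something like `wevtutil qe Security /f:xml` or Get-WinEvent and feed them to
the same functions.
"""
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types that correspond to RDP activity: 10 = RemoteInteractive;
# 3 = Network, which is where failures land when Network Level Authentication
# rejects the credentials before a desktop session exists.
RDP_LOGON_TYPES = {3, 10}


def _record(event_id, user, ip, logon_type):
    """Build a minimal 4624/4625-shaped record (real ones carry more fields)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )


# Constructed sample: two scanners spraying common usernames, one of which
# eventually succeeds, plus an unrelated local console logon.
SAMPLE_EVENTS = [
    _record(4625, "administrator", "203.0.113.10", 3),
    _record(4625, "admin", "203.0.113.10", 3),
    _record(4625, "Administrator", "203.0.113.10", 3),
    _record(4625, "user", "203.0.113.10", 3),
    _record(4625, "administrator", "198.51.100.7", 3),
    _record(4625, "scanner", "198.51.100.7", 3),
    _record(4624, "administrator", "198.51.100.7", 10),
    _record(4624, "svc_backup", "10.0.0.5", 2),
]


def parse_event(xml_text):
    """Return (event_id, target_user, source_ip, logon_type) for one record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return (event_id, data.get("TargetUserName", ""), data.get("IpAddress", "-"),
            int(data.get("LogonType", "0")))


def summarize(xml_records, fail_threshold=3):
    """Aggregate honeypot logon events into the views an analyst wants first."""
    usernames = Counter()       # what the attackers guess (case-folded)
    failures_by_ip = Counter()  # who is hammering the service
    successes = []              # (ip, user) pairs that got a session: top priority
    for rec in xml_records:
        event_id, user, ip, logon_type = parse_event(rec)
        if logon_type not in RDP_LOGON_TYPES:
            continue  # console/service logons are not honeypot traffic
        if event_id == 4625:
            usernames[user.lower()] += 1
            failures_by_ip[ip] += 1
        elif event_id == 4624:
            successes.append((ip, user))
    brute_force_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= fail_threshold)
    return {
        "usernames": usernames,
        "failures_by_ip": failures_by_ip,
        "brute_force_ips": brute_force_ips,
        "successes": successes,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("top usernames:", report["usernames"].most_common(3))
    print("brute-force sources:", report["brute_force_ips"])
    print("successful RDP logons:", report["successes"])
```

The successes list is the one to read first: on a honeypot a 4624 with logon type 10 means a guessed password worked, which is exactly the case the TrustedSec data describes, and the source address and username pair tells you which credential to burn and which address to block across the real estate.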

Going further, purpose-built honeypot software covers a far wider range of entry points. pyrdp, for example, takes a man-in-the-middle approach: it sits between the attacker and the RDP server, so you can watch a threat actor's session in real time and intervene in it.

Walking Through the Findings

What do recent reports show on the state of attacks?

Blumira analyzed honeypot data from 2019 to 2020 collected on an RDP VM in Google Cloud Platform and found that over 179,000 unique usernames were attempted from at least 122 countries.

Over the same period, the number of attacks increased by 85%, reflecting the increasingly sophisticated and automated reconnaissance that threat actors use to gather what they need for ransomware and infrastructure attacks.

A further example of how quickly a basic Windows VM with RDP exposed to the internet is attacked comes from an analysis by TrustedSec.

An unprotected Windows 7 VM that was online for only nine days recorded over 2,800 access attempts. Of those, 46 succeeded. Some of the intruders merely tested whether access worked, but others installed ransomware within minutes of connecting.

How to Mitigate Malicious Remote Access Attempts

Though the examples here focused on RDP, a honeypot is not limited to that protocol, and any remote access service, SSH included, is subject to the same attacks.

What should an organization do to minimize the potential damage?

Three controls go a long way toward protecting against most of these attacks.

  1. Implement a robust password policy that checks new passwords against a breached password list.
  2. Protect every account with multi-factor authentication (MFA), so that even a stolen password is not enough on its own.
  3. Put the remote access service behind a VPN or a zero-trust access broker rather than exposing it directly to the internet.

Robust Password Policies

If an attacker reaches a password prompt, which the most persistent attackers may manage despite all other protections, a strong password policy is essential. Sufficiently long and complex passwords also resist cracking if their hashes are stolen.

Before a password is even accepted, a check against a breached password list rejects known stolen credentials and their most common variations (a capitalized first letter, a year or punctuation appended, letters swapped for look-alike symbols). Unique passwords that are not in any leak make an attacker's job far harder.

Specops Password Policy with Breached Password Protection checks users' passwords and prevents them from choosing a compromised one.

Many threat actors rely on pre-compiled lists of leaked passwords reused across services; with the Breached Password Protection check in place, those lists lose most of their value.

[Image: BPP Express List failed password change. Source: ATALearning]

Protecting Accounts with MFA

Layered on top of a strong password policy is MFA. With a second authentication factor, even a correctly guessed or stolen password does not by itself grant access. An unexpected MFA prompt also tells the user that someone else has their password, so they can alert IT and take the appropriate steps.

Limiting Remote Access

Finally, removing the service from the public internet makes it difficult for an attacker even to reach it. Commonly the service is placed behind a VPN. Because VPNs are complex to configure, newer deployments use zero-trust access, which authenticates and authorizes every connection individually instead of trusting a network location.

Protect Your Organization by Learning from Honeypots

Learning from the many active threats discovered through honeypots allows an organization to take proactive steps to stay ahead of attackers. Locking down outside connections through VPNs or zero-trust services is not foolproof against the most persistent threat actors.

Combined with MFA, a strong password policy ensures threat actors are stymied even when one slips through the outer layer. Enforce strong passwords through a solution such as Specops Password Policy, and be proactive in your organization's security.

Sponsored and written by Specops Software


