This week, the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released guidance on the process organizations should use when choosing a VPN and deploying this technology, particularly in light of recent attacks that have taken advantage of poorly secured VPNs.
"The guideline is good and timely with the increased risks and attacks. Sooner would have been better, but most good network and cyber teams already did a lot of the hardening in there," said Kevin Kerr, Lead Security Principal Consultant Americas for Trustwave's Consulting & Professional Services.
The NSA and CISA believe such guidance is needed because a poorly designed or poorly implemented VPN can lead to the large-scale compromise of a corporate network.
"Multiple nation-state, advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices," the agencies said. "Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device."
Kerr agreed, noting the risk associated with VPNs is not new, and it is an issue that organizations have been dealing with for several years.
"VPNs have always been a risk as they allow direct access into the company and their systems from remote users, 'trusted' partners/vendors/subs/etc., and they can hide what is going in/out of the company," he said.
Regardless of the VPN product chosen, the federal government said organizations have to maintain a strong patching program as threat actors will quickly, sometimes within 24 hours, attack a known vulnerability.
The risk of what can happen when VPNs are not adequately maintained is evident in the Colonial Pipeline Co. attack in July. The investigation into the attack found the attackers had likely compromised the network months earlier, using the login credentials for a legacy VPN application that the IT team had lost track of and that lacked protections such as multifactor authentication.
This oversight resulted in the attacker placing ransomware into Colonial Pipeline's network, forcing the company to shut down its fuel pipelines, pay a $4 million ransom and have the data of 5,800 current and former employees compromised.
The government suggests organizations avoid entire classes of VPNs, particularly those referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs.
"These products [SSL/TLS VPNs] include custom, non-standard features to tunnel traffic via TLS. Using custom or non-standard features creates additional risk exposure, even when the TLS parameters used by the products are secure," the agencies said.
Instead, the agencies recommend implementing standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been validated against standardized security requirements for VPNs. Additionally, those in the market for a VPN should refer to the National Information Assurance Partnership (NIAP) Product Compliant List. The products recommended on this list are NIAP-certified devices that are rigorously tested by third-party labs against well-defined security features and requirements.
Other federal recommendations include:
- Read vendor documentation to ensure potential products support IKE/IPsec VPNs;
- Disable the SSL/TLS proprietary or non-standards-based VPN fallback, if possible;
- Ensure that potential products use FIPS-validated cryptographic modules and can be configured to use only approved cryptographic algorithms;
- Check that a product supports strong authentication credentials and protocols and disables weak credentials and protocols by default;
- Request and validate a product's Software Bill of Materials (SBOM), so the risk of the underlying software components can be adjudicated.
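The three configuration-level recommendations above (standard IKE/IPsec proposals, only approved algorithms, no proprietary SSL/TLS fallback) are the kind of thing that can be checked mechanically. The script below is an added example and is not from the NSA/CISA guidance or from Trustwave: it parses strongSwan-style proposal strings such as `aes256gcm16-prfsha384-ecp384`, flags anything outside an allowlist, and audits a simplified gateway configuration. The allowlist, the known-weak list and the configuration shape are assumptions for the example and should be replaced with the algorithm policy and product settings that apply to your gateway.

```python
"""
Audit IKE/IPsec VPN settings against an approved-algorithm allowlist.

Added example, not from the NSA/CISA guidance or from Trustwave. Proposal
strings use strongSwan-style "alg-alg-alg" notation; the allowlist is an
assumption modelled on an AES-256 / SHA-384 / P-384-or-3072-bit-DH policy.
"""

# Assumed allowlist (not from the page): approved ciphers, integrity/PRF
# algorithms and key-exchange groups. Anything outside these sets is flagged.
APPROVED_CIPHERS = {"aes256gcm16", "aes256"}
APPROVED_INTEGRITY = {"sha384", "prfsha384", "sha512", "prfsha512"}
APPROVED_GROUPS = {"ecp384", "modp3072", "modp4096"}

# Algorithms that are known-weak regardless of local policy.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}


def parse_proposal(proposal: str) -> dict:
    """Split 'aes256gcm16-prfsha384-ecp384' into cipher/integrity/group tokens."""
    result = {"cipher": None, "integrity": None, "group": None, "unknown": []}
    for part in proposal.lower().split("-"):
        if part.startswith(("aes", "3des", "des", "chacha", "null")):
            result["cipher"] = part
        elif "sha" in part or "md5" in part:
            result["integrity"] = part
        elif part.startswith(("modp", "ecp", "curve")):
            result["group"] = part
        else:
            result["unknown"].append(part)
    return result


def _check(kind: str, alg, approved: set, findings: list) -> None:
    """Record one finding for a missing, weak, or merely unapproved algorithm."""
    if alg is None:
        findings.append(f"{kind}: not configured")
    elif alg in WEAK:
        findings.append(f"{kind}: {alg} is a known-weak algorithm")
    elif alg not in approved:
        findings.append(f"{kind}: {alg} is not on the approved list")


def audit_proposal(proposal: str, ike: bool = True) -> list:
    """Return findings for one proposal; an empty list means it is acceptable."""
    p = parse_proposal(proposal)
    findings = []
    _check("cipher", p["cipher"], APPROVED_CIPHERS, findings)
    # AES-GCM is an AEAD cipher, so an ESP proposal needs no separate integrity
    # algorithm; an IKE proposal always needs an approved PRF.
    needs_integrity = ike or not (p["cipher"] or "").endswith("gcm16")
    if needs_integrity:
        _check("integrity/PRF", p["integrity"], APPROVED_INTEGRITY, findings)
    _check("key-exchange group", p["group"], APPROVED_GROUPS, findings)
    for unk in p["unknown"]:
        findings.append(f"unrecognised token: {unk}")
    return findings


def audit_config(config: dict) -> list:
    """Audit a simplified gateway config (assumed shape, not a real product's format)."""
    findings = []
    for prop in config.get("ike_proposals", []):
        findings += [f"IKE {prop}: {f}" for f in audit_proposal(prop, ike=True)]
    for prop in config.get("esp_proposals", []):
        findings += [f"ESP {prop}: {f}" for f in audit_proposal(prop, ike=False)]
    # Guidance: disable proprietary SSL/TLS VPN fallback where the product allows it.
    if config.get("ssl_vpn_fallback", False):
        findings.append("SSL/TLS VPN fallback is enabled; disable it if possible")
    # Guidance: use FIPS-validated modules and only approved algorithms.
    if not config.get("fips_mode", False):
        findings.append("FIPS mode is off; enable it so only validated modules are used")
    return findings


# Constructed configurations: a weak one beside a hardened one.
WEAK_CONFIG = {
    "ike_proposals": ["aes128-sha1-modp1024"],
    "esp_proposals": ["3des-sha1"],
    "ssl_vpn_fallback": True,
    "fips_mode": False,
}
HARDENED_CONFIG = {
    "ike_proposals": ["aes256gcm16-prfsha384-ecp384"],
    "esp_proposals": ["aes256gcm16-ecp384"],
    "ssl_vpn_fallback": False,
    "fips_mode": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

The weak configuration yields eight findings (an unapproved IKE cipher, SHA-1 and a 1024-bit group in IKE, 3DES and SHA-1 and no PFS group in ESP, the fallback, and FIPS mode off); the hardened one yields none. The split between "known-weak" and "not on the approved list" matters in practice: the first class is a finding on any gateway, while the second depends on the policy you load into the allowlist.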
Trustwave Chimes In
While the federal suggestions are spot on, Kerr noted some, such as limiting functionality and capability, ensuring logging, and emphasizing patching, are not new. However, CISA and the NSA did slip in a few new thoughts, he said.
"There were some new items in there too. For example, it looks like they added some supply check items based on the SolarWinds compromise and its impact on companies," he said. "They also upped emphasis on using IKE/IPsec encryption."
Following federal guidelines and having solid cybersecurity practices in place is a great start, but Kerr noted there are areas where companies lag.
- Companies may be relying on network staff that are great with internal networks but do not understand or are not trained on remote access;
- Network and cyber teams are not working in unison when implementing and managing remote access;
- Teams are not looking at defense-in-depth capabilities;
- Endpoint security is not integrated with remote access tools;
- System health is not checked when remoting in;
- Behavior analytics (time of use, geolocation, etc.) are not being used, and staff is relying on traditional logging;
- Companies are not using industry best-of-breed commercial VPNs or are using consumer-grade gear.
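The gap between "traditional logging" and behaviour analytics is concrete: the same VPN authentication log answers very different questions once you compare each login against what is usual for that account. The script below is an added example, not Trustwave's tooling or part of the federal guidance: it parses constructed VPN login records, checks time of use and country against assumed per-user baselines, and flags two successful logins from different countries within a short window. The log format, the baselines and the country field (taken from the record rather than resolved from the source address) are all assumptions for the example.

```python
"""
Behaviour analytics over VPN authentication logs: time-of-use, geolocation and
impossible-travel checks. Added example; log lines and baselines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed record layout for the constructed log (not any product's real format).
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)"
)

# Constructed sample: two normal days, then a night-time login from an unusual
# country followed minutes later by one from the usual country.
SAMPLE_LOG = """\
2021-09-27T13:02:11Z user=alice src=198.51.100.10 country=US result=success
2021-09-27T13:05:40Z user=bob src=198.51.100.22 country=US result=success
2021-09-28T14:10:03Z user=alice src=198.51.100.10 country=US result=success
2021-09-29T03:12:44Z user=alice src=203.0.113.5 country=RO result=success
2021-09-29T03:40:02Z user=alice src=198.51.100.10 country=US result=success
2021-09-29T15:00:00Z user=bob src=198.51.100.22 country=US result=failure
"""

# Assumed baselines: the UTC hours and countries each account normally uses.
# In a real deployment these would be learned from history, not hand-written.
BASELINES = {
    "alice": {"hours": range(12, 22), "countries": {"US"}},
    "bob": {"hours": range(12, 22), "countries": {"US"}},
}


def parse_log(text: str) -> list:
    """Turn log text into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def analyse(events: list, travel_window: timedelta = timedelta(hours=2)) -> list:
    """Return (user, timestamp, reason) findings for successful logins."""
    findings = []
    last_success = {}  # user -> previous successful event, for impossible travel
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failures are worth counting elsewhere; this pass looks at access granted
        user = ev["user"]
        base = BASELINES.get(user)
        if base is None:
            findings.append((user, ev["ts"], "no baseline for user"))
        else:
            if ev["ts"].hour not in base["hours"]:
                findings.append((user, ev["ts"], "login outside usual hours"))
            if ev["country"] not in base["countries"]:
                findings.append((user, ev["ts"], f"login from unusual country {ev['country']}"))
        prev = last_success.get(user)
        if (prev is not None and prev["country"] != ev["country"]
                and ev["ts"] - prev["ts"] <= travel_window):
            findings.append((user, ev["ts"], f"impossible travel {prev['country']}->{ev['country']}"))
        last_success[user] = ev
    return findings


def run(text: str = SAMPLE_LOG) -> list:
    """Parse and analyse one log batch; returns the findings list."""
    return analyse(parse_log(text))


if __name__ == "__main__":
    for user, ts, reason in run():
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed sample this produces four findings, all for alice: the 03:12 login is both outside her hours and from an unusual country, and the 03:40 login is outside hours and, being from a different country within 28 minutes of the previous one, is flagged as impossible travel. A plain line-count or failed-login report over the same file shows nothing unusual at all, which is the point Kerr is making about traditional logging.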
Kerr also suggested that organizations look at newer Secure Access Service Edge (SASE) technology allowing greater granularity of remote access control.
John Cartrett, director of SpiderLabs North America, recommends that any organization worried about being the next headline evaluate how an adversary simulation engagement could validate its assumptions about its current preventive and detective capabilities and bring clarity to any areas that require immediate attention.
"Here at SpiderLabs, adversary simulation engagements have two distinct paths, red and purple. Red teaming is an adversarial operation bent on making an organization's worst nightmares come true in a controlled manner and under the light of full disclosure," Cartrett said. "A purple team operation is a collaborative project where an organization's defenders are coached in detecting the dark arts by senior defenders and red team operators."