Vectra research reveals 90% of surveyed organisations exhibit a form of malicious RDP behaviours

Vectra, a leader in network threat detection and response (NDR), has disclosed that the Remote Desktop Protocol (RDP) is a widely exposed and vulnerable attack surface, and that this will likely continue in the near future because of the protocol's prevalent use.

According to the Vectra 2019 Spotlight Report on RDP, from January to June 2019 the company's Cognito platform detected 26,800 suspicious RDP behaviours in more than 350 deployments. Data from Vectra confirms that RDP remains a very popular technique for cyberattackers, with 90% of these deployments exhibiting RDP attacker behaviour detections.

Cyberattackers characteristically follow the path of least resistance to achieve their objectives. They will attempt to use existing administrative tools before they introduce new malicious software to perform internal reconnaissance, move laterally and exfiltrate data from a network. One of the most popular administrative tools is RDP, which is used by IT system administrators to centrally control their remote systems with the same functionality as if they were local. RDP is an even more vital tool for managed service providers (MSPs) in their management of hundreds of client networks and systems.

Manufacturing and finance organisations have the highest rate of RDP detections, at 10 and eight detections per 10,000 workloads and devices, respectively. The top five at-risk industries are manufacturing, finance and insurance, retail, government and healthcare. The top three industries – manufacturing, finance and insurance, and retail – together account for almost half (49.8%) of all RDP detections.

Within the manufacturing industry, mid-sized organisations had the highest rate of RDP detections, at 20 per 10,000 workloads or devices. This is 82% higher than medium-sized retail, the next highest industry sub-segment, and 100% higher than small finance and insurance organisations.

Although the manufacturing industry has the highest rate of RDP detections, IT managers in manufacturing organisations are likely to prefer the massive cost and time savings of centralised management enabled by RDP over the increased but abstract risk of a cyberattacker exploiting it. The use of RDP provides significant business value because it enables centralised management of geographically distributed business systems.

"Cybercriminals know that RDP is an easy-to-access administrative tool that allows them to stay hidden while carrying out an attack," said Chris Morales, Head of Security Analytics at Vectra. "It's essential for security teams to understand how RDP is used by attackers because it will continue to be a threat in the near future."

As they make their way through the attack lifecycle, cybercriminals perform internal reconnaissance and move laterally in an attempt to identify and access systems that contain valuable data. The ubiquity of RDP on Windows systems and its frequent use by system administrators make RDP the ideal tool for attackers to avoid detection while performing these functions.

The 2019 Spotlight Report on RDP is based on the analysis of data in the 2019 Black Hat Edition of the Attacker Behavior Industry Report, which reveals behaviours and trends in networks from a sample of more than 350 opt-in Vectra deployments from January to June 2019. The Attacker Behavior Industry Report provides statistical data about behaviours that attackers exhibit while trying to blend in with existing network traffic and mask their malicious actions.

The Cognito platform accelerates network detection and response using sophisticated AI to collect, enrich and store network metadata with the right context to detect, hunt and investigate hidden threats in real time. The Cognito platform scales efficiently to the largest organisations' networks with a distributed architecture using a mix of cloud, virtual and physical sensors that provide 360-degree visibility across cloud, data centre, user and IoT networks, leaving attackers with nowhere to hide.

www.intelligentciso.com | Issue 19