
Kaspersky: RDP Brute Force Attacks Rise


Kaspersky recently warned that hackers have been aggressively attacking the Remote Desktop Protocol (RDP) with brute force methods because of the increase in Work From Home (WFH) employees connecting to enterprise networks from home. Users should be especially careful during this time.

According to Kaspersky’s observations, whether in China, Italy, the United States, Spain, Germany, France, or Russia, it has clearly seen an increase in the number of RDP brute force attacks since mid-March this year. Taking Italy as an example, the number of daily attacks was less than 150,000 before March, but it jumped to 500,000 in mid-March and exceeded 900,000 in the second half. In the United States, daily attacks were around 200,000 before, but the number surpassed 800,000 in mid-March and reached 1.4 million in April.

RDP is Microsoft’s proprietary protocol that can be used to remotely access Windows workstations or servers. Brute force cracking refers to hackers attempting to force a login by trying many account and password combinations. Researchers said that hackers speculate that the number of poorly configured RDP servers will also increase as people switch to Work From Home (WFH). Kaspersky also estimates that hackers will not stop these attacks in the short term, so it calls on companies and users to take protective measures, including using strong passwords, enabling two-factor authentication, requiring that RDP be accessed only through corporate VPNs, closing port 3389 when RDP is not in use, and backing up all important data.
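The brute force pattern described above shows up in the Windows Security log as bursts of failed logons (Event ID 4625) from one source address. The following is an added detection example, not code from Kaspersky or LIFARS; it runs over a constructed set of 4625-style records and flags any source that exceeds a failure threshold inside a sliding window. Field names, the sample addresses and the threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on the fields of Windows Security
# Event ID 4625 (an account failed to log on), as (time, event_id,
# logon_type, user, source_ip). Logon type 10 is RemoteInteractive, i.e.
# an RDP session; type 3 (Network) is how RDP failures appear when Network
# Level Authentication is enabled. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("2020-04-01T10:00:00", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-04-01T10:00:02", 4625, 10, "admin", "203.0.113.7"),
    ("2020-04-01T10:00:04", 4625, 3, "root", "203.0.113.7"),
    ("2020-04-01T10:00:05", 4625, 10, "user", "203.0.113.7"),
    ("2020-04-01T10:00:07", 4625, 10, "test", "203.0.113.7"),
    ("2020-04-01T10:00:09", 4625, 10, "guest", "203.0.113.7"),
    ("2020-04-01T10:03:00", 4625, 10, "jsmith", "198.51.100.23"),  # one typo
    ("2020-04-01T10:03:30", 4624, 10, "jsmith", "198.51.100.23"),  # 4624 = success
    ("2020-04-01T11:00:00", 4625, 2, "bob", "192.0.2.9"),          # type 2 = console
]

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, usernames_tried)} for every
    source that produced at least `threshold` failed RDP logons within any
    span of length `window`. Successful logons and non-RDP logon types are
    ignored so a user mistyping a password once is not flagged."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps in the window
    users = defaultdict(set)      # source_ip -> account names attempted
    flagged = {}
    for ts, event_id, logon_type, user, src_ip in sorted(events):
        if event_id != 4625 or logon_type not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src_ip]
        q.append(t)
        users[src_ip].add(user)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            prev_count = flagged.get(src_ip, (0, None))[0]
            flagged[src_ip] = (max(prev_count, len(q)), users[src_ip])
    return flagged


if __name__ == "__main__":
    for ip, (count, names) in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed RDP logons, accounts tried: {sorted(names)}")
```

Feeding the flagged addresses into a firewall block or an alert is the usual next step; a single source cycling through many account names, as in the sample, is the signature to look for.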

LIFARS’ Cyber Resilience Experts leverage the latest data analytics algorithms based on the Tactics, Techniques, and Procedures (TTP) that attackers are known to use, utilizing Machine Learning, Artificial Intelligence, Behavioral Forensic Artifacts, and Threat Intelligence to detect ongoing or zero-day cyberattacks and Advanced Persistent Threats (APTs), and leverage the latest IOCs to identify the probability of an enterprise compromise.

Our methodology enriches multiple sources of threat intelligence with your internal network traffic and endpoint data, combined with LIFARS forensic artifact techniques, to find threats that have gone undetected. It relies on a stochastic probability of confirming a compromise, and it examines both false positives and false negatives to ensure accuracy during IOC identification, whether the hunt concerns network forensics or endpoint examination and pattern matching, in order to identify compromises and weak areas within the environment. Our Threat Hunting Framework:

Strategic Targets & Tactics Selection 

Interrogation & Collection 

Detection 

Enablement 
