Remote Access Cybersecurity: New CISA Best Practices

Key remote access cybersecurity takeaways from the new CISA guide to best practices

Navigating the remote access cybersecurity landscape

In today’s ever-connected working world, remote access software has become a lifeline for organizations. It’s the magic wand that IT support teams and Managed Service Providers (MSPs) use to troubleshoot IT issues, provide helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches, and monitor for suspicious network activity. However, like any powerful tool, it can be a double-edged sword.

The other side of the coin: Risks of remote access

While remote access software is used to improve efficiency and productivity, there is a potential risk of misuse of this software, and remote access solutions are actively targeted by cyber threat actors​. Malicious actors often exploit these tools to evade detection and establish network connections through cloud-hosted infrastructure, launching attacks that are difficult to detect, a technique often referred to as “living off the land” (LOTL)​.

Unsurprisingly, remote access software is one of the main ways ransomware actors gain initial access to victims’ networks and evade security solutions. They may exploit vulnerabilities to gain access to systems, then install legitimate remote access software or use social engineering techniques to trick individuals into installing the software, providing access to victims’ devices and networks​1.

A cybersecurity blueprint for remote access

To address these concerns, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD) have recently published a comprehensive guide for all organizations that use remote access software, particularly MSPs. This ‘Guide to Securing Remote Access Software,’ with best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST), is designed to help organizations protect against the most common cyber threats, tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors​1.

Key remote access cybersecurity landscape recommendations from the guide

The guide emphasizes several key recommendations for network defenders:

• Removal of implicit trust through zero trust adoption significantly limits the likelihood, consequences, and time to remediation of any breach. Specifically, it further recommends “the management of internal architecture risks and the segregation of internal networks.”This zero trust approach helps prevent threat actors from moving laterally within the network, even if they manage to gain initial access, thereby bolstering the overall security posture in a remote work environment.
• Audit installed remote access tools to identify Remote Monitoring and Management (RMM) software. Knowing which remote access tools are installed on your network is important because unauthorized or malicious software could present serious security risks.This involves a systematic review of all network software with remote access capabilities. Auditing for RMM software involves checking for:

1. Software signatures: Software has identifiable signatures that can be checked against a list of known RMM software.
2. Network traffic: RMM software often communicates with servers to receive instructions and send data. This traffic can be monitored and analyzed to identify RMM software.If unauthorized RMM software is found during the audit, it could indicate that a third party has access to the network, potentially allowing them to control networked devices, extract data, or perform other malicious activities. Therefore, the audit is crucial in securing your organization’s network.

• Implement application controls to prevent the execution of unauthorized RMM software. Application controls are security measures put in place to ensure that only authorized applications are allowed to run on an organization’s systems. Several types of application controls can prevent the execution of unauthorized Remote Monitoring and Management (RMM) software:

1. Behavior-based Security Software: This software monitors system behavior for signs of malicious activity, including the execution of unauthorized software, and can block suspicious actions.
2. User Privilege Controls: These controls limit the ability of users to install or run software based on their user permissions. The risk of unauthorized software being installed or run is minimized by enforcing the principle of least privilege (PoLP), where users are granted the minimum levels of access necessary to perform their tasks.
3. Antivirus and Antimalware Tools: These tools often include features for identifying and blocking potentially unwanted applications (PUAs), including unauthorized RMM software.
4. Endpoint Detection and Response (EDR) Systems: EDR systems provide real-time monitoring and alerting for potential threats, including unauthorized software installations or executions.
5. Application Whitelisting: This is a proactive security technique where only a pre-approved list of software applications are permitted to run on the systems. Any software not on this list is automatically blocked, preventing unauthorized or malicious software from executing.
6. Application Blacklisting: This is the opposite of whitelisting, where specific applications known to be malicious or unwanted are blocked from running. However, this approach can be less secure than whitelisting, as it relies on being able to identify all potential threats in advance.

Organizations can protect their systems from unauthorized or malicious RMM software by implementing these controls and maintaining a robust security posture.

• Use only authorized RMM software on your network over approved remote access solutions, such as Virtual Private Networks (VPNs) and Virtual Desktop Infrastructures (VDIs), and Secure Shell (SSH).Using these types of solutions means that even when accessing your RMM software remotely, the connection is secure, helping to prevent eavesdropping or other forms of cyberattacks.
• Block both inbound and outbound connections on common RMM ports and protocols​​.RMM software, like other networked applications, uses specific network ports and protocols for communication. By blocking these specific ports and protocols, you can prevent unauthorized RMM traffic. However, be mindful that this should be done in a way that does not disrupt the functionality of authorized RMM tools.

While seemingly straightforward, these steps can potentially bolster organizations’ security posture significantly, making it harder for malicious actors to exploit remote access software.

A call to remote access cybersecurity action

As cybersecurity practitioners, we must remain vigilant and proactive in our defense against cyber threats. With the increasing dependence on remote access software, we must understand its risks and benefits and make informed decisions about its use.

The guide provides an invaluable resource for IT, operational technology (OT), and industrial control systems (ICS) professionals and organizations, offering best practices for securely using remote access software and how to detect and defend against malicious actors abusing these tools​​.

As we continue to navigate this remote frontier, let’s remember: the security of our networks isn’t just about the tools we use; it’s about understanding their potential risks, managing those risks effectively, and constantly adapting to the evolving threat landscape. It’s with knowledge, diligence, and the right guidance, that our busy security and IT support teams can keep our networks safe, secure, and productive for everyone.