Monitoring Privileged UserActions for Security and Compliance with SureLog: A

VPN Case

ertugrulakbas@anetusa.net

eakbas@gmail.com

Are You Providing VPN Access for Your Consultant?VPN usage is vital and is a fact of life for most organizations. VPN is key for being connected, even partners and third party vendors may get VPN to access to enterprise networks. VPN is also popular among cyber threat actors, as they can use it to gain privileged access to the network for the price of a username and password.

Being able to audit and monitor user activity across a Windows Server based Network and heterogeneous network is key to knowing what is going on in your Windows environment and heterogeneous environment. Monitoring user activity is vital in helping mitigate increasing insider threats.

As many members of the IT staff used the VPN to access the network remotely, this access could really have been from anywhere.

A common question taken from one of the well know global SIEM vendor blog site. “We have a requirement to track users that logon via vpn and then go on to logon to servers on our

environment, we can see the separate events but have not had success in getting a correlation rule with both of these to trigger or an alarm at the very least.”. There is no reply for the last 2 years for this requirement. SureLog has an answer for this requirement.

Do you really know what they are doing and what has happened?

A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network. Nowadays VPN is widely used in many sectors for different reasons. Some use it to secure their end-user access to the corporate access others use it to give secure access to their outsource partners. Examples are widely available and create a growing demand for VPN-like services.

Control and Monitor VPN Access

While secure VPN solutions are a very good method to address different issues, it is very hard to control and monitor what is really happening inside the connection. When you provide VPN access to someone, you usually trust them. However, blind trust conceals the truth. When the VPN user can access critical systems or sensitive data, you definitely want to monitor and control their activities.

Automatic VPN tracking can help reveal malicious activities from insiders and outsiders.SureLog is uniquely suited to automate this massive task

It’s hard to gather information about VPN activity; what was really happening: An authorized user is logging in over VPN, escalating privileges, and shipping data out over SSH. Figure 1 is a diagram of the steps the admin took.

The administrator connected to the VPN from her home machine and logged in with her nor-

mal User ID of Banu. She was then granted a DHCP address of 172.16.23.21 to her home system’s MAC address of 00:0c:76:8b:c4:16. She then logged in as root, using SSH to the application server at IP address 172.16.99.99. A short time later, the firewall logged a successful outbound SSH/Secure Copy (SCP) session to address 1.2.3.4 from the app server, where the admin was using SCP to send data outbound. Sounds simple enough to catch, right? If the proper correlation and monitoring capabilities are in place, it could be. Usually, however, this is not the case.

ANET SureLog SIEM solution has proper correlation and monitoring capabilities for VPN monitoring without installing any agent.

Some sample monitoring scenarios:

A company uses secure VPN connection to grant access to their internal IT environment to an outsource IT partner. The outsource IT partner has access to all critical environments and the company can only hope that they will not do anything harmful.

A company uses secure VPN connection to grant access to their internal application to some users. The users can access the application remotely anytime without further control. If the application cannot monitor user activity, no one would know what happens exactly during a connection.

A company uses secure VPN connection to grant access to their IT environment to the internal IT team. System administrators can manage the whole IT environment without strict control and the company can only hope that they can trust their employees. In a forensics situation it is difficult to detect who did what and when on a server.

One rogue admin had logged in from a VPN connection, accessed these systems by logging in as root or Administrator directly, and copying sensitive files elsewhere. How could this have been detected?

Many organizations are facing both government and industry compliance requirements that involve implementing policies, audit processes, and security controls. Several of these call out privileged user management and monitoring specifically. Two examples are the Payment Card Industry Data Security Standard (PCI DSS) and the Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet.

The PCI DSS is comprised of 12 sections, each focusing on a major aspect of information security programs. Section 10 is labeled “Track and monitor all access to network resources and cardholder data,” and contains two subsections that require privileged user monitoring:

Section 10.1: “Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user”

Section 10.2.2:“Implement automated audit trails . . . [for] all actions taken by privileged users”These requirements directly follow best practices, namely, to disallow the use of generic privileged user accounts such as root and Administrator directly (with tools like su and sudo), and also to generate and maintain logs related to all privileged user activity

SureLog VPN Tracking capability is not limited to firewall logs. SureLog will monitor FW, Servers and processes, File System logs. Automatic tracing algorithm has

VPN synchronization module: Monitor VPN connection and VPN close logs firewalls

Synchronize all the RDP, SSH, Process and File System events with VPN close event in order not to produce redundant reports

Monitor Multiple VPN connections to the same Server Correlate all the RDP, SSH, Process and File Access events according to VPN

source, destination IP pair, Server IP and User Name pair

Tracing VPN ->RDP VPN->RDP->RDP VPN ->RDP->Process VPN ->RDP->File Access VPN ->RDP->(Internet&WEB) Access VPN->RDP->RDP->Process VPN->RDP->RDP->File Access VPN ->RDP-> RDP-> (Internet&WEB) Access

VPN Multiple RDP Reports

SureLog SIEM VPN tracking reports are not limited with just first RDP connection. It’s tracing capability allows administrators to track multiple RDP records. SureLog will depict the previous RDP connection with parentrdpsource field since usernames are same

VPN Process Monitoring Reports

SureLog SIEM VPN tracking module reports running processes which was started by the VPN user. Process tracing has the ability to monitor deep RDP track. Process activities for both first and multiple RDP connections will be available. For multiple RDP connection previous RDP connection will be depicted as parentrdpsrc

VPN File Access Reports

SureLog SIEM VPN tracking module reports file access activities which was started by the VPN user. File activity traking has the ability to monitor deep RDP tracking. File activities for

both first and multiple RDP connections will be available. For multiple RDP connection previous RDP connection will be depicted as parentrdpsrc

VPN (Internet&Web) Access Reports

SureLog SIEM VPN tracking module reports internet &web access activities which was started by the VPN user. Internet&web activity traking has the ability to monitor deep RDP tracking. Internet&web for both first and multiple RDP connections will be available. For multiple RDP connection previous RDP connection will be depicted as parentrdpsrc

Statistical Reports

Statistical reports also available like top most reports.

Example Reports Top VNP Users Top RDP Servers Top RDP Users Top VPN Processes Top File Acces Top VPN Internet Access

Alarms:

Monitoring VPN activity and creating automated alarms is vital in some cases ad important for most of the time. Correlation rules:

If VPN user ertugrul will access computers other than x,y,z (whitelist), notify If any VPN connection is open more than 6 hours (Suspect long flow) , notify VPN servers whitelist VPN servers blacklist If a VPN user executes a nmap.exe (any process), notify If a VPN user access hosts.conf file, notify If a VPN user starts a traffic to IP X.Y.W.Z, notify If a VPN user starts a traffic other than A.B.C.D (Blacklist), notify If a VPN user starts a web request to anetusa.net, notify If a VPN user starts a web request other than anetusa.net(Blacklist), notify

There are many reasons to pay attention to VPN user activity. Aside from the risk of malicious behavior from insiders, even accidental activities can have disastrous consequences due to excessive privilege use. Many compliance mandates are now also stipulating the management and monitoring of privileged user activities, ranging from policy definition to implementation of least privilege and logging requirements.

References

http://www.anetyazilim.com.tr/public/documents/SureLog_Full.pdf

http://www.slideshare.net/anetertugrul/why-surelog

https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890

https://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132