It is becoming increasingly common for organizations to rely on technology service providers to maintain and administer their network environment and for third-party vendors to routinely access their networks to fulfill their functional responsibilities. Whether it be an unintentional oversight or a targeted attempt to leverage protected information, risk exposures are often introduced via authorized connections. When analyzing network log events, it is essential for your organization to review approved administrative activity in order to ensure there is a legitimate business need driving the network change procedures.
In this video, Tyler Detect analyst Damion Vassell discusses an instance in which, while monitoring log events, authorized VPN access from an atypical location raised suspicion of a potential threat for one of our Tyler Detect clients. The account was disabled before any data was compromised.
Brendan: We both know that authorized network access doesn’t always equate to approved or permissible network access especially when it comes to vendor relationships or third-party service providers. Can you give us an example of how Tyler Detect was able to uncover a scenario like that?
Damion: Sure. Just recently the Tyler Detect team was able to identify unauthorized traffic on the network. Going through a client’s VPN logs we were able to determine that a vendor who previously had authorized access to the network – they had completed their work months ago, but still had access to the network – and they were able to use their credentials to log in from an international location.
There’s one example of just because you have authorized access doesn’t necessarily mean that you are authorized to be on the network. Especially in a scenario like this where the work had been finished months ago and the change management did not take place. So, you have this person who’s able to remotely VPN from an international location.
Whether it be the result of an untrustworthy employee or simply a case of accidental happenstance, risk exposures are often introduced via authorized connections. That’s why Tyler Detect doesn’t just focus on errors and known vulnerabilities when reviewing your log events.
In this case, authorized VPN access from an atypical location raised suspicion of a potential threat. Tyler Detect analysts immediately notified our client, and the client disabled the account before any data was compromised.
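The review described above can be expressed as a small, repeatable check: compare each successful VPN login against a third-party access register that records who was approved, until when, and from which countries. The following is an added example written for this page; it is not Tyler Detect's tooling, and the log line format, the register fields, the account names and the sample records are all constructed for illustration. It flags three conditions a change-management reviewer would want to see: an account that is not in the register at all, an account whose engagement end date has passed but whose credentials still work (the case in the interview), and a login from a country the vendor was not approved to work from.

```python
"""Review of VPN authentication logs against a vendor/third-party access register.

Added example, not Tyler Detect's code. The log format, the register fields
and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed log line format (hypothetical VPN appliance syslog):
# <date> VPN-LOGIN user=<account> src=<ip> geo=<ISO country> result=<SUCCESS|FAIL>
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) VPN-LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass(frozen=True)
class AccessGrant:
    """One row of the third-party access register: who was approved, until when, from where."""
    account: str
    vendor: str
    engagement_end: date          # date the approved work was scheduled to finish
    allowed_countries: frozenset  # ISO 3166-1 alpha-2 codes the vendor works from


# Constructed register: the "vendor-acme" engagement ended months before the sample logs.
REGISTER = {
    "vendor-acme": AccessGrant("vendor-acme", "Acme Integrators", date(2023, 11, 30), frozenset({"US"})),
    "msp-admin": AccessGrant("msp-admin", "Managed Services Co", date(2024, 12, 31), frozenset({"US", "CA"})),
}

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOGS = """\
2024-03-04 VPN-LOGIN user=msp-admin src=203.0.113.10 geo=US result=SUCCESS
2024-03-04 VPN-LOGIN user=vendor-acme src=198.51.100.7 geo=RO result=SUCCESS
2024-03-05 VPN-LOGIN user=msp-admin src=203.0.113.11 geo=CA result=SUCCESS
2024-03-05 VPN-LOGIN user=contractor-x src=192.0.2.44 geo=US result=SUCCESS
2024-03-05 VPN-LOGIN user=msp-admin src=192.0.2.9 geo=BR result=FAIL
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["date"] = date.fromisoformat(ev["date"])
            events.append(ev)
    return events


def review_vpn_logins(events, register):
    """Return findings for logins that are technically authorized but not approved.

    Each finding is (date, account, reason, country). Reasons:
      UNREGISTERED - account not present in the access register at all
      STALE_ACCESS - engagement end date has passed but the credentials still work
      ATYPICAL_GEO - login country is not one the vendor was approved to work from
    """
    findings = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue  # failed logins belong to a separate review, not this one
        grant = register.get(ev["user"])
        if grant is None:
            findings.append((ev["date"], ev["user"], "UNREGISTERED", ev["geo"]))
            continue
        if ev["date"] > grant.engagement_end:
            findings.append((ev["date"], ev["user"], "STALE_ACCESS", ev["geo"]))
        if ev["geo"] not in grant.allowed_countries:
            findings.append((ev["date"], ev["user"], "ATYPICAL_GEO", ev["geo"]))
    return findings


def accounts_to_disable(findings):
    """Accounts whose approved engagement has ended: the containment step the text describes."""
    return sorted({user for _, user, reason, _ in findings if reason == "STALE_ACCESS"})


if __name__ == "__main__":
    results = review_vpn_logins(parse_log(SAMPLE_LOGS), REGISTER)
    for f in results:
        print(*f)
    print("disable:", accounts_to_disable(results))
```

On the constructed sample, the stale vendor account produces two findings for the same login (past engagement end and an unexpected country), the unregistered account produces one, and the failed login from Brazil is ignored because this review is about successful, credentialed access. The register is the piece most organizations lack: without an end date and an expected location per third-party account, a reviewer has nothing to compare the log against.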
The Sage Advice Guide to Cyber Threat Hunting
As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach: cyber threat hunting. Learn how to defend your network in the Sage Advice Guide to Cyber Threat Hunting.