In a series of posts, the Microsoft Threat Intelligence team announced yesterday that the Vanilla Tempest threat actor is using INC ransomware to target the US healthcare sector. What struck me the most was the use of RDP for lateral movement.
Figure 1 Microsoft posts on Vanilla Tempest (source: X)
At first glance, you may wonder how they did this without credentials. But remember that hackers can use credential dumping, pass-the-hash, and pass-the-ticket techniques on a compromised system even if they do not have credentials at the onset. This is how the adversary can quickly infiltrate large swaths of the network in minutes after the initial access. It may also allow the attacker to compromise and take over domain controllers, significantly impacting the business.
Figure 2 Lateral movement using RDP
There is a simple solution to address this attack vector. What if we restricted RDP access to only necessary sources? In most enterprises, this will be a small number of bastion hosts, privileged access management (PAM) systems, and vulnerability scanners.
Figure 3 Preventing lateral movement by restricting RDP access
Implementing these restrictions in a network firewall is possible, but not all internal traffic traverses the firewall. Over 85% of enterprise traffic is east-west and never sees perimeter-based firewalls, so this is not a reliable approach. However, all your enterprise systems have a powerful built-in firewall—Windows Filtering Platform on Microsoft Windows systems, nftables on Linux, etc. Why not leverage this to restrict unauthorized RDP access right at the host?
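As an added example (not ColorTokens' or Xshield's code), the same restriction can be applied by hand on a single Windows host with the Windows Firewall PowerShell cmdlets: every inbound allow rule for port 3389 is scoped to an allowlist of approved sources and the default inbound action is confirmed to be Block. The addresses in the allowlist are constructed placeholders standing in for your bastion hosts, PAM systems and vulnerability scanners.

```powershell
# Added example: scope inbound RDP on this host to approved management sources only.
# Constructed placeholder addresses; replace with your bastion/PAM/scanner ranges.
$AllowedRdpSources = @('10.10.1.10', '10.10.1.11', '10.20.5.0/24')

function Set-RdpSourceAllowlist {
    param([string[]]$Sources)

    # 1. Unsolicited inbound traffic must be dropped unless an allow rule matches.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    # 2. Find every inbound allow rule that opens 3389 (TCP or UDP), including the
    #    built-in "Remote Desktop" rules, and narrow its remote scope to the allowlist.
    $rdpRules = Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq 3389 -and $_.Protocol -in 'TCP','UDP' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    foreach ($rule in $rdpRules) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $Sources
    }

    # 3. Show the resulting scope so the change can be verified and recorded.
    foreach ($rule in $rdpRules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        '{0,-45} RemoteAddress={1}' -f $rule.DisplayName, ($addr.RemoteAddress -join ',')
    }

    # 4. Flag any other enabled inbound allow rule that is open to any source on any port;
    #    such a rule would still let RDP through regardless of step 2.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any' -and
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any'
        } |
        ForEach-Object { "WARNING: broad inbound allow rule still present: $($_.DisplayName)" }
}

Set-RdpSourceAllowlist -Sources $AllowedRdpSources
```

Run from an elevated session; any RDP session not originating from the listed sources is refused by the host itself, whether or not the traffic ever crosses a network firewall.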
ColorTokens Xshield leverages the built-in host firewall to protect your entire network from RDP-based lateral movement. All it takes is deploying a lightweight agent, visualizing your RDP traffic, creating a policy template allowing approved sources, and pushing this out to all your systems. Applications running on your systems are unaffected, and there is zero downtime. Depending on the size of your network, you can do this in hours or just a few days.
Figure 4 Xshield policy to restrict RDP access
And if you are a new Xshield customer starting your microsegmentation journey, please ask your Customer Service Manager how you can address this imminent threat as soon as possible.
If you are not an Xshield customer and would like to learn how we can help, please contact us here.