Guide to Securing Remote Access Software

OVERVIEW: REMOTE ACCESS SOFTWARE

Remote access software and tools comprise a broad array of capabilities used to maintain and improve IT, operational technology (OT), and industrial control systems (ICS) services; they allow a proactive and flexible approach for organizations to remotely oversee networks, computers, and other devices. Remote access software, including remote administration solutions and remote monitoring and management (RMM), enables managed service providers (MSPs), software-as-a-service (SaaS) providers, IT help desks, and other network administrators to remotely perform several functions, including gathering data on network and device health, automating maintenance, PC setup and configuration, remote recovery and backup, and patch management.

MALICIOUS USE OF REMOTE ACCESS SOFTWARE

Remote access software provides IT/OT teams with flexible ways to detect anomalous network or device issues early on and proactively monitor systems. Cyber threat actors are increasingly co-opting these same tools for easy and broad access to victim systems. While remote access software is used by organizations for legitimate purposes, its use is frequently not flagged as malicious by security tools or processes. Malicious actors exploit this by using remote access software to establish network connections through cloud-hosted infrastructure while evading detection. This type of intrusion falls into the category of living off the land (LOTL) attacks, where inherently malicious files, code, and scripts are unnecessary, and cyber threat actors use tools already present in the environment to sustain their malicious activity. For additional information and examples of LOTL attacks, see the joint Cybersecurity Advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.

ASSOCIATED TTPS

Cyber threat actors use remote access software for initial access, maintaining persistence, deploying additional software and tools, lateral movement, and data exfiltration. As such, remote access software—and RMM in particular—is often used by cybercriminals in ransomware incidents, and in certain APT campaigns. For an example of APT usage, see the joint Cybersecurity Advisory Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks.

DETECTION

Network administrators and defenders should first establish a security baseline of normal network activity; in other words, it is critical for network defenders to be thoroughly familiar with a software’s baseline behavior in order to recognize abnormal behavior and detect anomalous and malicious use. Network defenders should correlate detected activity with other suspicious behavior to reduce false positives.
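The baseline-then-deviate approach above, as an added example that is not part of the CISA guide: a known-good window of process-start telemetry defines which remote access tools each host normally runs (and under which user and parent process), later events that fall outside that baseline are flagged, and a second signal (new outbound connections to cloud-hosted infrastructure, which the guide notes actors use) raises severity so that a single deviation alone does not become a high-priority alert. Host names, user names, tool names and the telemetry tuples are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical inventory of remote access / RMM executables deployed in the environment.
REMOTE_ACCESS_TOOLS = {"rmm_agent.exe", "remote_tool.exe"}

# Constructed process-start telemetry: (host, user, image, parent image).
# The baseline window is assumed to cover known-good operation only.
BASELINE_WINDOW = [
    ("ws-01", "helpdesk", "rmm_agent.exe", "services.exe"),
    ("ws-02", "helpdesk", "rmm_agent.exe", "services.exe"),
    ("srv-01", "svc-backup", "rmm_agent.exe", "services.exe"),
]

DETECTION_WINDOW = [
    ("ws-01", "helpdesk", "rmm_agent.exe", "services.exe"),   # matches baseline
    ("ws-03", "jdoe", "remote_tool.exe", "outlook.exe"),      # tool never seen on this host
    ("srv-01", "svc-backup", "rmm_agent.exe", "services.exe"),  # matches baseline
    ("ws-02", "jdoe", "rmm_agent.exe", "explorer.exe"),       # known tool, unexpected user/parent
]

# Constructed secondary signal: hosts that opened new outbound connections to
# cloud-hosted infrastructure during the detection window (hypothetical set).
NEW_CLOUD_EGRESS = {"ws-03"}


def build_baseline(events):
    """Map host -> set of (user, image, parent) for remote access tools seen in known-good traffic."""
    baseline = defaultdict(set)
    for host, user, image, parent in events:
        if image in REMOTE_ACCESS_TOOLS:
            baseline[host].add((user, image, parent))
    return baseline


def detect(events, baseline, cloud_egress):
    """Return (host, reason, severity) for remote access tool launches outside the baseline.
    Severity is 'high' only when the deviation correlates with the egress signal."""
    findings = []
    for host, user, image, parent in events:
        if image not in REMOTE_ACCESS_TOOLS:
            continue
        if (user, image, parent) in baseline.get(host, set()):
            continue  # within the established baseline for this host
        if host not in baseline:
            reason = "remote access tool never seen on host"
        else:
            reason = "known tool with unexpected user/parent"
        severity = "high" if host in cloud_egress else "medium"
        findings.append((host, reason, severity))
    return findings


if __name__ == "__main__":
    for finding in detect(DETECTION_WINDOW, build_baseline(BASELINE_WINDOW), NEW_CLOUD_EGRESS):
        print(finding)
```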

Access the full guide at: https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf