Cybersecurity in ATM: Investigating VPN Logs in Incident Response

For about two decades, security leaders were told over and over by many vendors that the key to good security is setting up proper VPNs (virtual private networks) which promised encryption and protection against malicious actors. With the rise of remote work, global work forces, contractors and trusted 3rd parties having access to the company network, having the right solution in place, coupled with proper logging and monitoring, can help you detect any potential issues before they become a major incident.

As VPNs become more advanced and offer more logging and insight capabilities, it is important to review what is available and ensure that the appropriate level of data is being captured to track back to the source host. For example, having logs that indicate all connection and authentication attempts are crucial for the security of a VPN setup, as the VPN endpoint is exposed to the internet and if there are compromised credentials, or a successful brute force attack, malicious actors may gain access to your corporate network. This happens in many cases where organizations have failed to adopt Multi-Factor Authentication.

That’s why VPN logs should be monitored in real-time for any anomalies. Any excessive authentication attempts or multiple failed attempts by a particular user, as well as historically, geographically improbable logins, may indicate that an attack is underway.

One Piece of the Puzzle

As with the rest of the security stack, VPN logs are only one piece of the puzzle, but do play a critical part when investigating account activity within your environment. In most modern-day security operations centers, these logs are forwarded to a logger and correlated with other data points being fed into the SIEM to help determine whether or not there is a potential situation. If there is, an alert or incident will be created within the SIEM for the analysts to review and investigate further.

Additional Areas of Focus

If your organization still has a lot of data inside the corporate walls, you need to focus on VPN traffic monitoring to detect suspicious activity and known threats. While IT operations should also focus heavily on remote employees’ VPN usage, their primary focus should be ensuring there’s adequate availability over VPN for employees to access. Insights and visibility are the key starting points for monitoring an organization’s VPN. A security information and event management (SIEM) solution provides alerts is ultimately what both IT operations and the SOC need.

• Unusual Region (Origin): Either an unusual location that stands out, or possibly an abnormally high activity count that could indicate a large concentration of employees authenticating, or possibly a large set of failed activity like a brute force attack coming from a particular region. Either way, a bottom “X” or a top “X” will reveal activity that you should investigate.
  
  
• Unusual Top User (Origin): Most users will only generate a few counts here. You should investigate users that generate a large count for possible issues with the client, or configuration settings. You may also spot a rare username that designates it’s a service account, or privileged user account that typically does not log in via VPN. Using the counts and sorting by top “X” or by bottom “X” will most likely reveal users who require further investigation.
  
  
• Unusual Activity Found on the Threat Activity Map: Quickly identifying where connections are occurring (or being attempted) around the world will help in identifying locations that should be investigated for unknown legitimate use. For example, where a sales team is traveling to a part of the world that has not normally been observed. Some companies have policies in place regarding international travel, such as requiring that users contact security before traveling for security briefings, use temporary traveling equipment that is authorized for overseas travel, etc. Identifying legitimate VPN use may reveal other policy violations. Identifying high counts of activity from areas of the world might identify a brute force attempt. You will need to spend a little time here to identify what should be investigated, and eventually get a feel for what is abnormal to further investigate.

Investigating, performing pivots, and gathering data will reveal additional use cases that are unique to your business. An additional use case might be that users should always disconnect from a VPN session and not let the session timeout. “Max Session Timeout Reached” logs can be identified in your SIEM. Talking to your stakeholders, security leadership and IT teams can really help develop the right use cases so that your incident response team understands what normal and authorized activity versus what an anomaly could be. 

Conclusion

As an incident responder having a baseline of what is normal and expected by working with the security operations teams and other internal teams can help you home in on what could be a potential threat actor exploiting the environment. 

 Stay tuned with our publications as we will continue to explore this topic.