Recently, TechTarget covered Sophos’ midyear Active Adversary Report for Tech Leaders, which analyzes data compiled by the company’s Incident Response team for the first half of 2023. The report contains some eye-opening stats for any organization utilizing Windows machines as an element in its IT infrastructure.
Read on to see the stats and get recommendations on how to mitigate risk, including utilizing GO-Global when delivering Windows applications.
RDP and Compromised Credentials
While Sophos’ report indicated that ransomware remains the number one attack type, attackers leveraged Microsoft® Remote Desktop Protocol (RDP) in 95% of attacks, up from 88% in 2022. In 77% of the 2023 attacks, RDP was used to leverage compromised credentials for internal access (threats that originate from inside an organization, like employees, vendors, or partners) and lateral movement (techniques an attacker uses to move through a network after gaining access).
According to Sophos, RDP remains “one of the most widely abused tools” because it comes pre-installed on most Windows® operating systems. Prior to Windows 11, RDP was not configured with brute-force protection, making those accounts more vulnerable. In Windows 11, Microsoft started enabling Account Lockout Policy by default. The policy automatically locks a user’s account for 10 minutes after 10 failed login attempts in a row, which helps to mitigate brute forcing.
Another contributing factor pointed out by Sophos is that MFA has not been aggressively implemented as part of corporate security policy.
These factors contributed to making compromised credentials the leading root cause of the attacks analyzed in Sophos’ midyear 2023 report.
Reducing RDP Leverage
To reduce RDP leverage, the Sophos report advises that organizations should mandate that RDP use is “necessary, limited, and audited”, and implement MFA across the organization. Sophos acknowledges that securing RDP is not trivial—but doing so will have a noticeable impact. The simple act of creating a “no-RDP-access” roadblock means that an attacker must take extra time on a workaround, giving an organization more time to detect such activity and respond.
Organizations can reduce risk by ensuring that Windows 11 users have not disabled Account Lockout Policy and that Windows 10 and 8.1 users enable Account Lockout Policy on their machines. Alternatively, users can disable RDP between remote desktop sessions.
Unfortunately, most end user computing teams know that relying on end users to lock down or disable RDP is not a reliable way to address the compromised credential issue. And Windows ISVs using Microsoft RDS to deliver their application to customers are not in a position to dictate the Windows settings on their customers’ machines. As Sophos suggests, to continue using RDS and RDP and reduce the threat of compromised credentials, limit use of RDP as much as possible, enable RDP Account Lockout Policy on Windows machines where you can, and implement MFA for every user.
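The two host settings the section above relies on, Account Lockout Policy and whether RDP is enabled at all, can be audited rather than left to end users. The following read-only PowerShell check is an added example, not code from GO-Global or Sophos; it reads the effective lockout policy from `net accounts` and the RDP state from the Terminal Server registry keys, and additionally reports whether Network Level Authentication is required (a related hardening not discussed in the post). Run it in an elevated session on the Windows host being audited.

```powershell
# Added audit script: read-only checks on Account Lockout Policy and RDP state.
function Get-LockoutPolicy {
    # "net accounts" prints the effective local lockout policy as "Name: value" lines.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(.+)$') { $policy.Threshold = $Matches[1].Trim() }
        if ($line -match '^Lockout duration \(minutes\):\s+(\d+)') { $policy.DurationMinutes = [int]$Matches[1] }
        if ($line -match '^Lockout observation window \(minutes\):\s+(\d+)') { $policy.WindowMinutes = [int]$Matches[1] }
    }
    return $policy
}

function Get-RdpState {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    [pscustomobject]@{
        # fDenyTSConnections = 1 means Remote Desktop is turned off on this host.
        RdpEnabled  = ((Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0)
        # UserAuthentication = 1 means NLA must succeed before a session is created.
        NlaRequired = ((Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1)
    }
}

$lockout = Get-LockoutPolicy
$rdp     = Get-RdpState

# A threshold of "Never" means no lockout at all, the pre-Windows 11 default the post warns about.
if ($lockout.Threshold -eq 'Never') {
    Write-Warning 'Account Lockout Policy is disabled: unlimited password guesses against RDP logons.'
} else {
    Write-Output ("Lockout after {0} failed attempts; {1} minute(s) duration; {2} minute(s) window." -f `
        $lockout.Threshold, $lockout.DurationMinutes, $lockout.WindowMinutes)
}

if (-not $rdp.RdpEnabled) {
    Write-Output 'RDP is disabled on this host.'
} elseif (-not $rdp.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
} else {
    Write-Output 'RDP is enabled with Network Level Authentication required.'
}
```

Windows 11 defaults correspond to a threshold of 10, a duration of 10 minutes and a 10-minute observation window; anything reporting "Never" on a Windows 10 or 8.1 host is where the post's recommendation to enable the policy applies.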
Alternatives to RDP
For companies using Microsoft RDS and RDP to deliver Windows applications to users or customers, there is one alternative solution that eliminates the need to use RDS and RDP.
GO-Global® provides full replacements for Microsoft’s multi-session functionality, Remote Desktop Services, and Remote Desktop Protocol. GO-Global replaces RDP with RapidX Protocol (RXP), a proprietary, low-bandwidth protocol. Because RXP is closed source, it offers additional defense against attackers, compared to RDP’s open-source protocol.
For additional security, GO-Global includes 2FA, which renders brute-force and dictionary password searches useless. And GO-Global + SSO provides support for OpenID Connect, which allows organizations to use modern identity providers to enable single sign-on into GO-Global Windows hosts.