How VPNs Help and Hinder Cybersecurity
VPNs have become an almost assumed part of how people explore the internet more safely. VPN users can do everything from encrypting their traffic on public WiFi to hiding their true location from advertisers. This flexibility has led to a large increase in people installing VPN software in an effort to protect themselves online. Unfortunately, that same encryption and relocation means that cybersecurity professionals now see a large amount of traffic arriving from many parts of the globe, and that is cause for concern. How can you or your Blue Team know whether the connection attempt from London to your login page is legitimate or not? Alternatively, login behavior you would normally write off as normal because it comes from a regional ISP could turn out to be the opening salvo of a brute-force attempt by an opportunistic hacker using a VPN to hide his location.
The most important aspect of protecting a network from hackers is understanding the threats you are likely to encounter during normal business operations. Short of perfect cybersecurity, which is impossible, the Blue Team needs to prioritize which aspects of its security program are most vital to protecting business functions. One way to better understand the threats to your organization is the MITRE ATT&CK framework (https://attack.mitre.org/). This free-to-use knowledge base can help a security team get a handle on which attack vectors hackers are most likely to use against their work network. For example, a hacker group like “Ember Bear” has been known to target financial institutions in North America and often uses a particular routine in its attempts to gain access to a network. Using cyber threat intelligence reports about that group, your Blue Team can more effectively prioritize and deploy mitigations for the attacks most commonly directed at the work network.
Another way to improve your security posture as VPN traffic becomes commonplace is to gain a better understanding of the kinds of traffic crossing your network. One tool that can help you parse that data is a network intrusion detection system (NIDS) such as Security Onion. A NIDS can log and store suspicious network events for manual review by a Blue Team. Alternatively, companies like Mile High Cyber can provide even more tailored services, such as Office365 login monitoring and managed endpoint detection and response. Who’s running your Blue Team and sorting out VPN traffic from around the world?
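As an added example (not part of the original post, and not Security Onion's or Mile High Cyber's own tooling), here is the kind of behavioural check a Blue Team can run over login records to separate the VPN-hidden brute-force case described above from an ordinary traveller on a VPN: it ignores the source country entirely and flags a source only on its failure pattern. The log format, field names and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not real logs): timestamp, source IP,
# geolocated country of the IP, account tried, and outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 geo=GB user=alice result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 geo=GB user=bob result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 geo=GB user=carol result=FAIL
2024-05-01T09:00:07Z src=203.0.113.7 geo=GB user=dave result=FAIL
2024-05-01T09:05:00Z src=198.51.100.22 geo=US user=alice result=FAIL
2024-05-01T09:05:20Z src=198.51.100.22 geo=US user=alice result=OK
2024-05-01T10:00:00Z src=192.0.2.9 geo=FR user=grace result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, src, geo, user, result); skip malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["geo"], m["user"], m["result"]))
    return events

def flag_sources(events, window=timedelta(minutes=5), max_fail=5, max_users=3):
    """Return {src: reason} for sources that, within any `window`, exceed max_fail
    failed logins or fail against more than max_users distinct accounts. The geo
    field is deliberately ignored: a VPN exit node makes it an unreliable signal."""
    fails = defaultdict(list)
    for ts, src, _geo, user, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):           # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) > max_fail or len(users) > max_users:
                flagged[src] = f"{len(span)} failures against {len(users)} accounts"
                break
    return flagged
```

In the constructed sample the London (GB) source is flagged for trying four different accounts in seconds, while the US source that fails once and then succeeds is left alone, which is the distinction the post asks a Blue Team to make.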