
June 24, 2025

How to reduce the risk of internet-exposed services


Internet-exposed services can pose a significant risk to the security of a network. While many services are designed to be exposed and may be required for certain types of remote access, newly discovered vulnerabilities or weak credentials are frequently exploited by threat actors to gain initial network access.

Even services purpose-built for secure remote access are often compromised when vulnerabilities are discovered.

Exposing risk

Public IP addresses are constantly being scanned to identify hosted services and any missing security patches. In some cases, these scans are conducted by legitimate agencies tracking internet usage.

However, threat actors also conduct regular scans across the internet in hopes of identifying a vulnerable service for exploitation. This is especially true following the publication of a security advisory for a new vulnerability, as threat actors rush to exploit as many vulnerable instances as possible before they have been patched.

While this emphasizes the need for a prompt patch cycle, patches may not always be immediately available, leaving a need for other ways to secure exposed services.

The possibility of users selecting weak or re-used passwords also poses significant risk. Even when a service is not known to be vulnerable, threat actors may attempt a brute force or credential stuffing attack in hopes of gaining access to a legitimate account. Sometimes, these attacks may continue for a significant period of time since they require minimal resources on the part of the threat actor.

Brute force attacks

A brute force attack involves attempting to authenticate to a service with every possible combination of characters that may be in a user's password. While this requires an extremely high number of attempts to be successful, the amount of time required to successfully compromise an account is drastically reduced when short or simple passwords are used.

Credential stuffing attacks

A credential stuffing attack involves attempting to authenticate to a service with credentials known to be used by the same user for other accounts.

These credentials are often collected when other websites or services are breached, and can be very effective since password reuse across multiple accounts is common.
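The two patterns above look different in authentication logs: a brute force attack piles many failures onto one account, while credential stuffing spreads failures across many accounts with roughly one attempt each. The following is an added example (not code from the original post) that classifies failed logins per source address; the log format, field order and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (not real data); assumed format "<src_ip> <user> <FAIL|OK>"
SAMPLE_LOG = """\
203.0.113.5 admin FAIL
203.0.113.5 admin FAIL
203.0.113.5 admin FAIL
203.0.113.5 admin FAIL
203.0.113.5 admin FAIL
198.51.100.7 alice FAIL
198.51.100.7 bob FAIL
198.51.100.7 carol FAIL
198.51.100.7 dave FAIL
198.51.100.7 frank FAIL
198.51.100.7 erin OK
192.0.2.9 alice FAIL
192.0.2.9 alice OK
"""

def parse(log_text):
    """(src_ip, user, failed) per well-formed "<ip> <user> <FAIL|OK>" line; malformed lines skipped."""
    rows = (line.split() for line in log_text.splitlines())
    return [(ip, user, res == "FAIL") for ip, user, res in (r for r in rows if len(r) == 3)]

def classify(events, min_failures=5, stuffing_min_users=4):
    """Label sources with at least min_failures failed logins.
    brute_force: failures piled onto few accounts (password guessing);
    credential_stuffing: failures spread over many accounts, about one try each
    (replaying leaked pairs). '+success' marks a login that later succeeded from that source."""
    fails = defaultdict(lambda: defaultdict(int))   # src_ip -> user -> failure count
    successes = defaultdict(set)                    # src_ip -> users that logged in
    for ip, user, failed in events:
        if failed:
            fails[ip][user] += 1
        else:
            successes[ip].add(user)
    verdicts = {}
    for ip, per_user in fails.items():
        total = sum(per_user.values())
        if total < min_failures:          # a user mistyping a password twice is not an attack
            continue
        distinct = len(per_user)
        spread = distinct >= stuffing_min_users and total / distinct <= 2
        label = "credential_stuffing" if spread else "brute_force"
        if successes.get(ip):             # a success after a spray is the compromise to triage first
            label += "+success"
        verdicts[ip] = label
    return verdicts
```

Running `classify(parse(SAMPLE_LOG))` flags 203.0.113.5 as brute force and 198.51.100.7 as credential stuffing with a subsequent success, while the single typo from 192.0.2.9 stays below threshold.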

Compounding factors

Compromise of an external service can be especially impactful if it grants access to an administrative account. In fact, administrative accounts are typically among the first targeted once an exposed authentication service, such as RDP or a VPN, is identified.

If compromised, these accounts give a threat actor access to privileged commands and information within the network. This can also make initial detection of the compromise more difficult, since the privilege-escalation activity that a threat actor would normally need to perform on an ordinary account, and that defenders often rely on to spot an intrusion, never takes place.

Compromise may also be especially impactful where the targeted service regulates access to multiple systems, such as Remote Monitoring and Management (RMM) software.

Compromise of this type of service may grant elevated access across a large portion, or all, of the network, and may be leveraged to install and execute malware or malicious tools. In some cases, this has led to widespread deployment of ransomware immediately following initial network compromise.

3 steps to reduce the risk of exposed services

It's not possible to fully eliminate the risk posed by exposing services to the internet; however, proper configuration can significantly decrease the level of associated risk.

In particular, the following precautions can reduce the likelihood of a successful compromise:

1. Employ a remote access VPN

We suggest using a remote access VPN as the single point of remote access to your network. As discussed, exposing multiple services to the internet increases the risk of any one service being compromised. A VPN, by contrast, lets you expose only the single VPN service, with access to additional services granted locally once the user has authenticated to the VPN.

VPN software often offers more secure authentication features than other services as well, since it's intended to be used in this way.

If you would like more information, we have a full blog on typical VPN uses and recommendations available here: VPNs: Security best practices for businesses. When a VPN is used as a single point of access, we still recommend further securing it with the recommendations below.

2. Enforce the use of multifactor authentication (MFA)

In the event that user account credentials are compromised, either through a brute force attack or re-used credentials, enforcing a second authentication factor can still consistently prevent malicious account access.

We have compiled additional information on authentication protocols and MFA here: MFA and passkeys: Why a password is not enough.

3. Apply an access control list (ACL)

An ACL can be used to restrict access to exposed services, for example by only allowing connections from the IP address ranges or geographic locations from which your users are expected to connect.

This typically has a significant impact on the extent of attempted exploitation and compromise, since to any other remote system it appears that no service is exposed at all. Most enterprise firewalls support adding ACLs to external traffic destined for exposed services.

4. Implement a password policy

Consider the use of secure password-less authentication where supported (such as passkeys).

Where passwords are required, implement a password policy requiring the use of a password manager to generate complex and unique credentials for each account in use, particularly accounts exposed to the internet.

Securing with Field Effect MDR

Security best practice involves a layered approach, consisting of a combination of secure configuration, prompt security patching, threat surface reduction, and active monitoring.

Field Effect MDR takes a holistic approach to monitoring exposed services, including changes to both risk level and active threats, by:

  • Monitoring for newly exposed services, including unintentionally exposed services.
  • Monitoring for vulnerable software associated with an exposed service.
  • Monitoring for brute force or credential stuffing attack patterns.
  • Sharing timely threat and risk intelligence reports on newly discovered vulnerabilities.
  • Monitoring for malicious techniques and behavior following initial compromise.