Kaspersky reported that nearly 30% of cyberattacks involved the use of legitimate remote management and administration tools (software that helps IT and network administrators perform daily tasks such as troubleshooting and providing technical support to employees), which lets attackers remain undetected for a long time.
Attackers can run processes on endpoints and access and extract sensitive information while bypassing the security controls that detect malware. Such attacks are difficult to identify because the same actions can be part of a planned cybercrime operation or a routine system administration task.
To minimize the chances of these legitimate tools being used for infiltration, Kaspersky recommends the following measures:
Restrict access to remote management tools from external IP addresses, and ensure that remote control interfaces can be accessed only from a limited number of endpoints.
Enforce a strict password policy for all IT systems and deploy multi-factor authentication.
Follow the principle of least privilege: give staff limited privileges, and grant high-privileged accounts only to those who need them to fulfill their job.
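As an added illustration of the first measure (example code, not part of Kaspersky's report), the following Python check audits firewall connection logs for remote-control interfaces reached from external addresses or from internal hosts outside an assumed admin allowlist. The port-to-tool mapping, the allowlist and the log lines are all constructed for the example.

```python
import ipaddress

# Assumed mapping of remote-control interface ports to tool names (example values).
REMOTE_MGMT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5985: "WinRM"}
# Internal address space: RFC 1918 ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist: the only endpoints permitted to reach remote-control interfaces.
ALLOWED_ADMIN_HOSTS = {ipaddress.ip_address(a) for a in ("10.0.0.5", "10.0.0.6")}

def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; return None if a token is malformed."""
    try:
        return dict(tok.split("=", 1) for tok in line.split()[1:])
    except ValueError:
        return None

def check_connection(src, dport):
    """Return (tool, reason) when a remote-management connection violates policy."""
    tool = REMOTE_MGMT_PORTS.get(dport)
    if tool is None:
        return None  # not a remote-control interface, out of scope
    ip = ipaddress.ip_address(src)
    if not any(ip in net for net in INTERNAL_NETS):
        return tool, "external source address"
    if ip not in ALLOWED_ADMIN_HOSTS:
        return tool, "internal host not on admin allowlist"
    return None

def audit(lines):
    """Run the policy check over log lines; each finding is (src, dst, tool, reason)."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if not f or "src" not in f or "dport" not in f:
            continue  # skip malformed lines rather than abort the audit
        verdict = check_connection(f["src"], int(f["dport"]))
        if verdict:
            findings.append((f["src"], f.get("dst", "?"), *verdict))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z src=10.0.0.5 dst=10.0.1.20 dport=3389 action=allow",
    "2024-01-01T10:01:00Z src=203.0.113.7 dst=10.0.1.20 dport=3389 action=allow",
    "2024-01-01T10:02:00Z src=10.0.2.33 dst=10.0.1.21 dport=5985 action=allow",
    "2024-01-01T10:03:00Z src=10.0.0.6 dst=10.0.1.22 dport=443 action=allow",
    "2024-01-01T10:04:00Z src=198.51.100.9 dst=10.0.1.22 dport=5900 action=allow",
]
```

Calling `audit(SAMPLE_LOG)` yields three findings: the two external sources and the internal host that is not on the allowlist; the allowlisted admin host and the non-management port produce none.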
To detect and respond to such attacks in a timely manner, Kaspersky proposed implementing an Endpoint Detection and Response (EDR) solution together with an MDR service. Kaspersky's MITRE ATT&CK® Round 2 Evaluation can help organizations choose the EDR products that match their specific needs.