CISA Releases Guidance For Securing Remote Access Software

June 08, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA) issued a “Guide to Securing Remote Access Software” as cyber threat actors continue to leverage these tools to target victims. The thorough guidance, co-authored by the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD), helps users balance the usefulness of remote access tools with the potential threats they pose if exploited.

“Legitimate use of remote access software enables efficiency within IT/OT management—allowing MSPs, IT help desks, and other providers to maintain multiple networks or devices from a distance. It also serves as a critical component for many business environments, both small and large empowering IT, OT, and ICS professionals to troubleshoot issues and play a significant role in business continuity plans and disaster recovery strategies,” the guide stated.

“However, many of the beneficial features of remote access software make it an easy and powerful tool for malicious actors to leverage, thereby rendering these businesses vulnerable.”

Cyber threat actors have been known to deploy living off the land (LOTL) attacks, in which they establish network connections via cloud-hosted infrastructure and entirely evade detection. Throughout the process, these threat actors use tools already present in the environment to sustain their malicious activity, rather than having to deploy malicious code.

In fact, CISA recently issued a cybersecurity advisory regarding China state-sponsored threat actors using LOTL attacks to evade detection.

The guidance suggested that remote access software is enticing to threat actors because it does not require extensive capabilities, it does not always trigger security tools, and it may enable actors to bypass software management control policies.

Despite remote access software’s many advantages for threat actors, network defenders can still take action to mitigate risk by learning about common cyber threat techniques and remaining aware of common warning signs.

“Network administrators and defenders should first establish a security baseline of normal network activity; in other words, it is critical for network defenders to be thoroughly familiar with a software’s baseline behavior in order to recognize abnormal behavior and detect anomalous and malicious use,” the authoring agencies stated.

“Network defenders should correlate detected activity with other suspicious behavior to reduce false positives.”

Organizations were strongly encouraged to leverage a robust risk management strategy based on reliable standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Additionally, the guidance stressed the importance of auditing remote access software and its configurations, implementing network segmentation, and leveraging a zero trust architecture.

The guidance also provided detailed recommendations for MSPs and IT administrators and developers of products with remote access capabilities. Lastly, the organizations encouraged United States organizations to report any suspicious activity to their local FBI office.