Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm director of the Practice Identity and Access Management here at KuppingerCole Analysts. We're running up to cyberevolution, our cybersecurity / AI event in Frankfurt. And for that, I have invited Warwick Ashford. He is a Senior Analyst with KuppingerCole Analysts acting out of the UK. Hi Warwick.
Hi Matthias, yes. I'm looking forward to cyberevolution. I think it's going to be really exciting in Frankfurt, nice new venue and a whole new look event. And yeah, looking at some really interesting stuff. I was looking at the agenda yesterday and I'll be moderating some of those sessions, so I'm really looking forward to that.
Yes, absolutely. Also looking forward to that. I think it's going to be informative and it's going to be fun, I think, really. So cybersecurity, and I've mentioned cyberevolution, having this touch of AI and modern types of reacting to cybersecurity threats and also more modern, more emerging cybersecurity threats. We want to talk about the opposite today. So we want to talk about some old fashioned horror that has been around for quite a while. And this is something that you highlighted also in a Leadership Brief, I think, a document that you published last year. And it's still, unfortunately, still a very current topic that we need to look at. We want to talk about RDP and RDP threats, and RDP being a vector for attackers to threaten our services, our machines, our data. First of all, first question, of course, if there is a three letter acronym in the room, what is RDP and what does that mean and why has it become such a critical tool for business as of now?
Thanks, Matthias, yes, the remote desktop protocol, RDP, is one of the key enablers of remote access. Basically, it's a powerful network protocol that was originally developed by Microsoft to enable network administrators and support technicians to maintain, diagnose and fix problems remotely. So while employees can access their work computers without leaving home or while traveling on business from anywhere in the world. So RDP enables users to connect to another computer in a remote location via a graphical user interface to control a remote desktop session. So that means they can delete or copy text between applications as well, running on the guest and the host machine. So now this is extremely useful for remote working and troubleshooting, which is driving the extensive use of RDP in operational technology or OT networks as well as IT networks. It's much more cost effective to maintain OT systems remotely than to keep a dedicated team at each site, sending technicians to work onsite. So consequently, RDP is one of the most widely used remote access protocols. However, RDP is also one of the most popular initial cyber attack vectors, as you mentioned earlier, and it's all too often overlooked from a security point of view. So as you said, we're not talking about something that's super sexy, but it's something that's really important and must not be overlooked.
Yeah, right, and popular means it's of course an attack surface that needs to be protected. And as you've mentioned, it's quite dated. It's been around for some while. So I assume there are also known vulnerabilities, so it needs some additional protection. So where are the vulnerabilities and why has it become such a prime target for cyber attackers? And I have read that it's mainly or mostly around the topic of ransomware. Can you explain a bit more, what's going on there?
Yeah, sure. So you mentioned ransomware. I mean, that was one of the reasons that I got attracted to researching this topic, was that I saw a report that, you know, most of the top ransomware families have been recorded to use this. But I'd say there are kind of three main reasons why it's become a prime target. First, anything that is popular is always going to be a target for attackers. They only have to develop an attack once and then they can apply it widely. And in the case of RDP, its biggest attraction for attackers is that it's so widely used, and that's only increased. So remote access was gaining momentum because it cuts commuting time and cost. It enables a better work life balance. And that means organizations can hire the best talent wherever they happen to be and that people can pursue job opportunities without having to relocate, without having to move home. But the COVID-19 pandemic accelerated this trend enormously. So as a result, an unprecedented number of people are working from home, and many appear set to continue doing so either full time or in a hybrid fashion. So remote working is now increasingly common, with RDP clients available for most versions of Windows, macOS, Linux, Google Android and Apple iOS providing connections between clients, servers and virtual machines. Second, while RDP potentially provides an impressive array of security capabilities, including smart card authentication, 128-bit encryption for data and TLS security, not all RDP clients support these features under all circumstances. In addition, many organizations are failing to address known RDP vulnerabilities, with many patches not applied for three or more years after their release. So that's the perennial problem in security: not up to date, no up to date patching. I don't know when we are going to solve that problem, but it comes up every time we discuss security at our events.
Third, web crawlers like Shodan make it quick and easy for attackers to identify misconfigured RDP ports and vulnerable internet facing machines. In addition, exploiting a legitimate network administration tool like RDP makes it easier for attackers to maintain a low profile and remain undetected because, after all, they're using a legitimate tool. So it's quite hard to pick up that activity. So remote administration tools like RDP have become increasingly popular as an attack vector since around 2016, I think, with the rise of dark markets selling RDP access. Initial access brokers or IABs are becoming a key element of the crime as a service underground economy. And in 2018, the FBI's Internet Crime Complaint Center warned that cyber attackers have methods for identifying and exploiting vulnerable RDP sessions to compromise identities, steal login credentials, and of course, as we've already mentioned, launch ransomware attacks. So in summary, RDP is ubiquitous. Attackers can remain undetected because RDP is an admin tool, and it's often easy to exploit RDP vulnerabilities as an initial attack vector because not all RDP clients are created equal. RDP credentials can be purchased on the dark web, and many organizations are still not following security best practice when it comes to RDP. So poorly implemented RDP presents a great opportunity for attackers to get into a target organization, scan ports, harvest credentials, escalate privileges, inventory assets and install malware, particularly ransomware.
So, usually it's difficult, or sometimes it's difficult to ask the right question after such an answer from a guest, being the host of a podcast. But there are tons of questions that I would like to ask, because all of this results from what you just explained, but maybe starting with one thing. So the use of RDP is convenient, and convenience means people like to use it. And on the other hand, we have all these negative aspects that you've mentioned, not patching, these credentials being around. And what are some of the misconceptions when organizations still want to use RDP and when they want to balance cybersecurity and risk management on the one hand and convenience for the users, or the administrators, on the other hand? What can be done wrong? Of course, the second question would then be, how can they do it better?
Well, I think the biggest misconception is the assumption that it's safe, that all RDP clients are equally secure, that all RDP implementations are equally secure. So it's essential that organizations fully understand the risk. They must take it seriously and either find an alternative to RDP or take a series of comprehensive steps to mitigate that risk by reducing the opportunity for attackers to gain access in the first place to their networks via this route. And I think the common mistakes, I think I mentioned some of them already, are not using the latest versions of operating systems and keeping them patched, not using the latest versions of RDP with strong encryption mechanisms, not ensuring all RDP servers are patched up to date, not blocking unused ports, not using group policy to block remote access to machines that just aren't needed and not using strong access control policies.
Right. You've mentioned the dark web and the availability of the credentials there. If that has happened, if the credentials are already there and can be purchased and can be targeted. I still have a bit of a naive approach towards the dark web, but I've never been there. But I assume you can really target organizations and you can really focus on specific data. What... Can you explain in more detail how these credentials are then typically used? Is this the traditional entering a system, lateral movement, moving within the environment? Is this the way that attacks like that work then?
Yeah, sure. So basically it's just getting in with all the keys to the kingdom. And I think the important thing is that RDP credentials account for most of the IAB listings. They are also widely available for sale on dark markets for as little as $5, according to a research paper that I saw. So for a very small investment, attackers have the means of taking control of a powerful network protocol, and this allows an individual to control the resources and data of a computer over the Internet. So it's kind of just enabling them to walk through the front door, basically without any checks. So RDP provides complete control over the desktop of a remote machine. So armed with stolen RDP credentials, attackers can establish a remote connection with the target machine with the same rights as anyone logging in with legitimate credentials, including, as you said, the ability to move laterally, exfiltrate data, install ransomware and so on.
Right. The second question was how to do it better. You've mentioned the patching, and I think this is true not only for RDP vulnerabilities or these types of attacks. This holds true for everything that we do in IT. And you've mentioned, or I've mentioned your document, and in this document you've mentioned lots of recommendations on best practices to avoid or to mitigate these risks. What would be some recommendations that you would give the audience just right now to say, okay, what should an organization do to continue using RDP but to do it properly?
Well, like most things in security, I'd say a comprehensive approach is best. Understand your exposure and fill in the gaps. But if organizations who are using RDP do nothing else, they should avoid using open RDP connections over the Internet. Avoid giving anyone direct access to an RDP server, enforce strong login policies, use the latest versions of the operating systems, keep them patched, as you said, use the latest versions of RDP with strong encryption mechanisms because not all of them have that, and ensure that all RDP servers are patched up to date.
Right, RDP to me always sounds a bit like the early 2000s when it comes to using these services. On the other hand, you've mentioned in your document that Zero Trust and applying a Zero Trust approach could also help in mitigating this risk. So we have this more or less a bit dated technology, but still very currently used. And on the other hand, modern concepts like Zero Trust. How can Zero Trust help in mitigating that risk, in improving security? How do those play together?
Well, at the simplest level, Zero Trust, to me anyway, is a security model or paradigm in which there's strict identity verification and access control for every user or device in a network, ensuring that data is secure while at the same time ensuring that it's accessible to all those who need it. So that's kind of the basis of what you need in an organization: you need people, to remain functioning in their jobs, to get access to the data they need. But you've got to ensure that, you know, the access is verified and that it's controlled. So there are several principles that are consistent with the Zero Trust approach to security, which help organizations to reduce their vulnerability to cyber attacks exploiting RDP. So these include going passwordless or using strong passwords with MFA, that's multi-factor authentication, of course. You can also apply the principle of least privilege to limit access to required systems only. So don't have access all over the place when it's only required for a specific number of machines. You can also specify which users are allowed to access systems via RDP. And if you've got a policy like that, any violation of that policy is likely to flag up. And if somebody's credentials are compromised and then those credentials are used to access the machine via RDP, if that person doesn't normally access a machine and doesn't have those rights, then, you know, you've already sorted out that problem. The other thing you can do is ensure local admin accounts are unique, that they're not shared, and wherever possible, put RDP servers in a demilitarized zone, DMZ, or restricted area.
Right, that sounds like quite a wide range of methodologies, of mitigating measures, to support using RDP much more securely than it's done in some organizations at least. If we look into the future, and we are analysts, what is the expected future for RDP, for remote access solutions in general? Do you expect some changes here, some stricter integration with PAM, for example, or will it just not go away? Is it here to stay?
Well, that's kind of a discussion all in itself. How long have you got, Matthias? First off, I'd say that, like passwords, the use of RDP won't disappear overnight. It's too widely used. But organizations should continually reassess why they need RDP and they should explore potentially safer alternatives such as a remote desktop gateway, which serves as a kind of intermediary or gateway for RDP sessions, providing a secure and controlled way to access remote resources. And that's very much in line with Zero Trust, as we discussed earlier. Where RDP is deemed to be absolutely necessary, or for people that want to move off of it straight away, protect your systems by using a firewall, for example, and monitor and secure RDP with intrusion detection and endpoint protection systems. Security and compliance considerations I think are going to drive the adoption of remote access solutions that offer robust security features such as encryption, MFA, and better still, passwordless MFA, as we are always recommending at KuppingerCole. RDP and other remote access solutions will need to align with Zero Trust principles as this gains traction. And I really do think it is, because it makes the most sense in the modern world. And then in terms of future technologies, I think we'll see a lot of evolution in remote access solutions in the coming months and years. Remote access solutions will need to adapt to provide secure access to things like edge devices and systems. Cloud based remote access solutions and desktop as a service I think are likely to become more prevalent, as alternatives to or in conjunction with RDP. And then talking about cloud, remote solutions need to accommodate hybrid and multi-cloud environments because that's just the reality of today's business IT, I'm sure you'll agree. And there will need to be a focus on performance and user experience.
So solutions that offer low latency and high quality video and audio and ease of use will be more popular. And then I mentioned compliance earlier; that will continue to be a factor. Remote access solutions will need to ensure support for regulations, and we can't talk about the future without talking about AI and automation. So remote access solutions I think will increasingly incorporate automation and AI for tasks such as threat detection, system monitoring and user support. And then you asked about emerging technologies. So there we've got 5G and edge computing, as I said earlier, and the Internet of Things and the Industrial Internet of Things and all these wonderful new technologies that are coming. But they all will have remote access available. And then finally, secure remote desktop services and similar technologies will need to evolve to meet these modern security and scalability needs. So I think the future of RDP and remote access solutions in general is likely to be shaped by a combination of all these factors. So while remote work is here to stay, I think the security and performance aspects of remote access are paramount, and solutions that can strike a balance between ease of use and robust security will be highly sought after and they will be the market leaders.
Right, so we've come full circle. So we're back at AI supporting cybersecurity, although we were talking about RDP. So we've come full circle. We've mentioned cyberevolution in the beginning, and that has this tagline of an AI controlled IT security as well. And if our audience takes something home with them, if they implement five of the measures that you've just mentioned before, protecting RDP, which I assume they had not had on their radar for Cybersecurity Secure Awareness Month, I think this will increase the cybersecurity in many organizations. If you just update your client to the most recent version and if you just upgrade the operating system below that IoT device that is somewhere out in the green, and then you access it much more securely, then something has improved already. So this would be a good starting point. And while you're there, there's a lot more to do. Any final thoughts, Warwick, before we close down, when it comes to RDP? Of course, I need to mention that there is, of course, this Leadership Brief that I've mentioned earlier. It's from 2022, but it's available, of course, in our research library and people have easy access to that. So I would really recommend going to kuppingercole.com and reading that document. Anything else from your side?
No, Matthias, I think you summed it up beautifully. It just kind of always amuses me, like at security events, it always all comes back to best practice really. You know, I think we spend a lot of time thinking about the latest and greatest attacks and so on. But at the end of the day, these are all basically the same things. They're all kind of phishing attacks, they're all after the same things. And a lot of issues, you know, if you just practice, you follow best practice, a lot of those things are taken care of. So I think RDP is another example of where, yes, there are very specific things that you can do for RDP, but just by following security best practice, you can eliminate a lot of those vulnerabilities.
All right. And maybe as a final thought, if credentials are for sale on the dark web, maybe you want to change your credentials from time to time. That might be a good starting point as well. So thank you very much, Warwick, for being my guest today, for shedding light on one of the more ignored parts of cybersecurity, and where there really can be easy measures to improve the cybersecurity posture in general. Looking forward to meeting you in Frankfurt. And everyone who's interested in joining us there, please visit us, shake hands and talk to Warwick and/or me. And if you have any questions, if you have any comments, please reach out to Warwick or me, or if you're watching this on YouTube, just leave a comment below that video in the comments section or send us an email. We are happy to discuss that. Happy to take your feedback, happy to take your suggestions on what to cover next on this podcast. And until then, thank you very much for being our audience today, for being my guest today, Warwick, and I hope to have you on this podcast very soon again. Thanks Warwick.
Great. Thanks, Matthias. See you all at cyberevolution.
Absolutely. See you.