The "External Remote Access" detection identifies attempts by external entities to establish remote connections to internal systems. This type of activity is often associated with malicious actors seeking unauthorized access to internal networks and resources, using tools and protocols like Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), SSH, and remote administration tools.
Scenario 1: An internal server receives multiple remote access attempts via RDP from an external IP address. Investigation reveals that an attacker used stolen credentials to attempt unauthorized access during off-hours.
Scenario 2: A sudden increase in SSH connection attempts from an external IP is detected. Further analysis indicates that a legitimate third-party vendor was performing scheduled maintenance, causing the detection to trigger.
If this detection indicates a genuine threat, the organization faces significant risks:
Successful external remote access by malicious actors can lead to unauthorized access to sensitive data and critical systems.
Attackers can exfiltrate data, leading to potential financial and reputational damage.
Unauthorized remote access can be used as a foothold to launch further attacks, including lateral movement, privilege escalation, and deployment of malware.
Examine logs for remote access attempts, focusing on the frequency, source IP addresses, and times of the attempts.
Determine if the source of the remote access attempts is known and authorized. Check if the IP address belongs to a trusted entity.
Look for other signs of compromise or related suspicious behavior, such as failed login attempts, unusual network traffic, or malware alerts.
Confirm if any authorized remote access activities were scheduled or performed by IT administrators, remote workers, or third-party vendors.