itb-nz logo
Story image

Most organisations exhibiting malicious RDP behaviour - report

30 Sep 2019

Network threat detection and response (NDR) solutions provider Vectra has disclosed that the Remote Desktop Protocol (RDP) is a widely exposed and vulnerable attack surface and will likely continue in the near future due to the protocol’s prevalent use.

Cyberattackers characteristically follow the path of least resistance to achieve their objectives.

They will attempt to use existing administrative tools before they introduce new malicious software to perform internal reconnaissance, move laterally and exfiltrate data from a network.

One of the most popular administrative tools is RDP, which is used by IT system administrators to centrally control their remote systems with the same functionality as if they were local.

RDP is an even more vital tool for managed service providers (MSPs) in their management of hundreds of client networks and systems.

According to the Vectra 2019 Spotlight Report on RDP, from January-June 2019, the company’s threat detection platform detected 26,800 suspicious RDP behaviours in more than 350 deployments.

Data from Vectra confirms that RDP remains a very popular technique for cyberattackers, with 90% of these deployments exhibiting RDP attacker behaviour detections

Manufacturing and finance organisations have the highest rate of RDP detections at 10 and eight detections per 10,000 workloads and devices, respectively.

The top five at-risk industries are manufacturing, finance and insurance, retail, government, and healthcare.

The top three industries – manufacturing, finance and insurance, and retail – together account for almost half (49.8%) of all RDP detections.

Within the manufacturing industry, mid-sized organisations had the highest rate of RDP detections at a rate of 20 per 10,000 workloads or devices, which is 82% higher than medium-sized retail, which is the next highest industry subsegment, and 100% higher than small finance and insurance organisations.

Although the manufacturing industry has the highest rate of RDP detections, IT managers in manufacturing organisations are likely to prefer the cost and time savings of centralised management enabled by RDP over the increased potential abstract risk of a cyberattacker exploiting it.

The use of RDP provides significant business value because it enables centralised management of geographically distributed business systems.

“Cybercriminals know that RDP is an easy-to-access administrative tool that allows them to stay hidden while carrying out an attack,” says Vectra security analytics head Chris Morales.

“It’s essential for security teams to understand how RDP is used by attackers because it will continue to be a threat in the near future.”

The ubiquity of RDP on Windows systems and its frequent use by system administrators make RDP the ideal tool for attackers to avoid detection while performing these functions.

Download image
Workforce demographics and culture is changing. Management must too
The way we work is changing, and so is the make-up of the workforce. To get the best results, businesses need to take on dynamic workforce management.More
Story image
The real reason to use risk-based authentication in the enterprise
By analysing what the user knows, has, and does, the risk engine can identify legitimate users while denying access to intruders.More
Story image
HP Inc pledges to eliminate 75% of single-use plastic by 2025
This transition from plastic to molded fibre has already eliminated 933 tonnes of hard-to-recycle expanded plastic foam last year, according to HP.More
Link image
Say goodbye to outages and performance outages with server monitoring
Stop wondering which processes or services are causing a server spike. Analyze the performance of Windows services and Linux processes to understand their load on system resources and perform start, stop, and delete actions while on the go with a dedicated mobile app.More
Story image
Interview: Checkmarx on the state of software security in Asia Pacific
"While the benefits of software are obvious, this proliferation also creates a massive and ever-evolving attack surface,” says Checkmarx A/NZ country manager Raygan Flores.More
Story image
Why DX is not complete without a transformed security architecture
Secure Access Services Edge (SASE) is the process by which core WAN edge capabilities like SD-WAN, routing, and WAN optimisation at branch locations are integrated with cloud-based security services like secure web gateways, firewall-as-a-service, cloud access security brokers, and more.More