As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.
One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection algorithm basically detects remote control of a host inside an organization’s network by an entity outside (in this context, “outside” means not connected via VPN) the network on a connection that has been initiated by the internal host.
An example of this would be a desktop sharing application such as GoToMyPC where an employee decides to make her desktop accessible via her smartphone while she is out of the office. Scarier examples include Remote Access Tools (RATs) such as Poison Ivy, DarkComet or Blackshades that provide the same functionality, but are more highly correlated with targeted attacks.
The presence of external remote access detections in a customer’s networks usually leads to a discussion that places the customer in one of the following two categories:
- The customer considers commercial remote desktop services and RATs as functionally equivalent. Both provide a means for an external entity to exert control over a machine on the inside of the network. RATs are more highly correlated with targeted attacks and commercial remote desktop services are more correlated with uninformed employees who don’t understand the security implications of using such services. But a targeted attack could just as easily make use of a commercial remote desktop service and an employee might use a RAT.
These customers typically have a policy against any form of remote access that does not involve use of the company-approved VPN technology and will terminate all such connections and sometimes even the employee.
- The customer considers commercial remote desktop services and RATs as very different. They want to see RAT detection accompanied by a high threat score and still want visibility to the commercial remote desktop sessions, but don’t want them to drive our conception of threat when there’s no other reason to view the host suspiciously.
These customers typically have no explicit policy against the use of commercial remote desktop services. They want to see detection of this behavior, but will only treat it as a piece of information that helps form their view of the risk profile of an employee.
Threat scoring is an extremely malleable idea. When rational customers don’t agree on the importance of detecting something as potentially dangerous as allowing a connection from the outside into the core of their campus networks, it’s clear that the threat is in the eye of the beholder.