First published on CloudBlogs on Jan 04, 2018 by Microsoft Advanced Threat Analytics Team
A majority of IT teams use Virtual Private Network (VPN) connections as a method to grant remote users access to corporate resources from outside the company’s network. A VPN connection provides employees flexibility by allowing them to work on the go and helps to increase productivity. Since VPN connections are fully encrypted, they are secure and therefore their content is not always inspected. However, VPN offers an entry point for attackers to use existing credentials and remotely connect into a corporate network. With the release of version 1.8, Advanced Threat Analytics (ATA) now detects when and where credentials are being used via VPN and integrates that data into your investigation. Capturing and analyzing the origin of VPN connections increases your chances of identifying where and how attackers are leveraging stolen credentials in your network. With this release, the network user's profile page now includes information from VPN connections, such as the IP addresses and locations from where these connections originate: To do this, ATA listens to the Remote Authentication Dial-In User Service (RADIUS) accounting events forwarded by your VPN solution. This mechanism is based on standard RADIUS Accounting protocols ( RFC 2866 ), and we support the following VPN vendors:
- Microsoft
- F5
- Cisco Adaptive Security Appliance (ASA)
Check out the simple step-by-step technical guide on how to add VPN data into ATA . Following the simple configuration, you’d see VPN activity in the users' profile page, as shown below: This information can be used to complement the alert data you already have when investigating a potential compromise, as you will quickly be able to identify any user that’s connected from a suspicious location. We encourage all companies to add this capability to their existing deployment. Haven’t tried or deployed ATA yet? Get a 90-day evaluation copy. Have a question? You can ask questions and join the discussion with our team at the Microsoft Advanced Threat Analytics TechCommunity site ! All the best, Hayden Hainsworth ( @cyberhayden ) Customer & Partner Experience Program Leader, Cybersecurity Engineering Microsoft Cloud + Enterprise Division