VPN

QT
2 min read · Oct 1, 2023

Today, let’s dive into getting an understanding of how a virtual private network (VPN) works in a business setup and the indicators of compromise (IOCs) to look for during monitoring.

First, there are different types of VPNs in a business setup.

Site-to-site VPN: This type of VPN is used in large organizations. It provides a secure connection between two private networks so that company resources can be reached securely, for example, connecting a branch office to headquarters, or two different companies accessing the same resources.

Remote access VPN: This type of VPN is used to reach company resources by connecting remotely, for example, by someone working from home.

Indicators of compromise in VPN traffic logs

VPN user accounts in organizations are created by the administrators and mostly follow a consistent naming convention; hence, an account name that does not fit the convention should raise concern. Other indicators of compromise include:

Detection of user account or group modifications

Successful logon outside business hours

Outbound access to invalid destination IPs

Access attempts on unidentified protocols and ports

Successful connection from an internet IP (including over VPN) after repeated blocks in the firewall

Brute force with successful configuration changes

Administrator login failure

High number of denied events

Detection of any kind of failure related to standby
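To show how a few of these indicators translate into monitoring logic, here is an added example (not code from the original article): a small detector that runs over constructed VPN log lines. The log format, the account naming convention, the business-hours window and the block threshold are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed "<timestamp> <user> <src_ip> <ALLOW|DENY>" format.
SAMPLE_LOGS = """\
2023-10-01T09:12:03 jdoe 203.0.113.10 DENY
2023-10-01T09:12:08 jdoe 203.0.113.10 DENY
2023-10-01T09:12:15 jdoe 203.0.113.10 DENY
2023-10-01T09:12:20 jdoe 203.0.113.10 DENY
2023-10-01T09:12:31 jdoe 203.0.113.10 ALLOW
2023-10-01T10:30:00 asmith 198.51.100.7 ALLOW
2023-10-01T02:45:12 asmith 198.51.100.9 ALLOW
2023-10-01T11:00:00 tmp_x1 192.0.2.55 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|DENY)$")
ACCOUNT_RE = re.compile(r"^[a-z]{2,12}$")  # assumed convention: lowercase initial + surname
BUSINESS_HOURS = range(8, 18)              # assumed 08:00-17:59 local time
BLOCK_THRESHOLD = 3                        # assumed: DENYs from one IP before an ALLOW is suspicious

def parse(text):
    """Turn raw lines into event dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, action = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "action": action})
    return events

def detect(events):
    """Return (ioc_name, user, src_ip) tuples for three of the IOCs listed above."""
    findings = []
    denies = Counter()  # DENY count per source IP since its last ALLOW
    for e in events:
        ip = e["ip"]
        if e["action"] == "DENY":
            denies[ip] += 1
            continue
        if denies[ip] >= BLOCK_THRESHOLD:  # success after repeated firewall blocks
            findings.append(("allow_after_repeated_blocks", e["user"], ip))
        denies[ip] = 0
        if e["ts"].hour not in BUSINESS_HOURS:  # successful logon outside business hours
            findings.append(("success_outside_business_hours", e["user"], ip))
        if not ACCOUNT_RE.match(e["user"]):  # account name that breaks the naming convention
            findings.append(("nonstandard_account_name", e["user"], ip))
    return findings
```

Running detect(parse(SAMPLE_LOGS)) flags the ALLOW that followed four blocks from the same source, the 02:45 logon, and the account name that breaks the convention; in a real deployment these would be fed from the VPN appliance or SIEM rather than an inline string.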

I hope this article will be of help to those who are venturing into the SOC analyst field.

I am a SOC analyst and Data Protection Officer with 1.5 years of experience and vast knowledge in threat intelligence and incident response.