VPN Services
Overview
Implementing use cases for VPN services to monitor and secure remote access, detect unauthorized connections, and respond to potential threats.
Sample products
- Cisco AnyConnect
- OpenVPN
- Palo Alto Networks GlobalProtect
- Check Point Endpoint Security VPN
Use Case Categories
| Category | Description |
|---|---|
| VPN Connection Monitoring | Monitor VPN server logs and network traffic to track VPN connection events, including successful connections, failed login attempts, and disconnections. Detect unauthorized access attempts, brute-force attacks, or suspicious VPN connections that may indicate security threats. |
| Threat Intelligence Integration | Integrate threat intelligence feeds and indicators of compromise (IOCs) with VPN monitoring systems to detect known malware, malicious IP addresses, or malicious domains associated with cyber threats. Use threat intelligence to enhance VPN security controls and threat detection capabilities. |
| VPN Traffic Analysis | Analyze VPN traffic patterns, data flows, and network protocols to detect anomalous or suspicious behavior. Monitor VPN traffic for signs of data exfiltration, lateral movement, or command-and-control (C2) communications associated with malware or cyber attacks. |
| User Authentication and Access Control | Monitor VPN authentication logs and access control mechanisms to ensure that only authorized users and devices can establish VPN connections. Detect anomalous login patterns, account compromises, or credential theft attempts targeting VPN authentication systems. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Abnormal VPN Disconnections | Detects frequent disconnections that could indicate network issues or evasion attempts. |
| Geographically Improbable Access | Identifies logins from geographically distant locations within a short period. |
| Unusual After-Hours VPN Activity | Monitors for VPN connections outside standard business hours, which could indicate unauthorized access. |
| Access from Known Malicious IPs | Detects VPN logins from IPs flagged as malicious by threat intelligence feeds. |
| Unusual VPN Traffic Patterns | Identifies the use of non-standard or insecure VPN protocols, potentially indicating an attempt to bypass security controls or use outdated, vulnerable VPN connections. |
| VPN Access with Known Malware Signatures | Detects when devices connected to the VPN are reported to have communicated with known malware command and control servers. |
| Anomalous Data Transfer Volumes | Identifies significant deviations from typical data transfer volumes. |
| VPN Tunneling Protocol Anomalies | Monitors for anomalies in VPN tunneling protocol usage. |
| Use of Unauthorized VPN Services | Detects attempts to establish VPN connections using unauthorized VPN services or applications. |
| Repeated Authentication Failures | Monitors for repeated authentication failures. |
| Access from Unauthorized Devices | Identifies VPN access attempts from devices not registered or authorized for VPN use. |
| Elevation of Privilege Attempts | Detects attempts to gain higher access levels than assigned through the VPN. |
| Suspicious Concurrent Sessions | Monitors for multiple concurrent sessions by the same user credentials. |
MITRE ATT&CK
T1090, T1196, T1078, T1082, T1132, T1043, T1065, T1204, T1041, T1071, T1110, T1068