Threat actors and early adopters use these legitimate technologies to obtain unauthorized access or to stay in place. The past has seen a notable increase in the utilization of these technologies by acquaintances. In our incident response reports, we have observed that, for instance, malevolent purposes are being served via tools such as AnyDeck, VNC, and/or ScreenConnect.
Organizations have generally made significant progress in terms of their cybersecurity efforts, which means that attackers must now become more resourceful in figuring out how to get past installed security products and implemented rules (such as an EDR tool, in most cases). These RMM programs are signed as "trusted binaries," which usually go unnoticed or unalerted by any EDR tool, making them an excellent backdoor into your system.
Therefore, it's critical to:
• Limit the number of authorized RMM tools you use in your environment
• Regularly check your environment for the presence of RMM tools
• Ensure visibility and auditability when using
RMM tools and PSA software.
• Monitor an incident to ensure that only trusted and known RMM tools are used in your environment.
To facilitate appropriate follow-up, we may resort to threat hunting.
Also Read:
What is a Metered Connection?
