New VPN Insights package shines the light on a growing blindspot
VPN tunnels are like shipping containers in that they are widely used (especially as the pandemic has moved more of the workforce to remote work), and they can be used to carry traffic for legitimate as well as malicious purposes. Establishing a tunnel between corporate offices, remote workers, or partners to transfer data is a legitimate and common use for VPNs. But attackers can use VPN tunnels to establish a backdoor into your network or even allow malicious insiders to exfiltrate data through an unprotected channel. Given their ubiquity and encrypted nature VPNs can be a challenge for network defenders.
Like most network monitoring, it all starts with visibility. How are you currently getting visibility into the VPN traffic on your network? Maybe it’s logs from your own VPN services (concentrators, NGFWs, wireless controllers, authentication providers) which are great, but those can only tell you about legitimate usage. Maybe you’re able to get some data from your EDR platforms, seeing what’s installed or used on managed endpoints, but still you’re left with a sizable gap. What about unmanaged devices, IoT, shadow IT, and BYOD?
Anyone who is on your network may be able to connect to an external VPN service and create a tunnel into and out of your network, perhaps without your knowledge at all. VPNs use many unique (and mostly encrypted) protocols which work in very different ways and can be pretty complex to parse. Even if you’re able to analyze some of those protocols, attributing specific providers to generic types of traffic on the network can be a challenge.
Corelight just shipped our latest software release (v24) which includes a brand new addition to our Encrypted Traffic Collection: VPN Insights. With a suite of new protocol analysis, Corelight’s new VPN Insights package delivers unparalleled visibility into VPN traffic on your network, with the capabilities to analyze and identify more than 350 unique VPN providers and write information about those VPN connections to a new log. The log allows our customers to identify all VPN connectivity to and from the corporate networks, label what VPN provider is being used, and provide detailed metadata about the connection including duration, volume, and geolocation information. The log also includes a set of inferences to help identify behavioral patterns (was the VPN likely remote access, was it used on a port which could evade filtering, was it a commercial VPN, and was it using a non-standard port).
Part of the strength of Corelight’s OpenNDR approach is that our Zeek engine can be quickly adapted to discover and analyze new network protocols. The latest approach which facilitates this is the Spicy framework, which allows rapid development of new analyzers which can be run directly in Zeek. As part of the research into this VPN content, Corelight Labs developed and released a series of VPN protocol analyzers to the open-source community. These new analyzers are the basis for the VPN Insights package which distills the VPN connection information into a succinct log that includes the provider names and metadata. While the analyzers are open-source and available for any Zeek user, the VPN Insights package is for Corelight customers only.
Now you can go from limited or partial visibility into VPN traffic to a complete accounting of what VPNs are being used on your network. The data is great for responding to specific incidents, but it’s also invaluable for threat hunting and compliance. You can answer questions like:
- How many endpoints are using non-corporate VPN providers/protocols?
- What endpoints are connecting to specific countries where we don’t have business interests?
- What times of the day or week are VPN tunnels connecting to our network?
One of our customers reports that the new VPN log is their “new favorite log,” and we understand why. The VPN Insights package helps network defenders get a better understanding of what’s going on inside all of those shipping containers (or should I say VPN connections) criss-crossing your information highways.
But that’s not all that’s in this latest software release. Corelight v24 also includes:
- Built-in detection for the log4shell vulnerability
- Backup and restore functionality for Corelight Fleet Manager
- Additional options for shunting on our largest AP 5000 hardware sensor.
This new release also contains bug fixes and other enhancements, please visit the Corelight support portal for more information including release notes and user documentation.
We hope that the VPN Insights package is helpful to you, and we always love to hear feedback on what we’re producing. Drop us an email, connect with your support contact and follow our blog for the latest updates from Corelight.
By Vince Stoffer, Senior Director of Product Management, Corelight
