Remote monitoring and management (RMM) tools are increasingly used by enterprises and/or their managed service providers to remotely manage endpoints, including laptops and servers. For many, they are an essential tool for connecting remotely, monitoring performance, performing software updates, resets, or recovery, identifying newly joined devices, and running diagnostic tests.
The ideal attack surface
As with most tools, as they become increasingly popular with businesses, they also gain the attention of adversaries looking to disrupt the business. So, what makes RMMs so appealing? It is their reach within the organization. Firstly, RMMs are connected to nearly every device and person in the organization. They're ubiquitous and, by design, able to install programs on large numbers of machines. From a security standpoint, they are rarely limited in their privileges on devices, are sometimes excluded from antivirus scans, usually have protections turned off during updates, and are generally overlooked by security administrators. This is an ideal playing field for those looking to deploy ransomware, living-off-the-land attacks, or more.
Through 2020 and 2021, we’ve seen a number of remote monitoring and management tools fall victim to cyber-attacks. Kaseya and SolarWinds were two of the most notable solutions breached, affecting not only the vendors but their clients and supply chain as well. So how do these attacks occur, and what can you do about them?
For more information on how attacks on RMMs work and how to mitigate this cyber risk, read our Threat Insight piece.