State Police Department Reduces Remote Attack Surface With Cortex Xpanse

Due to the COVID-19 pandemic, organizations large and small, government and commercial, have seen a rise in their remote attack surfaces. For one large state police department, the pandemic and subsequent rise in remote work led to more than 75 servers running Microsoft RDP being left exposed on the public internet.

RDP servers provide remote access to a computer over the internet as though you were physically sitting in front of the computer and logging in through a graphical user interface. RDP is a useful protocol, but it was never intended to be exposed on the internet. Externally accessible RDP servers pose a significant security risk and are a frequent target for attackers using a variety of documented exploits. The rise of rapid, internet-wide scanning and machine-speed attacks makes it easier for bad actors to find and take advantage of exposed assets like RDP. Remote access exposures and attempts at compromise have only increased since the onset of the coronavirus crisis, and state-sponsored advanced persistent threat (APT) groups are known to target them. Left unmitigated, each of those RDP servers would have presented an opportunity for a malicious actor to compromise the state police network.

The state police department first began working with Expanse (now Palo Alto Networks Cortex Xpanse) when Expanse discovered an exposed RDP server and proactively reached out to the state chief information security officer (CISO) with the associated certificate, IP address, and other information to flag the risky asset and support remediation.

After receiving the information, the CISO immediately initiated an internal investigation. The following day, Expanse discovered more than 75 additional examples of publicly accessible RDP servers following the same naming convention; most of these corresponded with state police cruiser laptops. The state agency was only able to find 36 of the 75 RDP servers Expanse had surfaced with an internet scanning tool it had used previously. In addition to surfacing the exposures for the state police department, Expanse alerted the state’s CISO to seven additional exposed RDP servers belonging to the state’s health department, the state legislature, the Environmental Protection Agency, and other state agencies. In less than a day, Expanse had reported the IP address, port, and certificate signature for each exposure to the CISO to inform and drive remediation efforts.

“RDPs are very concerning exposures, and we really appreciate the information Expanse provided to us,” said the State CISO. “After Expanse’s initial tip, we tried to find all additional exposures using publicly available tools, and we weren’t able to do so. The data Expanse provided aided our investigation and helped us rapidly address a serious issue that could have had significant consequences for the operations of the state.”

With the help of Expanse in identifying all exposed RDP services, the state government was able to remove each of these RDP servers from being publicly accessible. With a significantly reduced attack surface, the state government and police department are more secure and better able to focus on their mandate of serving the people of their state.

To learn more about Cortex® Xpanse™, visit paloaltonetworks.com/cortex/cortex-xpanse.