Prevent Malicious VPN Connection

Hi All,

How can we use Zscaler to prevent the below scenario:

Malicious software is already installed on a user’s machine, located on a trusted network, and it initiates an encrypted VPN connection to the attacker.
The Trusted Network traffic is forwarded to Zscaler via GRE tunnel.

How to prevent/detect the software initiating an encrypted VPN connection to the attacker, and prevent the attacker from accessing the internal network?

Hi @Omar, some great questions here…


How to prevent/detect the software initiating an encrypted VPN connection to the attacker

This is handled by Zscaler’s deep security stack, in particular preventing connections to Command and Control systems via multiple methods (signature detections, URL/IP blocks, blocking undecryptable traffic, etc.).


How to prevent the attacker access to the internal network

This is actually a great use-case for Zscaler Private Access and ZTNA in general.

Instead of the user connecting to the network, the user will have access to only specific applications, many of which may not be vulnerable to whatever malicious software is running on the affected endpoint. This prevents malicious software from being able to easily move laterally.

Further, if there was an incident/breakout on the private network, the malware would not be able to initiate connections to the external client and worm in the reverse direction.


Hope that helps. Do let us know if you need to dig into this further.

3 Likes

Thanks for the reply, provided me the answer I was looking for.

Happy New Year :slight_smile:

Just to piggyback on what @skottieb said – you can test this for yourself. Assuming you’ve configured it, you can test fairly easily whether outbound connections via VPN are allowed. Download and install the Opera browser (opera . com) and use the in-browser VPN to test. It should never connect.

Thanks for piggybacking, didn’t think of that.
Will try it and reply to this thread.

There are several ways which can potentially lower the risk of such an attack:

  1. Access control and threat prevention - we assumed the malware has been downloaded, but an access control policy can actually help to lower the chance of a successful download, such as blocking executable file downloads and quarantining any new unknown file for Zscaler sandbox scanning.

  2. C&C and other tunnel traffic can be blocked, if the malware has somehow been downloaded and installed, by:

  • blocking C&C servers and traffic from advanced threat prevention

  • blocking HTTP tunnel and undecryptable SSL traffic for the web channel

  • blocking VPN and similar traffic from the advanced cloud firewall

Best Regards,

Jones Leung

2 Likes
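The second list above describes blocking VPN-port traffic, undecryptable traffic on 443 and HTTP tunnels. As an added illustration (not code from the thread or from Zscaler), here is a small triage script that applies those three rules to a constructed key=value flow log; the log format, field names and port table are assumptions for the example.

```python
"""Flag outbound flows from a trusted network that look like VPN or tunnel traffic.

Assumptions (constructed for this example, not a Zscaler log format):
  - one flow per line as 'key=value' pairs: src, dst, proto, dport, tls, method
  - tls=yes/no records whether a TLS ClientHello was seen on the flow
"""
from dataclasses import dataclass
from typing import List, Optional

# Ports commonly used by VPN protocols (assumption: tune to your environment)
VPN_PORTS = {
    ("udp", 1194): "openvpn", ("tcp", 1194): "openvpn",
    ("udp", 51820): "wireguard",
    ("udp", 500): "ikev2/ipsec", ("udp", 4500): "ipsec-nat-t",
    ("tcp", 1723): "pptp",
}

@dataclass
class Finding:
    src: str
    dst: str
    reason: str

def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec: dict) -> Optional[str]:
    """Return why the flow should be blocked/alerted on, or None if it looks benign."""
    proto, port = rec["proto"], int(rec["dport"])
    if (proto, port) in VPN_PORTS:                      # rule: VPN and similar traffic
        return f"vpn-port:{VPN_PORTS[(proto, port)]}"
    if proto == "tcp" and port == 443 and rec.get("tls") == "no":
        return "undecryptable-on-443"                  # rule: not TLS, cannot be inspected
    if rec.get("method") == "CONNECT" and port != 443:
        return "http-connect-tunnel"                   # rule: HTTP tunnel to odd port
    return None

def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every log line and collect the hits."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["src"], rec["dst"], reason))
    return findings

SAMPLE_LOG = [  # constructed sample flows (RFC 5737 documentation addresses)
    "src=10.1.5.23 dst=203.0.113.10 proto=udp dport=51820 tls=na",
    "src=10.1.5.23 dst=203.0.113.10 proto=tcp dport=443 tls=no",
    "src=10.1.7.9 dst=198.51.100.4 proto=tcp dport=443 tls=yes",
    "src=10.1.7.9 dst=198.51.100.4 proto=tcp dport=8443 method=CONNECT",
    "src=10.1.2.2 dst=192.0.2.77 proto=tcp dport=80 method=GET",
]
```

Running `scan(SAMPLE_LOG)` flags the first, second and fourth flows; the plain TLS session and the normal HTTP request pass.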

I would also suggest blocking the “Miscellaneous” URL category.

Well, sometimes Misc may need to be allowed due to some new pages not being categorized by Zscaler yet (and that will happen with any other URL filtering DB in reality), so probably using Caution for Misc will be a better alternative, as it will stop a lot of web access that is not from browsers. Browser isolation will be perfectly helpful for managing all the access to Misc as well.

Best Regards,

Jones Leung

Indeed, I would advise against blocking Misc. Our Advanced Threat Protection and Tunnel control options should already cover this, and blocking Misc Categories is likely to have a negative impact on the user experience.

Instead (if you must), block the Newly Registered Domains category and/or start using Z-Tunnel 2 with Advanced Firewall features enabled (to protect against non-web communication channels like DNS).