Third-party VPN activity
Description
AlphaSOC detected network traffic associated with third-party Virtual Private Network (VPN) services. This may indicate attempts by threat actors to conceal malicious activity.
Impact
Unauthorized VPN use can compromise network security by creating encrypted tunnels that bypass security controls. This can enable data exfiltration, command and control (C2) communication, and other malicious activities to go undetected. VPNs can also be used to hide the true source of attacks, making incident response and forensic analysis more challenging.
Severity
| Severity | Condition |
|---|---|
| Medium | Third-party VPN traffic |
Investigation and Remediation
Investigate the VPN traffic to determine whether it is authorized. Review network logs and endpoint data to identify the user or process that initiated the VPN connection. If unauthorized activity is confirmed, terminate the VPN session and isolate the affected system, then conduct a thorough analysis of the system for signs of compromise or data exfiltration.
Known False Positives
- Employees may use VPN services for privacy reasons
- Web browsers with built-in VPN or proxy features
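The triage steps above (check whether the destination is sanctioned, correlate the alert with endpoint data to find the initiating user and process, and account for the browser built-in VPN false positive) as an added example; this is not AlphaSOC's code, and the alert fields, endpoint events, authorized-destination set and browser process list are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not AlphaSOC output): one third-party VPN alert
# plus endpoint process events from the same host.
ALERT = {"host": "ws-042", "src_ip": "10.1.2.42",
         "dest": "gateway.vpn-provider.example",
         "ts": datetime(2024, 5, 1, 9, 15, 0)}
ENDPOINT_EVENTS = [
    {"host": "ws-042", "ts": datetime(2024, 5, 1, 9, 14, 50), "user": "jdoe",
     "process": "vpnclient.exe", "dest": "gateway.vpn-provider.example"},
    {"host": "ws-042", "ts": datetime(2024, 5, 1, 8, 0, 0), "user": "jdoe",
     "process": "outlook.exe", "dest": "mail.corp.example"},
]
# Assumed authorization sources (hypothetical): VPN endpoints the organisation
# sanctions, and browsers whose built-in VPN/proxy feature is a known false positive.
AUTHORIZED_DESTS = {"vpn.corp.example"}
BROWSER_VPN_PROCESSES = {"opera.exe", "brave.exe"}


def find_initiator(alert, events, window=timedelta(seconds=60)):
    """Return the endpoint event closest in time to the alert, on the same host
    and to the same destination, or None if nothing correlates."""
    candidates = [e for e in events
                  if e["host"] == alert["host"] and e["dest"] == alert["dest"]
                  and abs(e["ts"] - alert["ts"]) <= window]
    return min(candidates, key=lambda e: abs(e["ts"] - alert["ts"]), default=None)


def triage(alert, events):
    """Classify the alert as authorized, a likely false positive, or one to escalate."""
    if alert["dest"] in AUTHORIZED_DESTS:
        return {"verdict": "authorized", "reason": "sanctioned VPN endpoint", "initiator": None}
    init = find_initiator(alert, events)
    if init is None:
        # No endpoint process explains the traffic: treat as unexplained and contain.
        return {"verdict": "escalate", "reason": "no endpoint process correlated",
                "initiator": None}
    if init["process"].lower() in BROWSER_VPN_PROCESSES:
        return {"verdict": "likely_false_positive",
                "reason": "browser built-in VPN/proxy feature", "initiator": init}
    return {"verdict": "escalate",
            "reason": f"unsanctioned VPN client {init['process']} run by {init['user']}",
            "initiator": init}


if __name__ == "__main__":
    print(triage(ALERT, ENDPOINT_EVENTS))
```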