Third-party VPN activity

ID: vpn_activity
Data type: DNS, IP, HTTP
Severity: Medium
MITRE ATT&CK: TA0010:T1048

Description

AlphaSOC detected network traffic associated with third-party Virtual Private Network (VPN) services. This may indicate attempts by threat actors to conceal malicious activity.

Impact

Unauthorized VPN use can compromise network security by creating encrypted tunnels that bypass security controls. This can enable data exfiltration, command and control (C2) communication, and other malicious activities to go undetected. VPNs can also be used to hide the true source of attacks, making incident response and forensic analysis more challenging.

Severity

Severity    Condition
Medium      Third-party VPN traffic

Investigation and Remediation

Investigate the VPN traffic to determine if it's authorized. Review logs and endpoint data to identify the user or process initiating the VPN connection. If unauthorized activity is confirmed, terminate the VPN session and isolate the affected system. Conduct a thorough analysis of the system for signs of compromise or data exfiltration.
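The triage procedure above, as an added example that is not AlphaSOC's own code: a small Python script takes DNS and HTTP events that matched a VPN indicator, attributes each to the user and process that held the source address in endpoint telemetry, and checks that user against an approved-use register before deciding whether the session is authorized, unauthorized, or still lacks endpoint data. The indicator domains, IP addresses, users and process names are constructed sample data, and the approved-use register is an assumption about how VPN authorization is recorded in a given environment.

```python
"""Triage helper for third-party VPN alerts.

Added example, not AlphaSOC code. Correlates network events that matched a
VPN indicator with endpoint telemetry, then checks the originating user
against an approved-use register. Everything below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed indicator list: domains a hypothetical feed tags as VPN endpoints.
VPN_INDICATORS = {
    "gateway.vpn-provider.example",
    "api.vpn-provider.example",
    "connect.other-vpn.example",
}

# Constructed approved-use register (assumption: authorization is a user list).
APPROVED_VPN_USERS = {"alice"}

# Constructed network events, the kind the DNS and HTTP data types carry.
NETWORK_EVENTS = [
    {"ts": 100, "src_ip": "10.0.0.5", "type": "DNS", "query": "gateway.vpn-provider.example"},
    {"ts": 101, "src_ip": "10.0.0.5", "type": "HTTP", "host": "api.vpn-provider.example"},
    {"ts": 200, "src_ip": "10.0.0.9", "type": "DNS", "query": "connect.other-vpn.example"},
    {"ts": 300, "src_ip": "10.0.0.7", "type": "DNS", "query": "intranet.corp.example"},
    {"ts": 400, "src_ip": "10.0.0.11", "type": "DNS", "query": "gateway.vpn-provider.example"},
]

# Constructed endpoint telemetry: which user and process held each source IP.
ENDPOINT_EVENTS = [
    {"ts": 99, "src_ip": "10.0.0.5", "user": "alice", "process": "vpnclient.exe"},
    {"ts": 198, "src_ip": "10.0.0.9", "user": "bob", "process": "browser.exe"},
]


@dataclass
class Finding:
    src_ip: str
    indicator: str
    user: Optional[str]
    process: Optional[str]
    verdict: str  # "authorized", "unauthorized" or "needs_endpoint_data"


def _matched_indicator(event):
    """Return the VPN indicator the DNS query or HTTP host hit, or None."""
    name = event.get("query") or event.get("host") or ""
    return name if name in VPN_INDICATORS else None


def _attribute(src_ip, ts, window=60):
    """Latest endpoint record for src_ip no more than `window` seconds before ts."""
    best = None
    for rec in ENDPOINT_EVENTS:
        if rec["src_ip"] == src_ip and 0 <= ts - rec["ts"] <= window:
            if best is None or rec["ts"] > best["ts"]:
                best = rec
    return best


def triage(network_events=NETWORK_EVENTS):
    """Classify every indicator hit; events that matched nothing are skipped."""
    findings = []
    for ev in network_events:
        indicator = _matched_indicator(ev)
        if indicator is None:
            continue
        rec = _attribute(ev["src_ip"], ev["ts"])
        if rec is None:
            # No endpoint record close enough: attribution is the next step.
            user = process = None
            verdict = "needs_endpoint_data"
        else:
            user, process = rec["user"], rec["process"]
            verdict = "authorized" if user in APPROVED_VPN_USERS else "unauthorized"
        findings.append(Finding(ev["src_ip"], indicator, user, process, verdict))
    return findings


def hosts_to_isolate(findings):
    """Source IPs whose VPN use is confirmed unauthorized (isolation candidates)."""
    return sorted({f.src_ip for f in findings if f.verdict == "unauthorized"})


if __name__ == "__main__":
    results = triage()
    for finding in results:
        print(finding)
    print("isolate:", hosts_to_isolate(results))
```

The attribution window is deliberately short so that a stale endpoint record does not get blamed for later traffic from a reassigned address; a hit with no record in the window is reported as needing endpoint data rather than being silently treated as authorized or unauthorized.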

Known False Positives

  • Employees may use VPN services for privacy reasons
  • Web browsers with built-in VPN or proxy features