What is Remote Monitoring and Management Software Security?
Remote monitoring and management (RMM) software is a type of application often used by managed service providers to maintain their clients’ IT systems and infrastructure. A small footprint, often called an “agent,” is installed on client workstations, servers, mobile devices, and other endpoints; those agents then feed information about machine health and status back to the managed service provider. Through these agents, the managed service provider can gain insight into client networks, keep machines maintained and up to date, and monitor the network for any issues that need attention, all of it remotely.
Security researchers have been warning that RMM software has been targeted as a means for cyberattackers to achieve remote access and control over systems. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate RMM software [1]. In 2022, CISA identified a widespread cyber campaign where cyberattackers sent phishing emails that led to the download of legitimate RMM software, which the actors used in a refund scam to steal money from victim bank accounts. While these cyberattacks appeared to be financially motivated, attacks such as these could lead to additional types of malicious activity such as selling victim account access. The following mitigations can help your organization to protect itself from RMM cyberattacks:
- Implement best practices to block phishing emails.
- Audit remote access tools on your network to identify currently used and/or authorized RMM software.
- Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
- Use security software to detect instances of RMM software only being loaded in memory.
- Implement application controls to manage and control execution of software, including whitelisting RMM programs. Application controls should prevent both installation and execution of portable versions of unauthorized RMM software.
- Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as VPNs or virtual desktop interfaces (VDIs).
- Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter.
- Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
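The audit and log-review mitigations above can be turned into a simple check over process-creation telemetry. The following is an added example, not code from the advisory or this page: the log records are constructed, and the RMM binary names, the authorized set, the approved install roots and the lure-parent list are assumptions to be replaced with the inventory produced by the audit step.

```python
import csv
import io
import ntpath

# Illustrative RMM agent binaries an environment might track (assumption).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
# Tools the organization has sanctioned, and the install roots they should run from.
AUTHORIZED = {"screenconnect.clientservice.exe"}
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Parent processes that suggest the agent came from a mail or browser lure.
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation records (not real telemetry).
SAMPLE_LOG = r"""timestamp,host,user,image,parent
2024-03-04T09:12:01Z,WS-017,jdoe,C:\Users\jdoe\Downloads\AnyDesk.exe,OUTLOOK.EXE
2024-03-04T09:15:44Z,WS-017,jdoe,C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe,services.exe
2024-03-04T10:02:13Z,WS-022,asmith,C:\Users\asmith\AppData\Local\Temp\TeamViewer.exe,explorer.exe
2024-03-04T10:30:00Z,WS-022,asmith,C:\Windows\System32\notepad.exe,explorer.exe
2024-03-04T11:00:00Z,SRV-01,SYSTEM,C:\ProgramData\ScreenConnect.ClientService.exe,cmd.exe
"""


def classify(image, parent):
    """Return the policy violations for one execution (empty list if none)."""
    path = image.lower()
    name = ntpath.basename(path)
    if name not in RMM_BINARIES:
        return []
    reasons = []
    if name not in AUTHORIZED:
        reasons.append("unauthorized RMM tool")
    elif not path.startswith(APPROVED_ROOTS):
        # Sanctioned product outside its install directory: likely a portable copy.
        reasons.append("authorized tool run from non-standard path")
    if ntpath.basename(parent.lower()) in LURE_PARENTS:
        reasons.append("launched by mail client or browser")
    return reasons


def find_suspicious_rmm(log_text):
    """Scan CSV process-creation records; one finding per violating execution."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row["image"], row["parent"])
        if reasons:
            findings.append({"host": row["host"], "user": row["user"],
                             "image": row["image"], "reasons": reasons})
    return findings
```

Running `find_suspicious_rmm(SAMPLE_LOG)` on the constructed log flags the AnyDesk download launched from the mail client, the TeamViewer copy in a temp directory, and the sanctioned ScreenConnect agent executing from ProgramData rather than its install path.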
[1] CISA, 2023, “Protecting Against Malicious Use of Remote Monitoring and Management Software”