The present invention, in some embodiments thereof, relates to remote desktop access to a target machine and, more particularly, but not exclusively, to generating an assessment of a remote desktop access connection session.
Network communication solutions that facilitate communication between remote networked machines can also be an effective tool for attackers, who can use them for malicious purposes from halfway around the world.
One such tool is Microsoft's Remote Desktop Connection (RDC) user application. RDC enables a user to log into a networked computer remotely and interactively use its desktop interface as if they were sitting in front of the local machine. RDC uses Microsoft's Remote Desktop Protocol (RDP) to facilitate communication between the remote client and the local machine being accessed.
However, findings show that gaining unauthorized access to RDP-enabled machines has been, and continues to be, an effective attacker technique. For example, when the credentials used by the attackers have been stolen without the legitimate user's knowledge, the attackers can pose as a remote user without raising suspicion.
Existing approaches deal with analyzing network traffic by observing the raw packet capture on a network. In other words, existing solutions look for anomalies in the network data traffic. Typical forensics-based solutions include packet inspection, such as deep packet inspection (DPI) techniques, selective packet inspection methods and the like. These solutions generally observe and parse out data from the packet capture on the network in order to detect the presence of network anomalies. An example is Novetta sensor software, which reviews the captured packets to extract IP address, cookies and other data attributes that characterize what is happening within the network traffic.
Typically, forensics-based solutions operate with the extremely limited information that is present in the data packets, which may not be sufficient to detect sophisticated attacks. Furthermore, RDP is a known protocol, which allows an attacker to take active steps to prevent anomalous data from being detectable by packet inspection methods. Thus, attacks using remote access tools can be disguised and go undetected.
Additional background art includes:
[1] “APT1: Exposing One of China's Cyber Espionage Units”, Mandiant, 18 Feb. 2013; and
[2] “Architecture Overview Technical Brief”, Novetta Cyber Analytics, May 2016.