Protecting VDI against known malicious actors

June 9, 2020

Keep VDI use safe by protecting users from visiting known malicious sites and domains.


By now we are tired of hearing about remote work or working from home thanks to COVID-19. Like it or not, it is the only way to work for many across the globe.

Enabling such a huge workforce with the necessary tools became an overnight challenge for companies. One such tool which saw a huge spike in demand is VDI or virtual desktop infrastructure. Instead of offering employees their own laptop, employees can use their own device and gain the same computing power with VDI, often referred to as desktop-as-a-service. They can be configured and provisioned remotely by the IT team as per each user's profile. Due to this, the end user gets the same experience as if they were working from a corporate laptop. Scaling up or down can be conveniently scheduled if the underlying environment is hosted on scalable infrastructure.

VDI has a lot of advantages and is widely used - but anything that suddenly garners massive popularity is going to be a prime target for attackers. With a sudden shift to remote work, many companies have done their best to enable workforce productivity with VDI while trying to make sure the necessary security controls are in place. Not every organization has gotten this right, making life easier for an attacker.

Since employees need to access many different websites and domains for varied purposes, IT teams cannot restrict outbound access from VDI. Employees could therefore go to malicious sites, leading to a potential infection of the shared VDI cloud instance. While IT teams cannot restrict outbound access, they can at least control and block users from visiting known malicious sites and domains by calling on well-known threat feeds for malware and ransomware domains and command-and-control (C2) servers.

Visiting a malicious domain will infect the VDI, and visiting a command-and-control domain will allow that server to take control of the VDI, which is a breach of the corporate network. Let's take a look at what we can do with Illumio, in coordination with these threat feeds, to protect the VDI.

Why?

IP reputation matters because it protects users from connecting to any IP address with a negative reputation for its association with spam, ransomware or malware. We are going to use two such public IP threat list feeds and ingest them into an IP List in the Illumio PCE, so that the workloads are automatically prevented from connecting to these IP addresses. That part is as simple as it looks; the question we still haven't answered is how we can be sure the list stays current. These IP threat lists are very dynamic: some are updated daily and some even hourly, since the bad actors are dynamic as well. So we ingest each IP threat list on the specific cadence of that feed.

Architecture

The architecture is very simple and can be explained in 3 steps:

  1. We fetch the IP threat list from the URLs provided in the config file. We ship with a pre-defined malware domain list and a C2 IP threat feed, and users can configure their own feeds by adding them to the config file.
  2. We then get the current PCE IP threat list and append the new IP addresses to it. The IP threat list is incorporated in the ruleset for the VDI instances so that these instances do not communicate with these IPs inadvertently.
  3. Finally, the Illumio PCE updates all the workloads which utilize the IP Threat List.
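The following script is an added example of steps 1 and 2 above; it is not the Illumio Labs project code. It parses threat-feed text into IP entries, refuses entries that would harm the VDI rather than protect it (private space, loopback, a /0 that would blackhole everything), merges the survivors into a PCE-style IP List object without duplicates, and decides per feed whether its cadence says it is due for a fetch. The feed text, the config, the feed URLs and the shape of the IP List object (`name` plus `ip_ranges` of `from_ip`/`exclusion` entries) are all constructed or assumed here, so the script runs offline; the hostname entries that a domain feed carries are returned separately rather than ingested, because they need resolution or an FQDN-capable list before an IP-based rule can enforce them.

```python
"""Added example (not Illumio Labs' project code): parse threat-feed text into
IP entries, refuse entries that would harm the VDI, and merge the result into an
Illumio PCE IP List object. Feed text, config and the existing list are
constructed inline so this runs offline; the PCE object shape and the feed URLs
are assumptions, not values from the post."""
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Constructed config: one entry per feed, with the refresh cadence each feed publishes.
FEEDS = {
    "malware_domains": {"url": "https://feed.example/malware.txt", "cadence_minutes": 24 * 60},
    "c2_ips": {"url": "https://feed.example/c2.txt", "cadence_minutes": 60},
}

# Ranges a VDI block list must never contain: blocking them would cut the desktop
# off from its own network, DNS or the PCE rather than from an attacker.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
MIN_PREFIX = {4: 8, 6: 32}  # policy assumption: refuse anything broader than this

HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_feed(text):
    """Split feed text into (ip_entries, hostnames). Comments, blank lines and
    trailing fields are ignored; unsafe or over-broad networks are dropped."""
    ips, hosts = set(), set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # strip comments
        if not line:
            continue
        token = re.split(r"[\s,]+", line)[0]                    # first field only
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            if HOSTNAME.match(token):                           # domain-list entry
                hosts.add(token.lower())
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            continue                                            # e.g. 0.0.0.0/0
        if any(d.version == net.version and net.overlaps(d) for d in NEVER_BLOCK):
            continue                                            # e.g. RFC 1918 space
        ips.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return ips, hosts


def merge_ip_list(existing, new_entries):
    """Return a copy of a PCE IP List with new ranges appended and duplicates skipped.
    Assumed object shape: {"name": ..., "ip_ranges": [{"from_ip": ..., "exclusion": False}]}."""
    ranges = list(existing.get("ip_ranges", []))
    seen = {r["from_ip"] for r in ranges}
    for entry in sorted(set(new_entries) - seen):
        ranges.append({"from_ip": entry, "exclusion": False, "description": "threat feed"})
    return {**existing, "ip_ranges": ranges}


def feed_is_due(last_run, now, cadence_minutes):
    """True when a feed's own update cadence says it is time to fetch it again."""
    return last_run is None or now - last_run >= timedelta(minutes=cadence_minutes)


def refresh(existing, feed_texts):
    """Merge every fetched feed into the list; hostnames come back separately because
    they need resolution (or an FQDN-capable list) before an IP rule can enforce them."""
    all_ips, all_hosts = set(), set()
    for text in feed_texts.values():
        ips, hosts = parse_feed(text)
        all_ips |= ips
        all_hosts |= hosts
    return merge_ip_list(existing, all_ips), all_hosts


# Constructed sample feed using RFC 5737 documentation addresses; not a real threat list.
SAMPLE_C2_FEED = """# constructed sample, not a real feed
203.0.113.10
198.51.100.0/24 ; constructed C2 range
10.0.0.5          # private space: refused
0.0.0.0/0         # would blackhole everything: refused
203.0.113.10      # duplicate of an entry already in the PCE list
bad.example       # hostname, not an IP
"""
EXISTING_LIST = {"name": "VDI-Threat-List",
                 "ip_ranges": [{"from_ip": "203.0.113.10", "exclusion": False}]}

if __name__ == "__main__":
    if feed_is_due(None, datetime.now(), FEEDS["c2_ips"]["cadence_minutes"]):
        updated, pending_hosts = refresh(EXISTING_LIST, {"c2_ips": SAMPLE_C2_FEED})
        print(json.dumps(updated, indent=2))      # body to send to the PCE, then provision
        print("hostnames not ingested:", sorted(pending_hosts))
```

The deny-list check is the part worth keeping even if everything else is swapped out: a feed that is mis-formatted for a day, or that is poisoned upstream, can push a private range or a /0 into the list, and an IP List that the PCE then pushes to every VDI workload will enforce that mistake everywhere at once. Refusing those entries at ingestion time, and logging the hostnames that were not ingested, keeps the automation from turning a feed hiccup into an outage.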

The diagram for it looks as follows.

[Diagram: Protecting VDI]

Screencast

Let's see this in action in the following screencast:

[Screencast: Protecting VDI against known malicious actors the Illumio way - Illumio]

Conclusion

IP Threat list ingestion with Illumio ASP is a simple and effective way to prevent workloads from communicating with known malicious IP addresses. 

If you haven't had a chance to try out Illumio, please sign up for our month-long free Test Drive to gain full visibility into all your workloads in all environments. For our customers, you'll see your Illumination map reflect all workloads, as well as the ruleset segmenting the workloads from the malicious actors.

We would love to hear how you heard about this project and how it helped you, so please send us a note on our Slack channel, http://slack.illumiolabs.com, and for future updates, do subscribe to Illumio Labs.