There's suspicious activity in your network. Now what?

Posted: 07/29/2021 | By: Anna Morgan

You simply don’t know what you don’t know—that’s why there’s such an emphasis on the importance of threat detection and regularly monitoring networks for abnormal activity. The actions your organization takes after detecting a threat or anomaly can make or break the outcome. Tools like ConnectWise Control® are often exploited and turned against you or your customers.

Security is the top priority for ConnectWise Control. We offer many security features our partners can implement to secure their installations. If suspicious behavior is detected, there are some suggested steps you can take immediately to secure your instance. 

Conducting regular account audits  

One of the best ways to protect your account is to conduct regular account audits to look for abnormal behavior, such as connections at odd times of the day or unusual commands run on machines. ConnectWise Control simplifies this process by offering a number of options to audit your instance.

  • Use the timeline to monitor session activity, such as what hosts have connected to a machine, or view session events.  
  • Regularly review the Audit page to see all connection and event data. You can filter it by session name, session event types, and security events. Security events are a quick way to monitor log-in or log-out attempts and changes to passwords.  
  • You can enable extended auditing, which automatically records every remote session and stores it on your instance. The videos are stored in a proprietary format on your server to keep the file sizes small. You can download your encoded files in AVI format.

Monitoring session activity with extensions

Running reports and monitoring regularly makes it easier to identify patterns and spot abnormal behavior, and a great way to do this is by using extensions to monitor session activity. ConnectWise Control extensions allow you to customize your remote access and support with additional features and functionality.

  • With Report Manager, you can construct queries and generate reports based on session activity. This includes three built-in reports that can help determine if some malicious action has been taken on your machines, including host session connections, queued commands, and queued toolbox items.  
  • Partners with the ConnectWise Control Access license can use the Reports page to construct queries and generate reports based on session activities. The Report Generator has 14 pre-configured reports, including Host Connections and Transferred files. You can also create a custom report or clone an existing one. 
  • The Reporting Dashboard gives you a quick visual of connections, session events, and recently active technicians. From here, you can also generate and download reports. 
  • With the Session Capture Processor, you can queue raw session capture files and collectively download and transcode to AVI videos.  
  • Triggers are a handy monitoring tool as well. Triggers fire off actions, such as sending an email, when a defined event has occurred. Examples include creating a trigger to notify you if a command is run on an access machine. You can also create a trigger to notify you when a host connects to an access session.

Taking action with remediation steps
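The two audit checks called out above (host connections at odd times of day, and commands run on access machines, which the trigger example also targets) are easy to automate against an exported audit log. The following is an added example, not ConnectWise code: it parses a constructed, generic CSV export and applies both rules. The column names, event names (`HostConnected`, `QueuedCommand`) and session types (`Support`, `Access`) are assumptions for illustration; a real ConnectWise Control Audit-page export will use its own field names, so adjust the header mapping accordingly.

```python
"""Flag suspicious remote-access session events in an exported audit log.

Added example, not ConnectWise code. The record format below is a
constructed, generic CSV; field and event names are assumptions, not the
real Audit-page export schema. The two rules mirror the article's guidance:
host connections outside business hours and commands run on access sessions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample export (not real data).
SAMPLE_AUDIT_CSV = """\
timestamp,event,technician,session_type,session,detail
2021-07-26T09:12:00,HostConnected,alice,Support,Ticket-4410,
2021-07-26T09:40:00,QueuedCommand,alice,Support,Ticket-4410,ipconfig /all
2021-07-26T14:05:00,HostConnected,bob,Access,FS-01,
2021-07-26T14:06:30,QueuedCommand,bob,Access,FS-01,net user
2021-07-27T02:17:00,HostConnected,alice,Access,DC-01,
2021-07-27T02:19:00,QueuedCommand,alice,Access,DC-01,whoami
2021-07-27T02:25:00,HostDisconnected,alice,Access,DC-01,
"""

# Working window used by the off-hours rule (assumed; tune to your team).
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    technician: str
    session: str
    detail: str


def parse_events(text):
    """Parse the CSV export into a list of dicts, adding a parsed timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def outside_business_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True when the event falls outside the defined working window."""
    return not (start <= ts.time() < end)


def flag_off_hours_connections(events):
    """Rule 1: host connections at odd times of day."""
    return [
        Finding("off_hours_connection", e["timestamp"], e["technician"], e["session"], "")
        for e in events
        if e["event"] == "HostConnected" and outside_business_hours(e["ts"])
    ]


def flag_commands_on_access_sessions(events):
    """Rule 2: any command queued on an access (unattended) session.

    This is the same condition the article suggests wiring to a trigger:
    notify when a command is run on an access machine.
    """
    return [
        Finding("command_on_access_session", e["timestamp"], e["technician"], e["session"], e["detail"])
        for e in events
        if e["event"] == "QueuedCommand" and e["session_type"] == "Access"
    ]


def audit(text):
    """Run both rules over an export and return findings sorted by time."""
    events = parse_events(text)
    findings = flag_off_hours_connections(events) + flag_commands_on_access_sessions(events)
    return sorted(findings, key=lambda f: f.timestamp)


if __name__ == "__main__":
    for f in audit(SAMPLE_AUDIT_CSV):
        print(f"{f.timestamp}  {f.rule:<26} {f.technician:<6} {f.session:<12} {f.detail}")
```

Against the constructed sample, the script reports the two commands on access sessions and the 02:17 connection to `DC-01`; the daytime support-session activity produces no findings. Each finding carries the technician and session so it can be matched back to the timeline or Audit page for review.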

So, you’ve spotted suspicious activity—now what? If you suspect an unauthorized user has breached your instance, you should strongly consider some of these remediation steps.

  • On the Security page, there are three options you can use to immediately revoke user access and force:
    1. All host passes to expire
    2. All technicians to disconnect from their sessions
    3. All technicians to log out of the instance
  • Force internal users to reset their passwords
  • Reset your cloud administrator password
  • Enable two-factor authentication for all accounts
  • The Security Toolkit extension contains additional security tools that allow you to:
    1. Delete all queued commands and toolbox items
    2. Enable an HTTP-to-HTTPS redirect for on-premises installations
    3. Help prevent search indexing of your ConnectWise Control site

If your network has been accessed without authorization, it can be daunting to take remediation steps on your own. You may wonder if you are doing the right thing and if you are doing enough. But with a tool like ConnectWise Control to guide you, remediation can happen quickly and painlessly. After all, the goal is to get back online and get back to your clients securely without missing a beat.
