US-12621331-B2 - Detection of security risks based on secretless connection data
Abstract
Disclosed embodiments relate to systems and methods for detecting and addressing security risks in remote native access sessions. Techniques include identifying a remote native access session between a client and a target resource. The techniques may further include identifying connection data associated with the remote native access session obtained by a connection agent, wherein the connection data originates from the client and from a mobile device associated with a user, and comprises data indicative of at least one of: hardware of the client or mobile device, configuration settings of the client or mobile device, and network connection attributes of the client or mobile device. Techniques may further include comparing a first portion of the connection data associated with the client with a second portion of the connection data associated with the mobile device; and determining, based on the comparing, a security risk associated with the remote native access session.
Inventors
- Arthur Bendersky
- Tal Zigman
- Nir Popik
- Boris Spivak
Assignees
- CYBERARK SOFTWARE LTD.
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2021-07-06
Claims (19)
- 1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for detecting and addressing security risks in remote native access sessions, the operations comprising: identifying a first remote native access session between a user device associated with a user and a target resource; identifying a second remote native access session of a mobile device associated with the user and the target resource, wherein the first remote native access session and the second remote native access session are established using a connection agent associated with the target resource; obtaining, based on the identification of the first remote native access session and the second remote native access session, connection data exchanged during the first remote native access session and the second remote native access session, wherein the connection data includes: first connection data originating from the user device during the first remote native access session, wherein the first connection data comprises data indicative of at least one of a hardware, a configuration setting, or a network connection attribute of the user device, and second connection data originating from the mobile device during the second remote native access session, wherein the second connection data comprises data indicative of at least one of a hardware, a configuration setting, or a network connection attribute of the mobile device; comparing, using the connection agent, the first connection data with the second connection data to identify at least one of a hardware aspect, a configuration setting, or a network connection attribute that is inconsistent between the user device and the mobile device; determining, based on the at least one of the hardware aspect, the configuration setting, or the network connection attribute that is inconsistent between the user device and the mobile device, a security risk associated with at least one of the first remote native access session or the second remote native access session; and performing, based on the determined security risk, a security response operation in at least one of the first remote native access session or the second remote native access session, wherein the security response operation includes suspending or terminating at least one of the first remote native access session or the second remote native access session.
- 2. The non-transitory computer readable medium of claim 1, wherein the security response operation further includes sending an identification of the security risk to a network security platform.
- 3. The non-transitory computer readable medium of claim 1, wherein the security response operation further includes at least one of: limiting network rights of the client or limiting local rights of the client.
- 4. The non-transitory computer readable medium of claim 1, wherein the security response operation further includes at least one of: generating an alert, making an audit record, or generating a report.
- 5. The non-transitory computer readable medium of claim 1, wherein the security response operation further includes at least one of: requesting authorization from an administrator or requesting authentication from the client.
- 6. The non-transitory computer readable medium of claim 1, wherein the connection agent is configured to intercept the connection data.
- 7. The non-transitory computer readable medium of claim 1, wherein the connection agent is configured to transmit the connection data to a security service that performs the comparing.
- 8. The non-transitory computer readable medium of claim 1, wherein the connection data includes handshake data associated with at least one of the first remote native access session and the second remote native access session.
- 9. The non-transitory computer readable medium of claim 1, wherein the security response operation further includes at least one of: restricting at least one of the first remote native access session or the second remote native access session, limiting access rights, generating a security alert, recording the at least one of the first remote native access session or the second remote native access session, or requesting additional authentication.
- 10. A computer-implemented method for detecting and addressing security risks in remote native access sessions, the method comprising: identifying a first remote native access session between a user device associated with a user and a target resource; identifying a second remote native access session of a mobile device associated with the user and the target resource, wherein the first remote native access session and the second remote native access session are established using a connection agent associated with the target resource; obtaining, based on the identification of the first remote native access session and the second remote native access session, connection data exchanged during the first remote native access session and the second remote native access session, wherein the connection data includes: first connection data originating from the user device during the first remote native access session, wherein the first connection data comprises data indicative of at least one of a hardware, a configuration setting, or a network connection attribute of the user device, and second connection data originating from the mobile device during the second remote native access session, wherein the second connection data comprises data indicative of at least one of a hardware, a configuration setting, or a network connection attribute of the mobile device; comparing, using the connection agent, the first connection data with the second connection data to identify at least one of a hardware aspect, a configuration setting, or a network connection attribute that is inconsistent between the user device and the mobile device; determining, based on the at least one of the hardware aspect, the configuration setting, or the network connection attribute that is inconsistent between the user device and the mobile device, a security risk associated with at least one of the first remote native access session or the second remote native access session; and performing, based on the determined security risk, a security response operation in at least one of the first remote native access session or the second remote native access session, wherein the security response operation includes suspending or terminating at least one of the first remote native access session or the second remote native access session.
- 11. The computer-implemented method of claim 10, wherein the security risk is determined as a probability or score, and wherein the first connection data and the second connection data each have corresponding weights.
- 12. The computer-implemented method of claim 10, wherein the security risk is determined based on a difference in time zone between the user device and the mobile device.
- 13. The computer-implemented method of claim 10, wherein the security risk is determined based on a difference in geographic location between the user device and the mobile device.
- 14. The computer-implemented method of claim 10, wherein the security risk is determined based on a difference in keyboard type between the user device and the mobile device.
- 15. The computer-implemented method of claim 10, wherein the security risk is determined based on a difference in network address information between the user device and the mobile device.
- 16. The computer-implemented method of claim 10, wherein the security risk is determined based on a difference in a software setting between the user device and the mobile device.
- 17. The computer-implemented method of claim 10, wherein the security risk is determined based on a behavioral profile developed for the user device or the mobile device.
- 18. The computer-implemented method of claim 10, wherein the connection data further comprises sensor data from the user device or the mobile device.
- 19. The computer-implemented method of claim 18, wherein the sensor data indicates detected motion.
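The comparison that claims 10 through 16 describe, as an added worked example (this is illustrative code written for this page, not code from the patent or from CyberArk): each connection attribute of the user device is checked against the mobile device's, every inconsistency contributes its weight (claim 11) to a score, and the score is mapped to one of the response operations the claims list. The attribute names, the weights, the 100 km distance threshold, the /24 network comparison and the response tiers are all assumptions chosen for illustration; the device data is constructed.

```python
"""Weighted comparison of a user device's connection data with a mobile
device's, in the manner claims 10-16 describe (added example; not code from
the patent or from CyberArk). Attribute names, weights, the 100 km distance
threshold and the response tiers are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass
class ConnectionData:
    """Connection data a connection agent could gather during a session."""
    device: str
    time_zone: str                 # e.g. "Asia/Jerusalem"
    location: Tuple[float, float]  # (latitude, longitude) in degrees
    keyboard_layout: str           # e.g. "en-US"
    public_ip: str
    software_settings: Dict[str, str] = field(default_factory=dict)


# Per-attribute weights (claim 11); assumed values that sum to 1.0.
WEIGHTS = {"time_zone": 0.25, "location": 0.30, "keyboard": 0.10,
           "network": 0.25, "software": 0.10}
LOCATION_THRESHOLD_KM = 100.0  # assumed: closer than this counts as consistent


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def compare_connection_data(user: ConnectionData, mobile: ConnectionData) -> Tuple[float, List[str]]:
    """Return (risk score in [0, 1], list of inconsistent attributes)."""
    findings: List[str] = []
    score = 0.0

    if user.time_zone != mobile.time_zone:  # claim 12
        findings.append(f"time_zone: {user.time_zone} vs {mobile.time_zone}")
        score += WEIGHTS["time_zone"]

    distance = haversine_km(user.location, mobile.location)  # claim 13
    if distance > LOCATION_THRESHOLD_KM:
        findings.append(f"location: devices {distance:.0f} km apart")
        score += WEIGHTS["location"]

    if user.keyboard_layout != mobile.keyboard_layout:  # claim 14
        findings.append(f"keyboard: {user.keyboard_layout} vs {mobile.keyboard_layout}")
        score += WEIGHTS["keyboard"]

    # Claim 15: a laptop on Wi-Fi and a phone on cellular legitimately differ,
    # so only a different /24 prefix counts, and it carries a moderate weight.
    if ip_address(user.public_ip) not in ip_network(f"{mobile.public_ip}/24", strict=False):
        findings.append(f"network: {user.public_ip} vs {mobile.public_ip}")
        score += WEIGHTS["network"]

    # Claim 16: compare only settings reported by both devices; each mismatch
    # takes an equal share of the software weight.
    shared = set(user.software_settings) & set(mobile.software_settings)
    mismatched = [k for k in shared if user.software_settings[k] != mobile.software_settings[k]]
    if mismatched:
        findings.append("software: " + ", ".join(sorted(mismatched)))
        score += WEIGHTS["software"] * len(mismatched) / len(shared)

    return round(min(score, 1.0), 2), findings


def security_response(score: float) -> str:
    """Map the score to a response operation named in claims 1, 5 and 9."""
    if score >= 0.6:
        return "terminate_session"
    if score >= 0.3:
        return "request_additional_authentication"
    if score > 0:
        return "generate_alert"
    return "allow"


# Constructed sample data, not captured from any real session.
LAPTOP = ConnectionData("laptop", "Asia/Jerusalem", (32.0853, 34.7818), "he-IL",
                        "203.0.113.10", {"os_language": "he-IL", "screen_lock": "on"})
PHONE_CONSISTENT = ConnectionData("phone", "Asia/Jerusalem", (32.0700, 34.7900), "he-IL",
                                  "203.0.113.77", {"os_language": "he-IL"})
PHONE_REMOTE = ConnectionData("phone", "America/New_York", (40.7128, -74.0060), "en-US",
                              "198.51.100.4", {"os_language": "en-US", "screen_lock": "on"})

if __name__ == "__main__":
    for phone in (PHONE_CONSISTENT, PHONE_REMOTE):
        score, findings = compare_connection_data(LAPTOP, phone)
        print(phone.device, score, security_response(score), findings)
```

The consistent pair scores 0.0 and is allowed; the pair with the phone in a different time zone and hemisphere scores 0.95 and falls in the terminate tier. In a deployment the weights would be tuned against the behavioral profile of claim 17, and the network check would need to account for carrier-grade NAT and VPN egress before it is trusted as a signal on its own.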
Description
RELATED APPLICATIONS
This application is a continuation-in-part of U.S. patent application Ser. No. 17/097,809, filed Nov. 13, 2020.
BACKGROUND
Organizations and individuals increasingly use remote network connections for accessing secure files and other network resources. For example, many organizations allow individuals to work collaboratively from different offices, from home office locations, or while travelling. As another example, individuals may use cloud-based servers for storing electronic files and may access these files through a remote connection. These remote connections thus provide improved flexibility, allowing users to access a network remotely as if their device were connected to the network directly. Although advantageous, these remote connections may present security vulnerabilities and are common targets for malicious actors seeking access to the secure network or user data. Some existing techniques, such as virtual private networks (VPNs), require the installation of VPN clients, which can be cumbersome for users and often lead to increased operating expenditures for organizations. Further, VPNs often do not discriminate among target resources, and instead provide users with full access to the network. For this reason, VPN clients are common attack points for malicious users, who may target security vulnerabilities to gain access to secure networks and harvest user credentials or other sensitive data. Further, such VPN clients often require users to enter passwords specific to the VPN service, which increases the risk of credential theft and degrades the user's experience. Other techniques, such as HTML5 gateway solutions, do not require the installation of VPN clients, but equally provide a poor user experience by requiring a browser-based session rather than a native desktop client.
Some remote desktop gateway techniques allow for passwordless or multi-factor authentication; however, additional passwords may still be required to access a particular target resource. Further, these remote desktop gateways often require a user to identify details of a target server (such as IP addresses or port configurations), a domain username, or other sensitive information, which may create an attack vector for malicious actors. Accordingly, in view of these and other deficiencies in existing techniques, technological solutions are needed for securely establishing passwordless and native remote access sessions. In particular, solutions should advantageously allow for the sessions to be established without requiring separate credentials. Further, technological solutions should allow native access without requiring a dedicated remote access client or other non-native software, such as a web-based interface. Solutions should also be dynamic, allowing secure connections to be established during a connection phase without exposing sensitive client information, such as usernames or other credentials, or sensitive target details, such as IP addresses or other information for the target host. In addition, once a secure connection is established, a rich set of data from the connection may be gathered. Advantageously, this data can later help in profiling a user's activity in the session and be used to detect potentially malicious or anomalous activity.
SUMMARY
The disclosed embodiments describe non-transitory computer readable media, systems, and methods for securely establishing secretless and remote native access sessions. For example, in an embodiment, a non-transitory computer readable medium may include instructions that, when executed by at least one processor, cause the at least one processor to perform operations for securely establishing secretless and remote native access sessions.
The operations may comprise identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; authenticating the client; accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.
According to a disclosed embodiment, the remote access protocol file may be modified by the client. According to a disclosed embodiment, the connection agent may replace a username in a request for the remote native access session with data from the token. According to a disclosed embodiment, the credential may be obtained in a secretless manner from the perspective of the client. According to a disclosed emb
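The session-establishment sequence the SUMMARY lays out, as an added worked example (illustrative code written for this page, not the patent's or CyberArk's): the client's remote access protocol file carries its identifier in place of a username, the connection agent prompts the client and authenticates it, the client presents a token naming a target resource, and the agent alone resolves that token to an account, fetches the credential and opens the session, so the client never holds the credential or learns the target's address. The key:type:value file layout, the nonce/HMAC proof, the token format and the in-memory vault are all assumptions standing in for whatever a real deployment uses; the enrolment data is constructed.

```python
"""Simulation of the secretless session-establishment flow described in the
SUMMARY, with the connection agent as the only party that ever handles the
target credential (added example; not the patent's or CyberArk's code). The
file layout, proof format, token format and in-memory vault are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed remote access protocol file: the client's copy has been modified
# so the username field carries the client identifier instead of a real name.
CLIENT_PROTOCOL_FILE = """full address:s:agent.example.internal:3389
username:s:client-7f3a
prompt for credentials:i:0
"""


def parse_protocol_file(text: str) -> Dict[str, str]:
    """Parse key:type:value lines; the type letter is dropped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, _kind, value = line.split(":", 2)
            settings[key] = value
    return settings


@dataclass
class SessionRecord:
    """What the client learns: a session handle and the effective account
    name, but never the credential or the target host."""
    session_id: str
    client_id: str
    effective_username: str


class ConnectionAgent:
    def __init__(self, client_keys: Dict[str, bytes],
                 tokens: Dict[str, Dict[str, str]], vault: Dict[str, str]):
        self._client_keys = client_keys   # enrolled clients: id -> shared key
        self._tokens = tokens             # token -> {"host": ..., "account": ...}
        self._vault = vault               # account -> credential (stand-in vault)
        self._challenges: Dict[str, bytes] = {}
        self.sessions: Dict[str, Dict[str, str]] = {}  # agent-side state only

    def prompt(self, client_id: str) -> bytes:
        """Prompt the identified client to prove itself against a fresh nonce."""
        if client_id not in self._client_keys:
            raise PermissionError("unknown client identifier")
        nonce = secrets.token_bytes(16)
        self._challenges[client_id] = nonce
        return nonce

    def _authenticate(self, client_id: str, proof: bytes) -> bool:
        nonce = self._challenges.pop(client_id, None)  # single use
        if nonce is None:
            return False
        expected = hmac.new(self._client_keys[client_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def establish_session(self, client_id: str, proof: bytes, token: str) -> SessionRecord:
        if not self._authenticate(client_id, proof):
            raise PermissionError("client authentication failed")
        target = self._tokens.get(token)
        if target is None:
            raise LookupError("token does not identify a target resource")
        credential = self._vault[target["account"]]  # fetched on the agent only
        session_id = secrets.token_hex(8)
        # The username in the client's request (its identifier) is replaced by
        # the account the token names; the credential stays on the agent.
        self.sessions[session_id] = {"host": target["host"],
                                     "account": target["account"],
                                     "credential": credential}
        return SessionRecord(session_id, client_id, target["account"])


def client_proof(key: bytes, nonce: bytes) -> bytes:
    """Client side of the prompt: HMAC over the agent's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_flow(token: str = "tok-db01", key: Optional[bytes] = None) -> SessionRecord:
    """Drive the whole exchange with constructed enrolment data."""
    key = key or b"enrolment-key-for-client-7f3a"
    agent = ConnectionAgent(
        client_keys={"client-7f3a": b"enrolment-key-for-client-7f3a"},
        tokens={"tok-db01": {"host": "db01.example.internal", "account": "svc_dba"}},
        vault={"svc_dba": "vault-managed-secret"},
    )
    client_id = parse_protocol_file(CLIENT_PROTOCOL_FILE)["username"]
    nonce = agent.prompt(client_id)
    return agent.establish_session(client_id, client_proof(key, nonce), token)


if __name__ == "__main__":
    print(run_flow())
```

The record handed back to the client carries only a handle and the effective account name, which is the property the summary calls secretless from the client's perspective. A wrong proof fails before any token lookup, and an unknown token fails before the vault is touched, so a client cannot use the agent to probe for accounts it was never issued a token for.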