Legitimate sessions, real intrusions: the new risk map in the Zero Trust era

Published · 6 min read · 124 reads

Perimeter security long ago ceased to be the only barrier between our companies and attackers, but what is changing markedly is the way these actors get in: they depend less on exploiting new technical flaws and more on taking advantage of access and tools that the organizations themselves consider legitimate. This shift, documented in the annual report of an incident response firm, forces us to rethink how we measure risk and what we control within the network.

Remote access points and trusted administrative utilities have become the main intrusion vector. In many cases analyzed by response teams, the attackers obtained valid sessions, often through VPNs or remote management agents, and moved laterally as if they were legitimate administrators. This strategy exploits precisely the trust surrounding these tools: an active VPN session or RMM connection usually looks normal to controls and operators, allowing intruders to reach critical systems without triggering immediate alarms.

Image generated with AI.

The abuse of remote management tools is not an isolated anecdote. Many public investigations and guides warn about how malicious actors install or reuse monitoring and management solutions to maintain persistence and operate with a legitimate appearance. This reality underlines the need for a clear inventory of which agents are authorized, and for subjecting these tools to strict monitoring and policies, as public security agencies and good-practice frameworks recommend.

Social engineering remains the most effective way to open doors. Rather than searching for code vulnerabilities, many groups get a user to perform an apparently harmless action: follow a link, run a command or paste an instruction into a system's run box. Some campaigns are disguised as visual verification steps, such as "click to verify" controls, and end up instructing the victim to enter commands in Windows or other consoles, allowing the attacker to use the system's own tools to run their attack chain.

This approach is based on what the security community calls "living off the land", using the binaries and utilities that ship with the system, and it is especially hard to detect if the organization does not adequately distinguish legitimate from malicious use of these utilities. Microsoft maintains documentation and alerts about the binaries and scripts that are often used in intrusions, so visibility into their execution is key to telling an administrative process from a malicious maneuver: Microsoft - Living off the land binaries.
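As an added example (not code from the article or from Microsoft's documentation), the Python snippet below shows the kind of context check that execution telemetry makes possible: it classifies constructed Sysmon-style process-creation events by whether a LOLBin was launched interactively from the desktop, with encoded or hidden-window flags, or from a user-writable directory. The LOLBin subset, the interactive-parent set and the path prefixes are assumptions chosen for the demonstration.

```python
"""Classify process-creation events for living-off-the-land binaries (LOLBins).
Added example, not code from the original article: the events are constructed
in a Sysmon Event ID 1-like shape; the LOLBin subset, interactive-parent set
and user-writable prefixes are assumptions chosen for the demonstration."""
import re

LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Parents meaning "a user launched this from the desktop" (Run box, browser,
# mail client) rather than a service, scheduler or admin-tooling context.
INTERACTIVE_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe", "outlook.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ENCODED = re.compile(r"(?i)(?:-enc(?:odedcommand)?|-e)\s+[A-Za-z0-9+/=]{20,}")
STEALTH = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?)")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (verdict, reasons). Non-LOLBins are 'benign'; a LOLBin with no
    signal is 'administrative', one signal 'review', two or more 'suspicious'."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image not in LOLBINS:
        return "benign", []
    cmd, cwd = event.get("CommandLine", ""), event.get("CurrentDirectory", "").lower()
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} started interactively by {parent}")
    if ENCODED.search(cmd):
        reasons.append("encoded command line")
    if STEALTH.search(cmd):
        reasons.append("hidden-window or no-profile flags")
    if cwd.startswith(USER_WRITABLE):
        reasons.append(f"working directory is user-writable ({cwd})")
    return ("administrative", "review", "suspicious")[min(len(reasons), 2)], reasons

# Constructed sample events (not real telemetry); the encoded payload is dummy.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice",
     "CommandLine": "powershell -w hidden -enc " + "A" * 40,
     "CurrentDirectory": r"C:\Users\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc-pki",
     "CommandLine": "certutil -verify server.cer",
     "CurrentDirectory": r"C:\Windows\System32"},
]
```

The first constructed event (interactive parent, hidden window, encoded command, user profile as working directory) collects four signals, while the same certutil.exe run from an administrative shell in System32 collects none.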

In the cloud, multifactor authentication has stopped many direct-access attempts but has not ended intrusions. Attackers have managed to capture and reuse already authenticated sessions, a method that, from the cloud platform's perspective, looks like a legitimate session. This shows that, beyond requiring multiple factors, organizations should monitor active sessions and implement controls that assess the risk of the current session, not just the success of the initial authentication.

Defence must move from absolute prevention to the detection and management of contextual risk. Protecting remote access means more than closing ports: it requires policies that weigh the sensitivity of the session, the posture of the device it comes from and the geographical or network context. The principles of zero trust architecture and conditional controls are relevant tools here, and the technical reference documents provide frameworks for implementing these ideas in heterogeneous environments: NIST SP 800-207 - Zero Trust.

There are no magic solutions, but there are measures that significantly reduce the attack surface. These include strictly managing which RMM solutions are authorized and removing obsolete agents, restricting execution from user-writable directories, and implementing conditional access controls that consider device posture and session risk. Official guides from public cybersecurity agencies identify these approaches as best practices for protecting remote access: CISA - Securing Remote Access and CISA - Multi-Factor Authentication.

In addition, it is essential to increase telemetry and correlation across layers. A detection system that only looks for technical exploitation attempts can miss an attacker who moves with valid credentials; that is why security teams must integrate authentication logs, VPN and RMM telemetry, and information about endpoints and network traffic. This combined view makes it easier to spot the traces that reveal lateral movement or session reuse.
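The session-risk assessment, the RMM allowlist and the cross-layer correlation described in the last four paragraphs can be sketched in one place. The Python below is an added example, not code from the article or from any vendor: it parses constructed identity-provider, VPN and RMM log lines, groups them by session, and scores each session for token reuse from a second client, a country change faster than travel allows, an unmanaged device and an unauthorized RMM agent. The authorized-agent inventory, the weights and the allow / step-up / revoke thresholds are assumptions.

```python
"""Correlate identity-provider, VPN and RMM events into a per-session risk score.
Added example, not code from the original article: the log lines are constructed,
and the authorized-RMM inventory, weights and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

AUTHORIZED_RMM = {"corp-rmm-agent"}   # assumed inventory of approved agents
WEIGHTS = {"session_reused_from_new_client": 60, "country_change_within_1h": 40,
           "unmanaged_device": 30, "unauthorized_rmm_agent": 50}

def parse(line):
    """Turn one 'key=value ...' line into a dict with a datetime timestamp."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def score_sessions(lines):
    """Return {session_id: (score, sorted findings)} across all sources."""
    by_session = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)
    result = {}
    for sid, evs in by_session.items():
        findings = set()
        # The same session token presented from a second IP/device pair (reuse).
        if len({(e["ip"], e.get("device")) for e in evs}) > 1:
            findings.add("session_reused_from_new_client")
        for a, b in zip(evs, evs[1:]):   # country change inside a one-hour window
            if a["country"] != b["country"] and (b["ts"] - a["ts"]).total_seconds() < 3600:
                findings.add("country_change_within_1h")
        if any(e.get("managed") == "no" for e in evs):
            findings.add("unmanaged_device")
        if any(e["src"] == "rmm" and e.get("agent") not in AUTHORIZED_RMM for e in evs):
            findings.add("unauthorized_rmm_agent")
        result[sid] = (sum(WEIGHTS[f] for f in findings), sorted(findings))
    return result

def decide(score):
    """Map a score to the conditional-access action (assumed thresholds)."""
    return "allow" if score < 30 else "step_up" if score < 70 else "revoke"

SAMPLE_LINES = [  # constructed; documentation-range IPs
    "src=idp ts=2024-05-02T08:00:00 user=alice session=S1 ip=203.0.113.10 device=LT-0042 managed=yes country=ES mfa=pass",
    "src=vpn ts=2024-05-02T08:05:00 user=alice session=S1 ip=203.0.113.10 device=LT-0042 managed=yes country=ES",
    "src=idp ts=2024-05-02T08:40:00 user=alice session=S1 ip=198.51.100.77 device=unknown managed=no country=NL",
    "src=rmm ts=2024-05-02T09:10:00 user=bob session=S2 ip=203.0.113.20 device=LT-0077 managed=yes country=ES agent=corp-rmm-agent",
    "src=idp ts=2024-05-02T10:00:00 user=carol session=S3 ip=203.0.113.30 device=LT-0099 managed=yes country=ES mfa=pass",
    "src=rmm ts=2024-05-02T10:02:00 user=carol session=S3 ip=203.0.113.30 device=LT-0099 managed=yes country=ES agent=freeware-remote-tool",
]
```

Session S1 passed MFA at 08:00 and still ends up revoked, because the same token later appears from a different IP and an unmanaged device in another country; S3 is pushed to step-up verification by the unapproved RMM agent alone.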

Staff training and awareness remain a pillar: when the vector is social, reducing the likelihood that someone follows suspicious instructions makes a big difference. But training must be accompanied by processes that make it hard for an everyday action to turn into a disaster, for example by limiting default privileges and validating sensitive administrative requests through a secondary channel.

Another point to consider is the adoption of phishing-resistant authentication mechanisms. Organizations that migrate to key-based solutions or authentication standards that cannot easily be replayed on fake pages (e.g. FIDO / WebAuthn) raise the bar for campaigns that capture credentials or tokens: FIDO Alliance.

Image generated with AI.

Finally, recent incidents show that attackers seek to blend into the network's noise: they use communication channels that resemble legitimate traffic and develop implants that pivot using modern methods such as WebSockets to stay active without drawing attention. This sophistication requires response teams to update their detection rules and broaden their analysis scenarios, and organizations to share information on emerging techniques in professional forums and with security providers.

If you want to review concrete examples and aggregated data on these trends, the firm that has analysed thousands of investigations is hosting a session that will break down practical cases and recommendations; the call and the associated report are available on the organizer's page: Blackpoint Cyber - Inside the SOC (registration).

In short, the current threat landscape forces us to look with suspicion at what we always considered trustworthy: remote access tools and the routine actions of users. Modern defence combines policies that limit risk, technical controls that make abuse harder and integrated visibility that allows abnormal behaviour to be detected before a legitimate session becomes the starting point for a larger compromise.
