Reference: Remote authenticated scanning security best practices

Remote authenticated scans (RAS) carry more risk than local scans, so IT and security organizations need to maintain an appropriate level of visibility and control over how these scans are performed.

When a new, unmanaged endpoint is detected on a network, there is currently no way for a program to determine whether that endpoint is legitimate or belongs to an attacker. If a tool attempts an authenticated scan against an attacker-controlled endpoint, the attacker can capture the credentials the tool presents. If those credentials are also valid on other endpoints, the attacker can use them to pivot from a network-based position to unauthorized access on the endpoints the scanner targets. See https://www.atredis.com/blog/2020/1/26/flamingo-captures-credentials for a demonstration of how IT and security products spray credentials at endpoints they do not control.

Tanium has implemented several mitigating controls within Comply to enable customers to use this feature while limiting the risk they are exposed to. The following section documents the security best practices when using remote authenticated scans and how users may configure RAS to best mitigate risk.

  1. First and foremost, Tanium recommends that customers prefer local scans over remote scans. If an endpoint can be managed by the Tanium Client, installing the Tanium Client on that endpoint is the preferred and most secure approach, because a local scan does not require sending scanning credentials to the endpoint over the network.

  2. When setting up credentials for RAS assessments, select SSH Key rather than Password whenever possible. With password authentication the scanner sends the password itself to the target, so a malicious endpoint captures a secret it can reuse. With public-key authentication the scanner sends only the public key and a signature bound to that SSH session; the private key never leaves the scanner, so a malicious endpoint learns nothing it can replay against other hosts. Currently, SSH authentication is only available for non-Windows endpoints.

  3. Rotate the passwords used for remote authenticated scans regularly, and do not reuse those credentials on endpoints that RAS does not target. A credential captured by a malicious endpoint is then valid only within the scanned population, which limits the extent of lateral movement.

  4. Avoid trying a large number of credentials against each endpoint (the kitchen sink approach). If one malicious endpoint is on your network and an assessment contains 100 password credentials, the scan may try every one of them against that endpoint, and all 100 are then compromised. Spraying many credentials also has performance implications. Instead, plan your assessments in a logical, purposeful way so that each scan uses a targeted, limited set of credentials. For example, group routers together in one assessment, configure one credential list for that group, and do not use that list in other assessments. An attacker who controls one endpoint then captures at most the credentials intended for that endpoint's group.

  5. Avoid the Include newly discovered endpoints on recurring scans option when feasible. By default, a recurring scan targets only the endpoints that were reachable during the initial scan. If new endpoints come online, they are not scanned unless you change the assessment's targeting or select the option to include new endpoints automatically. This means that even if an attacker gains unauthorized network access, Comply does not automatically send credentials to the attacker-controlled endpoint unless a Tanium user instructs it to do so. The option saves you from changing the configuration each time a new endpoint appears, but it introduces significant risk: the next recurring scan will authenticate against any endpoint an attacker brings onto the network, and the credentials used in that assessment are compromised.
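Items 1, 2 and 5 above rest on the same fact: a scanner cannot tell a freshly discovered address from an attacker's machine, so it should not present a credential to a host it has no prior relationship with. One pre-authentication check a practitioner can put in front of any SSH-based scanner is host key pinning: record each target's SSH host key when the endpoint is inventoried, and refuse to authenticate to an address that has no pinned key (a new endpoint) or that presents a different key (a host substituted on a known address). The Python below is an added example written for this page; it is not Comply code and does not describe a Comply feature. It reads the OpenSSH known_hosts format, including the hashed host form produced by HashKnownHosts, and assumes a baseline file captured earlier. The salt, keys and entries are constructed placeholders.

```python
"""Fail-closed host-key gate in front of an SSH credential scan.

Added example for this page (not Tanium Comply code). Before a scanner
presents any credential to an SSH target, require that the target's host key
match a key pinned earlier, for instance when the endpoint was inventoried.
A newly discovered endpoint has no pinned key and is refused; a known
address presenting a different key (possibly an attacker's host sitting on
that address) is refused. Only a host whose pinned key matches is scanned.
"""
import base64
import hashlib
import hmac
from typing import Optional

ALLOW = "allow"
DENY_UNKNOWN_HOST = "deny: no pinned host key for this endpoint"
DENY_KEY_MISMATCH = "deny: presented host key differs from pinned key"


def hashed_hostname(host: str, salt: bytes) -> str:
    """Encode a hostname as OpenSSH does with HashKnownHosts enabled:
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain name, comma-separated list,
    or hashed |1|... form) refers to host. Wildcard patterns are not
    supported here and therefore never match (fail closed)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return host in pattern.split(",")


def lookup_pinned_key(known_hosts: str, host: str, key_type: str) -> Optional[str]:
    """Return the base64 key pinned for (host, key_type), or None.
    Marker lines (@revoked, @cert-authority) are not interpreted; a host
    that has only such lines has no usable pin and is refused."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, key = fields[0], fields[1], fields[2]
        if ktype == key_type and _host_matches(hosts, host):
            return key
    return None


def authorize_scan(known_hosts: str, host: str, key_type: str,
                   presented_key: str) -> str:
    """Decide whether the scanner may proceed to authentication. Returns
    ALLOW only when the key the target presented equals the pinned key."""
    pinned = lookup_pinned_key(known_hosts, host, key_type)
    if pinned is None:
        return DENY_UNKNOWN_HOST
    if not hmac.compare_digest(pinned, presented_key):
        return DENY_KEY_MISMATCH
    return ALLOW


# Constructed sample baseline. The salt and keys below are placeholders,
# not real host keys; they only need to be distinct strings here.
SALT = b"0123456789abcdef0123"
KEY_ROUTER = "AAAAC3NzaC1lZDI1NTE5AAAAIHBsYWNlaG9sZGVyLXJvdXRlci1rZXktMDE"
KEY_SWITCH = "AAAAC3NzaC1lZDI1NTE5AAAAIHBsYWNlaG9sZGVyLXN3aXRjaC1rZXktMDI"
KNOWN_HOSTS = "\n".join([
    "# baseline captured when the router group was inventoried",
    "router-01.corp.example,10.0.1.1 ssh-ed25519 " + KEY_ROUTER,
    hashed_hostname("10.0.1.2", SALT) + " ssh-ed25519 " + KEY_SWITCH,
])


def demo() -> dict:
    """Run the gate over four situations a scanner meets."""
    return {
        "known host, matching key": authorize_scan(KNOWN_HOSTS, "10.0.1.1", "ssh-ed25519", KEY_ROUTER),
        "known host via hashed entry": authorize_scan(KNOWN_HOSTS, "10.0.1.2", "ssh-ed25519", KEY_SWITCH),
        "known address, different key": authorize_scan(KNOWN_HOSTS, "10.0.1.1", "ssh-ed25519", KEY_SWITCH),
        "newly discovered endpoint": authorize_scan(KNOWN_HOSTS, "10.0.1.99", "ssh-ed25519", KEY_ROUTER),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-30s -> %s" % (case, verdict))
```

The gate is deliberately fail-closed: an unknown address, an unknown key type, a wildcard entry or a marker line all yield a refusal rather than a best-effort match. It only addresses the impersonation case, though. An attacker who compromises a legitimate endpoint and keeps its host key passes the check, and with password authentication the password is still delivered to that host, which is why items 2, 3 and 4 still apply even with pinning in place.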