VPN Compromise Detected via SIEM: End-to-End Intrusion Analysis
This case study dissects a concise, real-world VPN compromise caught early through high-fidelity SIEM detections. It underscores how SIEM and EDR complement each other—SIEM surfacing identity and authentication anomalies, EDR covering host-level activity—to stop intrusions before hands-on-keyboard actions begin.
High-Fidelity SIEM Signal at the Edge
The intrusion began with a SIEM alert flagging an authentication from a workstation name previously tied to ransomware and extortion. Because the signal appeared at the start of the intrusion, the team isolated the host immediately, effectively containing the threat after a single authentication event. This demonstrates the value of curating high-confidence indicators (e.g., hostile workstation names) and codifying them into alerting rules.
Subsequent SIEM searches traced the source IP to the organization’s VPN address space and reviewed the authentication package types. Kerberos typically indicates domain-based logons, while NTLM is common for non-domain endpoints authenticating over VPN. The pattern supported a VPN-origin compromise.
Weak Link: Non-MFA Guest and Utility Accounts
Partner VPN logs confirmed a compromised guest account lacking MFA. This is a recurring risk pattern: guest, temporary, service, scanning/printing, and conference room accounts often bypass MFA for convenience, leaving a gap despite strong controls on named user accounts. The team enriched the source IP with ASN data, noting it belonged to a “privacy” provider—suggesting a VPN-to-VPN chain. Additional reconnaissance via Censys revealed RDP exposure that leaked a hostname matching the SIEM’s malicious workstation name, correlating identity, IP, and infrastructure.
SIEM + EDR: Complementary Coverage
EDR excels at process, command-line, and host telemetry; SIEM captures identity, Active Directory, and authentication context across infrastructure. Together, they deliver holistic visibility—enabling early detection from identity signals and swift containment before endpoint activity escalates.
Key Points
- Codify high-confidence identifiers (e.g., known malicious workstation names) into SIEM rules for early, actionable alerts.
- Treat VPN address space authentication anomalies and NTLM from non-domain devices as compromise clues.
- Enforce MFA on all VPN-eligible accounts, including guest, temporary, and service identities.
- Use ASN enrichment and internet scanning data (e.g., Censys) to corroborate threat infrastructure and strengthen attribution.
Proactive identity monitoring and strict MFA on all VPN-accessible accounts are critical controls for IT and security teams to prevent and rapidly contain VPN-driven intrusions.
