Synopsis: Over the last few months, the cybersecurity industry has seen increased Citrix zero-day vulnerabilities leveraged by threat actors to grant them initial access to networks. Attacks on Citrix are frequent due to the kind of access they facilitate for remote work. As threat actors continue their attempts to access and monetize personal information and defenders continually shrink their attack surface, it is imperative that system architects and administrators sufficiently harden their Citrix applications.

Action: Below is a list of practical, actionable steps.

  1. Password policy. At a minimum, domain password standards should be twelve (12) characters long, including all character sets. It’s recommended that your organization increase the possible limit of passwords to 24 characters, allowing users to implement passphrases. An example of a good passphrase would be “1993toyotacamry!” or “Workingfortheweekend!”.
  2. Multi-Factor Authentication (MFA). It is imperative that all remote access be contingent on multi-factor authentication. Ensure that remote access users must enroll in your MFA solution via an internal invitation only (i.e., enrollment is NOT prompted on the next login).
  3. Remote access audit. Users should only be granted remote access capability permissions on an “as needed” basis, or based on the principle of least privilege. Fortified recommends that an audit of all users with remote access be reviewed, and any users who have not used their remote access within thirty (30) days should have their access revoked.
  4. Citrix application hardening. Citrix applications must be hardened so that a threat actor cannot “break out” of the application and access unpublished applications or the underlying system. Browser-based applications should be stripped down to bare functionalities (i.e., no printing, saving, access to settings, etc.).
  5. Underlying system/server hardening. Privileged utilities, such as CMD and PowerShell, should be severely limited and tightly controlled on these systems. PowerShell should be forced into constrained language mode (CLM), with robust execution policies in place. Additionally, if PowerShell scripts are needed, ensure that only signed scripts can be run.

These recommendations serve as a good starting point on the cyclical path of network defenses and attack-surface management.

 

Email Team