Ransomware has evolved into a model known as Double Extortion. Before encrypting your data and holding it ransom, the criminals copy the data off your computers to their own, where they keep it as a hostage. If you choose to not pay the ransom they will expose the hostage copy of your data publicly on the internet. They use reputation risk and confidentiality requirements (either regulation or contractual) as a way to force the payment. Further, while they have a copy of your data, they are able to read your financials and insurance contracts so that they can set the maximum ransom. While there is a negotiation to determine the ransom, it is very one-sided.

Background In Heavy Strategy EP. 010 - Budgeting for Cybersecurity Greg Ferro & Johna Till Johnson agree that “Detection is better than Prevention”, in that same episode Greg said that he recommended SDP (Software-Defined Perimeter), Asset Inventory and EPP (Endpoint Protection Platform) for all devices. SDP, Asset Inventory and EPP are protection technologies, so this could be seen as conflicting with “detection is better…”. However, I think what Greg is getting at is that there needs to be a minimum level of protection and that further spending on additional protection technologies is likely to be wasteful. Nearly all organizations are going to have already spent some money on “prevention tech”, it’s probably built into the network design.

The Symptoms A client was having an issue with IPsec VPN connections to their FortiGate. Users were getting non-descriptive error messages and not able to connect. The issue was affecting all users. We couldn’t find anything in the FortiClient or FortiGate logs to indicate what the problem was. As far as we could see, the FortiClient connection was simply timing out. The FortiGate Web GUI showed us LDAP was working. Looking at packet traces on the FortiGate we could see the IPsec traffic come in, but we weren’t seeing any traffic going back to the source.

Things weren’t working as expected I had recently enabled the SSL Deep Inspection policy on some of my web traffic - in part to try to block ads, maybe I’ll write a blog post about that another time - and I was noticing odd behaviour. A few of the odd things were around VPN connections and Citrix sessions. FortiClient VPN wasn’t able to connect - it was getting to 80% then throwing an error saying there was something wrong w/ my credentials or my account wasn’t setup for VPN access. With Citrix, apps would look like they were launching from the StoreFront, but they wouldn’t load - they wouldn’t even briefly show up in the connection manager. Launching a published desktop it would load the app’s borders, but then throw an error.

High Level Overview To explain ADVPN it is useful to contrast it with the two main alternatives - Hub & Spoke and Full Mesh. In a Hub & Spoke network one site is deemed the Hub, with all other sites - Spokes - connecting directly to the Hub. In a Full Mesh all sites connect to all other sites. ADVPN starts as Hub & Spoke, with one site deemed the Hub - but all Spokes can directly connect by getting connection details from the Hub.