Free audit program · v0.1.0

Remote Access and Credential Exposure Audit

Threat actors exploit weak VPN configurations and stolen or weakly protected credentials to gain initial access, then deploy ransomware after escalating privileges and moving laterally.

  • Target area: Exposed VPN + stolen credentials
  • Framework: none listed
  • Controls in this program: 7
  • Senior Reviewer: Mustafa

About this program

Threat context: Ransomware Attack via Exposed VPN and Stolen Credentials

This program audits the controls that mitigate the above threat. Each procedure references one mapped control. Run the program to score your exposure.

Controls (7)

  1. MFA enforced for remote / VPN access

    Severity: High

    This control mandates that all users connecting to organizational networks via remote access methods (VPN, remote desktop gateways, or cloud-based remote access solutions) must authenticate using multi-factor authentication (MFA). MFA requires presentation of at least two distinct authentication factors—typically something…

    How to test + evidence

    Testing procedure: Review VPN auth config and conditional-access rule for off-network sign-ins.

    Evidence to collect: VPN auth config screenshot; CA policy export.

  2. PAM in place for privileged accounts

    Privileged Access Management (PAM) solutions centralize authentication, authorization, session monitoring, and auditing of privileged credentials used to administer critical systems, databases, and infrastructure. PAM enforces just-in-time credential provisioning, session recording, multi-factor authentication for elevation, and automated password rotation for privileged…

  3. VPN access restricted to known users + geo-locations

    This control restricts Virtual Private Network (VPN) access to authenticated users whose identities are pre-registered in the organization's identity management system and whose connection originates from approved geographic locations. The VPN concentrator or gateway evaluates each connection attempt against user…

  4. Logging + alerting on failed/unusual logins

    This control requires the organization to configure authentication systems to generate timestamped log entries for both failed login attempts and anomalous successful logins (e.g., unusual geographic location, time of day, or device). Logs must be forwarded to a centralized system…

  5. Network segmentation between user and server tiers

    Network segmentation logically separates the user workstation tier from the server / data tier so that compromise of a single endpoint cannot grant direct lateral movement into critical infrastructure. Effective segmentation uses VLANs, host-based firewalls, identity-aware proxies and explicit east-west…

  6. Account lockout policy on failed logins

    Account lockout policies automatically disable user accounts after a specified number of consecutive failed authentication attempts within a defined time window. This control prevents attackers from conducting unlimited password guessing or brute-force attacks against user accounts by enforcing a temporary…

  7. Incident response playbook for credential compromise

    This control requires a documented, rehearsed playbook specifically addressing credential compromise scenarios including phishing, password spray attacks, stolen API keys, leaked secrets, and unauthorized access token use. The playbook defines detection triggers, containment procedures (credential revocation, session termination, MFA reset),…

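Controls 4 and 6 both hinge on the same question: can the organization actually see repeated failures and anomalous successes in its VPN authentication logs? The following is an added example (not part of this audit program) that runs a lockout-threshold check and an unusual-success check over a few constructed VPN gateway log lines; the log format, the `KNOWN_GEO` table and the threshold values are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample VPN gateway log lines (assumed format, not from a real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice result=FAIL src=203.0.113.7 geo=US
2024-05-01T08:00:04Z user=alice result=FAIL src=203.0.113.7 geo=US
2024-05-01T08:00:09Z user=alice result=FAIL src=203.0.113.7 geo=US
2024-05-01T08:00:15Z user=alice result=FAIL src=203.0.113.7 geo=US
2024-05-01T08:00:21Z user=alice result=FAIL src=203.0.113.7 geo=US
2024-05-01T08:00:30Z user=alice result=SUCCESS src=203.0.113.7 geo=US
2024-05-01T09:12:00Z user=bob result=SUCCESS src=198.51.100.2 geo=DE
2024-05-01T09:40:00Z user=carol result=FAIL src=192.0.2.9 geo=GB
2024-05-01T10:40:00Z user=carol result=FAIL src=192.0.2.9 geo=GB
"""

# Assumed per-user approved geo-locations (control 3's "known users + geo-locations").
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"GB"}}

def parse(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def audit(log_text, threshold=5, window_s=600):
    """Return (users who hit the lockout threshold, list of unusual successful logins)."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    lockouts, unusual = set(), []
    for line in log_text.splitlines():
        r = parse(line)
        u, ts, q = r["user"], r["ts"], recent[r["user"]]
        while q and (ts - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if r["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold:  # control 6: lockout should have fired here
                lockouts.add(u)
        else:
            reasons = []
            if r["geo"] not in KNOWN_GEO.get(u, set()):
                reasons.append("unapproved geo")
            if q:  # control 4: success immediately after a burst of failures
                reasons.append(f"success after {len(q)} failures")
            if reasons:
                unusual.append((u, ts.isoformat(), reasons))
            q.clear()
    return sorted(lockouts), unusual
```

When run on the sample, `alice` is reported both as a lockout candidate and as an unusual success, `bob` is flagged for an unapproved geo-location, and `carol`'s two failures an hour apart fall outside the window and raise nothing.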