I’ve got a significant uptick in my alerts from Huntress of high incident priority for logins from IPs they don’t trust, including VPNs and others. I got one today from a little ISP in Wyoming that they classify as suspicious. When I checked:
Not a lot of suspect traffic coming from it according to them.
I’m trying to get them to change these incidents to a low or moderate priority because some customers do have privacy VPNs, and while it’s good to mitigate them as an MSP, these aren’t high priority alerts.
I know it’s a double-edged sword, but I think lowering the priority of these incidents is pretty important considering my heart always jumps in my throat when I get an incident alert from Huntress, because they used to be very important.
We’ve had some alerts for users accessing over a VPN from Belgium. Was legit too. Told the user he can’t do that after his account was remediated. Happened again two weeks later. Same user. Told his manager. Has not happened since.
I’m glad they’re alerting on it. Tips us off to users doing dumb stuff.
I’ll note that we’ve had the opposite experience; the VPN detections have been a life saver and all of them have been true positives thus far (no customers/staff were using third-party VPNs intentionally).
We’ve had 3 alerts due to VPN use in the past couple weeks… 2 were indeed compromised and 1 was a user that went around IT to install unapproved software on their laptop. I’m a fan.
I’ve seen this a few times with customers and generally advise against it. These consumer-level proxy and VPN services are widely used by attackers as a way to get around conditional access policies and avoid detection. The risk-to-reward ratio of trusting these services isn’t worth justifying their use. The cost and use of an actual business/corporate VPN is worth it.
To me these are high alerts, and in the majority of tenants we have access blocked if it comes from VPN or proxy services.
So, you want to allowlist consumer “privacy VPNs”?
Well, if you wanted to allow wolves in sheep’s disguises, you are literally doing this.
The exact feature you’re complaining about is the exact same feature that just saved one of my clients’ asses yesterday, and a different client’s the day before that.
We use the product on about 300 users at the moment. In 6 months we’ve had 2 false positives where they were using VPNs intentionally and 1 time it was actually an indicator of compromise. I don’t know how Huntress is supposed to tell the difference and I’d rather make a quick call to the user to confirm so we’re happy with it. But I agree it should maybe be a medium or low severity alert.
Yeah, we are getting alerts of users using VPNs to hide their traffic. One of them turned into an investigation of an employee, so I’m pretty happy with them being reported, to be honest.
The way this functionality should work is that when first deployed there will be a high count, since there isn’t any reference. After it’s been in the environment for months they have a better history to reference. Then they will know if that VPN is commonly used by said person or IP location and such. This is how it works with Blackpoint. We don’t get much from them anymore unless a user uses a new VPN or authenticates from a new location they haven’t been in before.
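To make the baselining idea from the comment above concrete, here is an added example (my own sketch, not Huntress’s or Blackpoint’s code) of a per-user sign-in baseline that drives alert severity by novelty rather than by “is this IP a VPN” alone. The VPN/proxy ASN list, the sign-in records and the user names are all constructed; ASN and country lookups for each IP are assumed to have been done upstream.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical ASNs standing in for consumer VPN / proxy providers (constructed).
# A real deployment would take these from an ASN-category or threat-intel feed.
VPN_ASNS = {64500, 64501}


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    asn: int        # ASN already resolved for the IP (assumed done upstream)
    country: str    # country code already resolved for the IP
    success: bool


class SignInBaseline:
    """Per-user history of ASNs and countries seen on successful sign-ins."""

    def __init__(self) -> None:
        self.asns = defaultdict(set)
        self.countries = defaultdict(set)

    def classify(self, ev: SignIn) -> Optional[str]:
        """Return an alert severity for a VPN/proxy sign-in, or None.

        Non-VPN sign-ins never alert here; they only feed the baseline.
        For VPN/proxy sign-ins, severity is driven by novelty for this user:
          ASN and country both already seen -> "low"
          one of them new                   -> "medium"
          both new                          -> "high"
        """
        if ev.asn not in VPN_ASNS:
            return None
        known_asn = ev.asn in self.asns[ev.user]
        known_country = ev.country in self.countries[ev.user]
        if known_asn and known_country:
            return "low"
        if known_asn or known_country:
            return "medium"
        return "high"

    def learn(self, ev: SignIn) -> None:
        """Only successful sign-ins extend the baseline. A failed attempt from a
        new VPN must not teach the model that the VPN is normal for the user."""
        if ev.success:
            self.asns[ev.user].add(ev.asn)
            self.countries[ev.user].add(ev.country)


def process(events):
    """Walk events in chronological order; classify each one before learning from it."""
    baseline = SignInBaseline()
    alerts = []
    for ev in events:
        severity = baseline.classify(ev)
        if severity is not None:
            alerts.append((ev.user, ev.ip, severity))
        baseline.learn(ev)
    return alerts


# Constructed sample sign-ins using documentation address ranges, not real events.
SAMPLE_EVENTS = [
    SignIn("alice", "198.51.100.10", 64496, "US", True),   # home ISP, builds baseline
    SignIn("alice", "203.0.113.5", 64500, "US", True),     # first use of a VPN, same country
    SignIn("alice", "203.0.113.6", 64500, "US", True),     # same VPN again: now routine
    SignIn("bob", "192.0.2.20", 64496, "US", True),        # home ISP, builds baseline
    SignIn("bob", "203.0.113.77", 64501, "BE", False),     # failed login, new VPN + new country
    SignIn("bob", "203.0.113.77", 64501, "BE", True),      # then success from the same place
    SignIn("bob", "203.0.113.78", 64501, "BE", True),      # repeat: baseline now knows it
]

if __name__ == "__main__":
    for user, ip, severity in process(SAMPLE_EVENTS):
        print(f"{severity:6} {user} from {ip}")
```

Run on the sample, alice’s first VPN login comes out medium and her second low, while bob’s new-VPN-plus-new-country login is high twice (the failed attempt does not extend his baseline) and only drops to low once a successful login has been seen from that provider and country. That is the “high count at first, quiet later” behaviour the comment describes, and the point where a product could downgrade repeat VPN logins without silencing the genuinely new ones.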