Preventions
- ID: PV072
- Created: 20th October 2025
- Updated: 20th October 2025
- Platforms: Windows, Linux, MacOS,
- Contributor: Ryan Bellows
Endpoint Network Access Agent Enforcement
Deploy and enforce the use of Endpoint Network Access Agents (such as Zscaler Client Connector, Cisco AnyConnect Secure Mobility Client, or similar tools) to ensure continuous network policy enforcement, traffic inspection, and behavioral visibility across all user environments, including remote, hybrid, and guest networks.
Key Prevention Measures:
- Mandatory Agent Deployment: Require persistent agent installation across all managed endpoints, using device posture checks to validate status and prevent circumvention.
- Controlled Network Access: Prevent outbound traffic unless routed through approved inspection points—eliminating unmonitored internet connectivity and forcing adherence to network governance policies.
- VPN Configuration Lockdown: Restrict VPN usage to sanctioned clients and configurations. Enforce full-tunnel routing, disable split-tunneling, and block execution of unauthorized VPN applications or browser-based VPN extensions.
- Policy-Based Access Control: Apply conditional access rules based on endpoint compliance, user identity, and network context—ensuring secure posture is maintained regardless of location.
- Tamper Protection and Lockout: Detect and respond to agent disablement, configuration drift, or telemetry loss through auto-remediation or access revocation mechanisms.
- Cross-Network Consistency: Extend enforcement capabilities to unmanaged and public networks, reducing blind spots introduced by subjects switching to guest Wi-Fi, personal hotspots, or external connectivity paths.
This control directly mitigates multiple behaviors associated with Network Obfuscation, including the use of unauthorized VPNs, evasive browser extensions, and transitions to unmonitored networks.
Sections
| ID | Name | Description |
|---|---|---|
| AF029.004 | Switching to Unmonitored Networks | The subject intentionally disconnects from monitored corporate networks (such as managed Ethernet, enterprise Wi-Fi, or secure VPN tunnels) and reconnects using alternative, unmonitored connectivity options. This may include switching to a guest Wi-Fi network, tethering through a personal mobile hotspot, or leveraging an unmanaged residential or public access point.
By exiting the boundaries of controlled infrastructure, the subject avoids endpoint-level inspection, network logging, and identity-based access enforcement. This maneuver is particularly effective in environments where endpoint telemetry is only collected while connected to corporate networks or VPN channels. In such cases, activity conducted over unmonitored networks leaves no observable trace in central logging systems, severely degrading investigative visibility.
This behavior is commonly paired with additional anti-forensics techniques (such as unauthorized VPN use, encrypted transfer protocols, or private browsing) to further frustrate detection. The deliberate choice to operate from unmonitored networks signals a clear intent to conceal operational activity and evade forensic scrutiny. |
| AF029.002 | Unauthorized VPN Usage | The subject deliberately uses Virtual Private Network (VPN) technology in a manner that circumvents organizational oversight, masking the nature, destination, or content of network activity. This includes installing unapproved VPN clients, as well as reconfiguring sanctioned VPN software to route traffic through unauthorized exit nodes, personal infrastructure, or third-party services not governed by corporate policy.
By diverting traffic away from monitored pathways, the subject obstructs standard telemetry collection - evading logging of session destinations, data transfers, or identity-bound usage. This behavior frustrates forensic reconstruction, hinders real-time monitoring, and degrades the reliability of investigative artifacts. Unauthorized VPN usage is an intentional anti-forensics measure aimed at concealing potentially harmful activity behind layers of encrypted and unsanctioned transit. |
| AF029.001 | Browser or System Proxy Configuration | A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control.
By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries. While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead.
Technical MethodBoth browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve:
Once defined, the behavior is as follows:
Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place.
This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts. |