This thread discusses whether SecureDX could be used to kill Citrix sessions that show indicators of being accessed through stolen NetScaler cookies. The group explored different potential solutions, including Citrix Security Analytics and AI-based solutions that ControlUp is looking into for the future. They also discussed using the ControlUp client to detect and flag unauthorized access. No clear solution was found, but the potential for future developments in this area was identified.
Read the entire ‘SecureDX and the Detection of Stolen Citrix Session Cookies’ thread below:
would it be possible to use SecureDX to kill citrix sessions that showed indicators they were accessed using a stolen netscaler cookie?
like when the device ID and location significantly change, or if it’s launched from a device without the edgedx client running?
You can’t with secure dx but wonder if it’s possible with VDI… not sure how though
Citrix Security Analytics had something that could kill a session based on detected behavior, but with the changes in licensing it’s not something we can recommend to everyone anymore
Do you have remote dx as well?
I don’t have anything yet, need to build my lab again
this is just something I’ve been thinking about as I’m giving a talk on netscaler cookie theft and what tools can detect and potentially kill sessions
Other people may have better ideas than me. But if you had remote dx on every workstation and set branches, you could essentially say if branch = empty then kill session
Definitely not a Secure DX use case (at least not today)
I have seen an Edge DX script at some point that did something with device location change
Need to check
But if someone is hacking the netscaler then they wouldn’t have edge dx
And we are looking into more anomaly detection features in the future (using AI of course! 😬). Also no remote DX
But it would/could be IP based
If it doesn’t have remote dx then they wouldn’t be in a branch.. well actually you could use branches without remote dx as well
the danger of just having it be IP based is it kills session roaming, AI based would be neat
it’s not an easy problem to solve, I’ve been looking at it for weeks trying to see if anything tackles it
@member first question is how could you detect it, is there something in the user's profile or registry?
the client registry? You could do it with EPA scans, but nobody wants to implement them 😛
but if you have the cookie you bypass all that anyway…
If you want to allow session roaming between different devices then all that needs to be allowed to change anyway
maybe later with new uberagent stuff it might be able to be pulled direct from the HDX data
yes, you can pull it once the session is established, but what would you flag? That’s where the AI part comes in, it would just flag anything it hadn’t seen before
but if it's client related then it's hard for ControlUp or any other solution if they don't have a client on the machine
yes, you might want to use that as an indicator in itself. If no controlup client is seen on the endpoint, flag or terminate the session
also hard when doing byod
but even byod devices will need the citrix workspace app, and I think later the uberagent will be built into that
and then controlup and others will have access to that data via api
can in theory build in detectors like you want
you can already do similar with citrix security so no reason going forward that data will not be available to monitoring solutions like controlup
that's what I think and hear suggested
I would check Citrix Analytics for Security. Not sure if uberAgent brings the desired enhancement because it will not be possible to use custom scripts…
Can you see on NetScaler site something you can pull via nitro-api?
Then you can fire a trigger in CU if a user is connecting and flag the session
We started developing a feature for that. It will include IDP authentication. So if you integrate your netscaler with IDP you will have alerts.
“yes, you might want to use that as an indicator in itself. If no controlup client is seen on the endpoint, flag or terminate the session”
that's great news