April 3, 2020
Yotam Ben Ezra, VP Products
In the past two weeks, millions of companies sent their employees home to prevent the spread of the Coronavirus. All those employees are now working from home. This is causing major headaches for IT and security teams around the globe. Few CIOs and CISOs had planned for such a rapid switchover to a 100% remote workforce. Network topologies radically shifted, adding home broadband access points and routers that were never designed for enterprise-grade security and management. Many employees have had to use their own laptops and PCs to keep working. Those machines generally lack the types of security controls that IT teams always place on company-issued devices.
This also creates an environment where a number of attack types could be easier to execute, including drive-by downloads, phishing, exploits of VPN vulnerabilities, malware propagation, and exploits of home network routing equipment or unsecured IoT devices connected to home WiFi. Attackers could use these methods and others to exfiltrate sensitive information, infiltrate corporate networks, mount lateral movement attacks within the corporate networks, and leave behind backdoors and Trojan horses for future remote exploitation, exfiltration and communication with external unauthorized command-and-control networks.
So in this chaotic environment, what can IT and security teams do to safeguard their employees and their company’s network? Here are the four top steps to take to improve the security stance of companies that had to go remote in a hurry.
This is the most important step for employees working from home. They will be accessing the Internet and their corporate networks via their own home broadband network. Their network is far less likely to be well protected. Security protocols used to protect home routers are significantly weaker than corporate protocols. Many home broadband users have left the factory-default passwords in place for their routers’ admin accounts. The users also may use cellular data hotspots, or tether to their phones.
Most of these employees will be accessing their corporate networks via VPN, often using their home PCs. Hackers may also have compromised their modems or other IoT devices in their homes. If these employees are fortunate enough to be using work laptops, then you can and must validate that their endpoint controls are up and running. Otherwise, you will need to be hyper-vigilant for a variety of attack types, like phishing and drive-by downloads, that are used to infiltrate devices that can connect into corporate networks.
First, admit that your VPN connections will likely be overwhelmed. It’s widely reported that VPN traffic and usage is surging. So you will need to purchase more VPN licenses, install more VPN clients on endpoints, and rapidly expand your VPN capacity. You may also need to ship wireless access points to your users if they do not have good home broadband and 4G is a better option. Once you have stepped up your VPN capacity and licenses to meet demand, you need to prioritize making sure your VPN is patched and configured against already emerging exploits.
Now, you need to be prepared to manage a much “noisier” VPN environment with so many more users connecting. As more and more employees have begun working remotely, we have seen an increase in exploits against VPN software. This is logical: the cybercriminals are just following the money and their targets. To their credit, VPN companies are releasing patches quickly. Security teams need to make sure patching is on hyper-drive to keep their users safe. In addition, security teams need to prepare for a wave of phishing and spear phishing attacks against their users targeting VPN access. Attackers know that connections coming in via VPN tend to attract less scrutiny and may be able to move horizontally within a network or set of user applications more easily. Another area that may not have been a high priority before but must be now is checking the segmentation controls on your VPN gateways, which I’ll address in the next section.
To start with, you will likely need to create more VPN segments to accommodate many of the new users, who may have different privileges and different application needs. VPN connections are usually assigned to different segments when they are onboarded onto the network. With the expected increase in VPN connectivity, misconfiguration of segmentation controls may result in unauthorized access and propagation of malware. You also should monitor for attempts at privilege escalation by rogue users or via hacked VPNs.
Because segmentation requires a lot of manual labor to configure and set up, this can be an area with a high likelihood of human error. Pay close attention and run lateral movement attack simulations via VPN, if you have the capability, to look for misconfigurations or conflicts between security controls. As well, watch logs closely for evidence of brute-force attacks across all protocols. This would show up as repeated login attempts or anomalous spikes of access requests. It’s tricky because these spikes could also be new users confused by the process who are simply trying to log in and making mistakes.
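One way to separate the two cases the paragraph describes, confused new users versus brute-force or password-spraying activity, is to group VPN authentication failures by source address and look at how many distinct accounts each source failed against and whether the failures ended in a successful login. This is an added example, not code from the original post; the log format and the sample lines are constructed, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log; the format is an assumption, not any vendor's.
SAMPLE_LOG = """\
2020-04-02T09:00:01Z auth=FAIL user=alice src=198.51.100.10
2020-04-02T09:00:09Z auth=FAIL user=alice src=198.51.100.10
2020-04-02T09:00:31Z auth=OK user=alice src=198.51.100.10
2020-04-02T09:01:00Z auth=FAIL user=bob src=203.0.113.5
2020-04-02T09:01:02Z auth=FAIL user=carol src=203.0.113.5
2020-04-02T09:01:04Z auth=FAIL user=dave src=203.0.113.5
2020-04-02T09:01:06Z auth=FAIL user=erin src=203.0.113.5
2020-04-02T09:01:08Z auth=FAIL user=frank src=203.0.113.5
2020-04-02T09:01:10Z auth=FAIL user=grace src=203.0.113.5
2020-04-02T09:05:00Z auth=OK user=heidi src=192.0.2.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]

def classify_sources(text, window=timedelta(minutes=5), fail_threshold=5, user_threshold=3):
    """Map each source IP to a verdict (thresholds are assumed starting points):
    'spray'       - >= fail_threshold failures over >= user_threshold accounts within window
    'brute_force' - >= fail_threshold failures within window against fewer accounts
    'user_error'  - failures on accounts that later logged in successfully from that source
    'watch'       - a few failures with no success yet
    'normal'      - no failures at all"""
    by_src = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        by_src[src].append((ts, result, user))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        in_window = bool(fails) and (fails[-1][0] - fails[0][0]) <= window
        failed_users = {user for _, user in fails}
        succeeded = {user for _, result, user in events if result == "OK"}
        if in_window and len(fails) >= fail_threshold:
            verdicts[src] = "spray" if len(failed_users) >= user_threshold else "brute_force"
        elif fails and failed_users <= succeeded:
            verdicts[src] = "user_error"   # fumbled, then got in: typical of a confused new user
        elif fails:
            verdicts[src] = "watch"
        else:
            verdicts[src] = "normal"
    return verdicts
```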
A work-from-home environment is like a gold mine for attackers seeking to exfiltrate data. These attackers can range from criminal hacker gangs looking to gain access to sensitive databases at financial companies to Advanced Persistent Threat (APT) teams pursuing state-sponsored industrial espionage. The chaos of a pandemic is viewed as an opportunity for APTs to grab valuable information while security teams are struggling to cope with the new circumstances.
Hackers understand that not everyone logging in from home has EDR/DLP agents running on their machines. In addition, they know that a home network is a much softer target for data leaks; as we mentioned above, home network routers lack the types of security and controls that enterprise-grade routers have, and WiFi traffic on home networks is easy to intercept with drive-by WiFi hacking. As we also noted, widespread VPN access, often to highly sensitive data and parts of the network, makes exfiltration of data via home networks a juicy target.
To address these challenges and risks, IT and security teams should consider backhauling all remote employee Internet traffic while connected to a VPN. This may strain capacity and might be overkill for employees with few privileges. There are scalable VPN solutions out there which are able to handle higher capacity requirements. To take this protection to a more robust level, IT teams should consider distributing Virtual Desktop Infrastructure (VDI) or Remote Desktop (RDP) functionality widely to team members. This box-within-a-box architecture can limit exfiltration risks, although it can slow down employee workflows. To be clear, there have been numerous exploits against VDI and RDP. So we recommend that the roll-out not be a one-off process and that it must include some sort of security validation components such as integrating breach-and-attack simulation coverage into the distributed VDI images.
For monitoring, you should pay close attention to connections to public cloud storage systems (Amazon S3, Dropbox, Box, etc.), as hackers like to use these systems to hide exfiltration efforts among services already approved inside organizations. In addition, you should watch for outbound connections to command-and-control servers, which show up as either blacklisted or unknown/unauthorized IP addresses. While connections over all protocol types can be risky, the worst indicators of risk are likely seen in unknown DNS, HTTP and FTP connections.
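The monitoring rules in this paragraph can be expressed as a small triage pass over VPN egress records: cloud storage destinations are accepted only when they belong to sanctioned tenants, raw IP destinations are checked against a blocklist and the networks you expect, and unknown IPs reached over DNS, HTTP or FTP are rated highest. This is an added example, not the post’s own tooling; the approved tenants, network ranges, blocklist entry and connection records are all constructed placeholders.

```python
import ipaddress
import re

# Constructed policy data: placeholders, not real indicators or real sanctioned tenants.
APPROVED_STORAGE = {"corp-files.s3.amazonaws.com", "corp.box.com"}
CLOUD_STORAGE_RE = re.compile(r"(\.s3\.amazonaws\.com|(^|\.)dropbox\.com|(^|\.)box\.com)$")
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
BLOCKLIST = {ipaddress.ip_address("192.0.2.66")}
RISKY_PROTOS = {"dns", "http", "ftp"}   # the protocols the post singles out for unknown destinations

# Constructed outbound records as seen at the VPN egress: (protocol, destination, bytes sent)
SAMPLE_CONNS = [
    ("https", "corp-files.s3.amazonaws.com", 120_000),
    ("https", "personal-stash.s3.amazonaws.com", 48_000_000),
    ("https", "www.dropbox.com", 9_000_000),
    ("dns",   "192.0.2.66", 600),
    ("ftp",   "192.0.2.9", 25_000_000),
    ("https", "203.0.113.40", 4_000),
    ("https", "news.example", 50_000),
]

def classify(proto, dest):
    """Return a verdict string for one outbound connection."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None                                   # destination is a hostname
    if ip is not None:
        if ip in BLOCKLIST:
            return "blocklisted"                    # known bad / C2 destination
        if any(ip in net for net in KNOWN_NETS):
            return "approved"
        return "unknown_ip_high_risk" if proto in RISKY_PROTOS else "unknown_ip"
    if CLOUD_STORAGE_RE.search(dest):
        # Cloud storage is fine only when it is one of the organization's own tenants.
        return "approved_storage" if dest in APPROVED_STORAGE else "unsanctioned_storage"
    return "other"

def triage(conns, large_upload=10_000_000):
    """Return (dest, verdict, is_large) for every record that is not approved;
    is_large marks uploads at or above the assumed size limit, a stronger exfiltration signal."""
    alerts = []
    for proto, dest, sent in conns:
        verdict = classify(proto, dest)
        if verdict in ("approved", "approved_storage", "other"):
            continue
        alerts.append((dest, verdict, sent >= large_upload))
    return alerts
```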
We all are operating in uncharted waters, a giant experiment of working from home. We should expect bad actors to adjust to this reality and seek to exploit the holes they can find in the new IT environment. These four validations are a good start to improving your security stance. Beyond just the steps we outline here, your security team should be simulating attacks to ensure that the new security validations and configurations are delivering as promised. Rest assured, the APTs and criminal hacking gangs are already testing your network, too.