As the world grapples with the spread of novel coronavirus (COVID-19), organizations are letting employees and contractors who can work remotely stay home. While taking this step protects people from infection and slows the spread of the disease, the rapid shift to remote work has made the security defender’s job of keeping people, systems, networks, and data safe much more difficult.
Over the past few weeks, IT teams have had the thankless task of rapidly ramping up a large number of users to be able to work remotely: issuing new equipment for those not already set up, rolling out necessary software to make sure everyone has the tools to keep working, and ensuring that appropriate security controls are in place. Not everyone has the right devices, processes, and infrastructure in place to support a fully remote workforce, said Craig LaCava, executive services director at Optiv Security. Organizations could potentially expand the attack surface if the proper security measures are missing. Defenders also need to recalibrate how they look for and identify potential attacks.
“The SIEM [security information and event management] might be seeing all sorts of things,” LaCava said. “What is the odd behavior when nothing is normal?”
Norms Out The Window
Detecting and investigating anomalous behavior in this “new remote world order” becomes more difficult because there is no “normal,” said Bob Rudis, chief data scientist at Rapid7. A typical organization under normal circumstances may have had between 5 percent and 10 percent of the workforce remote. Now that figure may be 50 percent to 65 percent, or even higher. Many of the rules about what constitutes suspicious behavior and malicious activity will trigger more alerts because of increased usage volume.
The increased number of remote users has “thrown off your remote access and internal application usage models out the window,” Rudis said.
Defenders rely on a whole range of usage factors such as time of login, what device is being used, IP address, and which resources are being requested to determine whether an event is malicious or falls within the range of “normal” behavior. With people adjusting their schedules to accommodate caring for children or the elderly, defenders have to redefine work hours and non-work hours.
“Your ‘Steve doesn't normally work at 22:37 on Tuesdays’ alerts will all need to be re-thought and re-implemented,” Rudis said.
Security teams also regularly check the event logs for failed login attempts, as a cluster of failures usually indicates that someone is trying to use compromised or guessed credentials. However, many users may be unaccustomed to logging in with multi-factor authentication or turning on the VPN before trying to access corporate resources. It will be difficult to differentiate between these repeated login attempts and those that indicate a brute-force attack or password-spraying campaign in progress. Users may not realize that sessions time out after a period of inactivity, and have to keep logging back in. The logs will show re-authentication events at much higher levels than what used to be considered normal.
“Existing checks for events such as failed logins will be all askew,” Rudis said.
Security teams must develop new baselines and user-access profiles that reflect current norms, and be able to adapt them regularly as the situation evolves, Rudis said. Also important—there has to be a way to quickly put the old models back in place when things go back to normal.
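To make the baseline problem concrete, the following example (added here; not code from the article or from Rapid7) runs a simple failed-login detector over a handful of constructed auth log lines with two named baselines, a pre-pandemic profile and a remote-workforce profile, so the old model can be restored later. The per-user thresholds are assumed values; the password-spray rule (one source failing against many distinct accounts) does not depend on volume and keeps working when the baseline changes.

```python
from collections import Counter, defaultdict

# Constructed sample auth log lines (not from the article): time user source result.
# Lines 1-7 are legitimate VPN/MFA retries; lines 8-12 are one source trying many accounts.
LOG = """\
09:01 alice 10.0.1.5 fail
09:01 alice 10.0.1.5 ok
09:02 bob 10.0.2.9 fail
09:02 bob 10.0.2.9 fail
09:03 bob 10.0.2.9 ok
09:04 carol 10.0.3.3 fail
09:05 carol 10.0.3.3 ok
09:06 alice 203.0.113.7 fail
09:06 bob 203.0.113.7 fail
09:06 carol 203.0.113.7 fail
09:06 dave 203.0.113.7 fail
09:06 erin 203.0.113.7 fail
""".splitlines()

def parse(lines):
    """Turn each whitespace-separated log line into a dict."""
    return [dict(zip(("ts", "user", "src", "result"), line.split())) for line in lines]

# Named baselines (assumed thresholds): expected failed logins per user per hour.
# Keeping the old profile lets the team switch back when usage returns to normal.
BASELINES = {
    "office_2019": {"max_fail_per_user": 1},  # 5-10% remote, few VPN/MFA retries
    "remote_2020": {"max_fail_per_user": 3},  # re-auth noise from VPN, MFA, session timeouts
}

def detect(events, profile, spray_threshold=4):
    """Return sorted alerts: per-user failure spikes against the chosen baseline,
    plus password-spray candidates (one source failing against many accounts)."""
    limit = BASELINES[profile]["max_fail_per_user"]
    fails_per_user = Counter(e["user"] for e in events if e["result"] == "fail")
    users_per_src = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            users_per_src[e["src"]].add(e["user"])
    alerts = []
    for user, n in fails_per_user.items():
        if n > limit:
            alerts.append(("user_fail_spike", user, n))
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            alerts.append(("password_spray", src, len(users)))
    return sorted(alerts)
```

Against the old profile every user who retried MFA trips an alert; against the remote profile only the single-source spray remains, which is the signal the team actually wants.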
Ramping Up Defenses
Overall, it will be harder to spot attacks. If an employee loses credentials—because someone on the same unsecured Wi-Fi network was able to sniff out the login and password information, or the employee fell for one of the many COVID-19-related phishing campaigns currently proliferating—it will be harder for the defender to spot the malicious login in the middle of all the remote traffic, LaCava said.
Security teams need to continue monitoring incoming messages to watch for increased phishing messages, and use whatever communications tool everyone is using to keep them informed about phishing and credential-stuffing campaigns, Rudis said. It has to be “super easy” for employees to report suspicious events.
Having employees use personal devices may be easier because IT may not have the time to provision devices for everyone, but it means security teams don’t know if the devices are properly updated or if they are already infected with malware. Some VPN tools can be configured to check the device to make sure it meets a certain standard of security, and block access if the checks fail. But that makes it harder for users to get their work done in an already challenging time. This is why company-issued devices are preferable: the company knows how they are protected, LaCava said.
IT teams have a long list of things they need to support an expanded remote workforce, such as ensuring there is sufficient processing and network capacity in VPN concentrators, setting up Citrix clusters and Microsoft Remote Desktop systems, and making sure SIP/VoIP gateways (including applications such as Skype) and conferencing platforms can accommodate increased demand. Many IT teams will wind up doubling the number of VPN concentrators, tripling the number of Citrix and RDP gateways, and doubling the number of SIP gateways, Rudis said.
Each new remote access technology should be configured and deployed to the hardened baseline standards of the existing setup. Attackers can easily find an organization’s remote access technology, and RDP is a common target. At a minimum, Rudis recommended enabling multi-factor authentication, updating the operating system and all applications with the latest security patches, and turning on centralized logging for performance monitoring and security checks. There should also be a way to quickly disconnect a system from the corporate network or enterprise application if the security team detects a compromise.
“Get those [configuration] checks in place and cut off systems that fall out of compliance,” Rudis recommended. “Resist the urge to use split tunnelling in your VPN configs as your workers are going to be under increased attack and—despite your best efforts—your endpoints are still very weak links.”