Article by Eoin Carroll, Principal Engineer, Sr. Security Researcher, Advanced Threat Research, McAfee
While not a new practice, the sheer volume of people required to adhere to social distancing best practices means we now have a mass workforce working remotely. Most enterprises and SMBs can support working remotely today but many IT departments are not equipped to scale to the numbers currently required. In this blog we discuss the threats to enterprises and SMBs through this increased remote workforce and how to mitigate the risk.
Cybercriminals seek opportunities to achieve their goals and will follow the path of least resistance. The initial access vectors enumerated in MITRE ATT&CK typically used by cybercriminals are phishing or exploitation of vulnerabilities to gain access to an organization, and are used to act on their malicious objectives. Now that employees have migrated to their homes to work remotely, cybercriminals will target the insecurities of consumer systems and networks to gain access to corporations. Targeted ransomware attacks are fueling the increased demand in the underground for compromised corporate networks. If employees access corporate networks from pre-infected unmanaged machines without adequate security measures, it creates a much larger attack surface for cybercriminals. This increases the risk of an organization falling victim to a potential breach and ransomware lockdown.
COVID-19 social distancing restrictions came into effect very rapidly, giving organizations little time to prepare for securely managing their workforce remotely. It is important that organizations continue to do business during this tough time, but they must also do it securely to prevent an attack such as ransomware. To protect organizations in this current climate we must approach this from two perspectives:
- Know your environment and users
- Know your business and real threats
To understand the threats of telecommuting at scale, we must understand the technologies typically used by remote workers to execute their work and access the organization.
Know Your Environment and Users
Per figure 1 below, it is important to understand the architecture and technologies being used by your employees within your business environment. This gives you visibility into your potential exposure based on vulnerabilities being actively exploited by threat actors so that you can protect your remote workers and business infrastructure/assets.
Trust boundaries, common technologies and use cases in telecommuter deployments.
Know Your Business and Real Threats
Adversary Opportunities
Adversaries need an initial access vector to gain a foothold within an organization. They will typically seek out corporate usernames and passwords using techniques enumerated in MITRE ATT&CK, such as phishing or remote exploitation of software vulnerabilities. The telecommuter technology increases the attack surface significantly and is being exploited/researched as evident below:
- In 2019, vulnerabilities in Palo Alto Networks, Fortinet, Pulse Secure, and Citrix VPN servers were targeted
- Proof-of-concept exploits have been developed for Citrix NetScaler/Application Delivery Controller (ADC), Cisco VPN routers and the Zoho ManageEngine Desktop Central
- Fox-IT discovered bypassing of a VPN two-factor authentication
- Proof-of-Concept exploits have been developed for vulnerabilities in Telecommuter Applications such as Zoom, Confluence and Slack
- There have been vulnerabilities recently disclosed in Android and iOS free VPNs
- RDP vulnerabilities have been disclosed over the last year such as Dejablue, Bluegate and a proof-of-concept exploit in the case of Bluekeep (wormable)
Controls
Minimum technical controls for remote worker machines:
- Secure configuration and strong passwords to prevent router compromise
- Keep all software layers patched, VPNs and telecommuter applications
- Do not reuse passwords across personal and work systems
- Robust endpoint security software
Minimum technical controls for enterprise/SMBs:
- Security hygiene best practices
- MFA/2FA and logging for VPN accounts
- VPN patching
- Secure RDP access
- Segmentation of critical business assets
- Data backups
- User and device identity for employees and 3rd parties/suppliers
Policies:
- Data loss prevention
- Strong passwords
- SaaS security
- Managed vs unmanaged device access
Training:
- Phishing and social engineering training based on the current climate context – “verify before trusting”
- Keep employees informed of phishing campaigns relative to your environment and business
Conclusion
Strong technical controls are a must to protect telecommuters in the current climate and there is also no substitute for employee phishing and social engineering training as a successful phish can negate technical controls. Even MFA/2FA can be bypassed in some cases, using advanced phishing techniques, so we must all stay vigilant, starting with ourselves to protect our organizations by adopting a “verify before trusting” approach.