By: Kevin O’Connor / Director of Threat Research at Adlumin, Inc.
An increasingly remote workforce spurred by the COVID-19 pandemic has brought changes to the information security landscape. Users have shifted from working in carefully constructed walled gardens to café hotspots and home networks with no security assurances. Adlumin’s Threat Research group outlines some of the new and rising challenges of increased Remote Work adoption in the security landscape.
Increased Attack Surface
Every additional web application or service introduced to an environment increases the business's risk and attack surface. How much risk a new service adds depends on the permissions it holds and the role it plays in the network, and many of the applications introduced to support remote work fall squarely into the high-risk category for a typical network. Virtual Desktop Infrastructure (VDI), remote desktop services, Virtual Private Networks (VPNs), and other remote access solutions are critical to most remote work architectures, and they are high-risk precisely because of what they offer an attacker: privileged access into the network, broad permissions, and a position directly in the path of sensitive data.
Administrators and security staff must ensure that all internet-facing devices are patched promptly, and must regularly monitor their logs, accesses, connections, and behavior. It is also essential to continually monitor the organization's external exposure so that only documented and secured services are reachable from the internet, rather than forgotten or outdated products or malicious backdoors. (Note: Adlumin offers Adlumin Perimeter Defense, which gives you insight into your network from an attacker's perspective.)
User Origin Tracking
Gone are the days of employees working out of a single central office, with a sprinkling of branch offices and remote sites diversifying the network's architecture. Modern remote work means supporting employees spread across states, countries, or the globe.
User origin tracking and access origination monitoring geolocate access and login requests and compare each request against a baseline or a set of rules, alerting when a remote endpoint connects or acts from outside the business's pre-defined operating area. The expansion of the security domain complicates this monitoring but does not prohibit it.
Static rules keyed to a central office or a list of branch locations no longer fit a workforce that logs in from home, so hand-written alerting for "logins outside the office" breaks down. The alerting logic instead has to learn each user's access behavior over time, continually analyzing current and historical access locations, behavior, and relationships in the network to draw conclusions beyond where a single endpoint originated. (Note: Adlumin User & Entity Behavior Analytics (UEBA) – Adlumin uses proprietary UEBA data science to identify, detect, analyze, and prioritize, in real time and without input from your cybersecurity team, anomalous behavior likely to present a risk to your network's security)
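The two paragraphs above describe the same pipeline from both ends: a static operating-area rule and a per-user baseline learned from history. The script below is an added example, not code from the article or from Adlumin's product, that runs both checks over a handful of constructed logins and, going one step beyond the text, adds an impossible-travel test between a user's consecutive logins. The operating area, the 900 km/h speed ceiling, the 100 km jitter floor, and the sample users and coordinates are all assumptions; the upstream geolocation lookup that turns a source IP into a country and lat/lon is assumed to have already happened.

```python
"""Geolocated login checks: static operating-area rule, per-user learned
baseline, and impossible travel between consecutive logins.

Assumptions (not from the article): each login already carries a country
code and coordinates from an upstream geolocation lookup, timestamps are
UTC, and the operating area is a set of country codes the business chose.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

OPERATING_AREA = {"US", "CA"}   # assumed pre-defined operating area
MAX_SPEED_KMH = 900.0           # faster than an airliner between two logins is "impossible travel"
MIN_DISTANCE_KM = 100.0         # ignore geolocation jitter inside one metro area
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime     # timezone-aware UTC
    country: str     # ISO 3166-1 alpha-2
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def build_baseline(history):
    """Learn, per user, the set of countries seen in historical logins."""
    baseline = {}
    for e in history:
        baseline.setdefault(e.user, set()).add(e.country)
    return baseline


def check_logins(events, baseline):
    """Return alerts as (user, ISO timestamp, reason) tuples.

    The baseline keeps learning: a plausible in-area login from a new country
    alerts once and is then added, so later logins from there stay quiet.
    """
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        reasons = []
        if e.country not in OPERATING_AREA:
            reasons.append("outside_operating_area")
        if e.country not in baseline.get(e.user, set()):
            reasons.append("new_country_for_user")
        prev = last_seen.get(e.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        if "impossible_travel" not in reasons and e.country in OPERATING_AREA:
            baseline.setdefault(e.user, set()).add(e.country)
        last_seen[e.user] = e
        alerts.extend((e.user, e.ts.isoformat(), r) for r in reasons)
    return alerts


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (coordinates are approximate city centres):
# a prior month's logins to learn baselines, then a day of new logins.
HISTORY = [
    Login("alice", _utc("2022-02-01T09:00:00"), "US", 38.9072, -77.0369),  # Washington, DC
    Login("bob", _utc("2022-02-01T09:00:00"), "US", 40.7128, -74.0060),    # New York
]
EVENTS = [
    Login("alice", _utc("2022-03-01T09:00:00"), "US", 38.9072, -77.0369),  # Washington, DC
    Login("alice", _utc("2022-03-01T14:00:00"), "US", 41.8781, -87.6298),  # Chicago, 5 h later: plausible
    Login("alice", _utc("2022-03-01T15:00:00"), "DE", 50.1109, 8.6821),    # Frankfurt, 1 h later: not plausible
    Login("bob", _utc("2022-03-01T10:00:00"), "US", 40.7128, -74.0060),    # New York
    Login("bob", _utc("2022-03-02T10:00:00"), "CA", 43.6532, -79.3832),    # Toronto: in area, but new for bob
]


def run_example():
    return check_logins(EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for user, ts, reason in run_example():
        print(f"{ts} {user}: {reason}")
```

Alice's Frankfurt login trips all three checks at once, which is the signal worth paging on; Bob's Toronto login is inside the operating area and physically plausible, so it raises only the learned-baseline alert and then becomes part of his baseline. The fixed country set is the "manually created" rule the text says does not scale; the per-user baseline is the minimal version of what a behavioral model replaces it with.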
Crossing Security Domains – Split Tunneling and Introduction of Remote Endpoints
Introducing remote endpoints into your business network brings additional risk through added surface area and exposure. Split tunneling in Virtual Private Networks (VPNs), and more generally letting a device live in two security domains or jump between them, is an added risk. Split tunneling concerns only the network traffic of a VPN client: some traffic is routed through the VPN to the business network while the rest goes directly to the local network or the internet. The device then bridges a trusted and an untrusted network, potentially linking the two security domains. The same weakness applies to any device or user that reaches a business application from networks or sources that cannot always be trusted.
Administrators and security staff must ensure that any system matching this pattern, such as a business-owned laptop that reaches the business network through an employee's home LAN, is secured. That means strong log management and analysis, aggressive patching, endpoint protection products, and a security-oriented architecture.
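Whether a VPN client is split-tunneled is decided by a few directives in its profile, and it is worth checking the profiles you issue rather than assuming. The linter below is an added example, not from the article, for OpenVPN client profiles: it reports a profile as a full tunnel, a split tunnel, or one that only becomes a full tunnel if the server pushes "redirect-gateway" (which it cannot verify from the client side). The three sample profiles and the hostname vpn.example.com are constructed.

```python
"""Split-tunnel check for OpenVPN client profiles.

Added example, not from the article. Assumption: only the client profile
is inspected; a server can push "redirect-gateway" too, so a profile that
neither forces nor blocks a full tunnel is reported as server-dependent.
"""


def parse_directives(profile_text):
    """Yield (directive, args) for each non-comment line of a profile."""
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line or line.startswith(";"):     # ';' also starts a comment
            continue
        tokens = line.split()
        yield tokens[0], tokens[1:]


def analyze_profile(profile_text):
    """Classify a profile as full_tunnel, split_tunnel or depends_on_server_push."""
    directives = list(parse_directives(profile_text))
    names = {d for d, _ in directives}
    routes = [" ".join(args) for d, args in directives if d == "route"]
    findings = []

    # A local redirect-gateway sends the default route through the tunnel
    # regardless of what the server pushes.
    if "redirect-gateway" in names:
        return {"verdict": "full_tunnel", "routes": routes, "findings": findings}

    # These directives discard a server-pushed full tunnel, so only the
    # explicitly routed prefixes ever traverse the VPN.
    if "route-nopull" in names:
        findings.append("route-nopull discards all server-pushed routes, including redirect-gateway")
    for d, args in directives:
        if (d == "pull-filter" and len(args) >= 2 and args[0] == "ignore"
                and args[1].strip('"').startswith("redirect-gateway")):
            findings.append('pull-filter ignore "redirect-gateway" discards a server-pushed full tunnel')
    if findings:
        findings.append("traffic to anything other than "
                        f"{', '.join(routes) or 'the VPN server itself'} uses the local network")
        return {"verdict": "split_tunnel", "routes": routes, "findings": findings}

    findings.append("no local redirect-gateway: full tunnel only if the server pushes it; add "
                    "'redirect-gateway def1' to the client profile to stop depending on the push")
    return {"verdict": "depends_on_server_push", "routes": routes, "findings": findings}


# Constructed sample profiles (vpn.example.com is a placeholder hostname).
SPLIT_PROFILE = """
client
dev tun
remote vpn.example.com 1194
route 10.10.0.0 255.255.0.0        # only the corporate prefix goes through the VPN
pull-filter ignore "redirect-gateway"
"""

FULL_PROFILE = """
client
dev tun
remote vpn.example.com 1194
redirect-gateway def1 ipv6         # default route (v4 and v6) through the tunnel
block-outside-dns                  # Windows: keep DNS from leaking to the home resolver
"""

SERVER_DEPENDENT_PROFILE = """
client
dev tun
remote vpn.example.com 1194
"""

if __name__ == "__main__":
    for name, text in [("split", SPLIT_PROFILE), ("full", FULL_PROFILE),
                       ("server-dependent", SERVER_DEPENDENT_PROFILE)]:
        report = analyze_profile(text)
        print(f"{name}: {report['verdict']}")
        for f in report["findings"]:
            print("  -", f)
```

The SPLIT_PROFILE is the weak configuration the paragraph warns about: the laptop talks to 10.10.0.0/16 through the tunnel and to everything else, including the home LAN, directly. FULL_PROFILE is the corrected form. The third verdict is the one people miss: a profile with neither directive is only a full tunnel for as long as the server keeps pushing one.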
Data in Transit
With a partially or fully remote workforce accessing business assets from locations far from the hosted infrastructure, businesses are forced to send data that once transited dedicated Ethernet links and leased fiber or MPLS circuits over untrusted infrastructure. From coffee shops and home wireless networks to cellular access and remote data centers, modern remote access requirements are diverse and may change for a given user regularly.
Nearly all services supporting remote work require sending sensitive data across unmonitored, unmanaged, and potentially hostile networks. Because internet routing is built for reliability rather than for control by either endpoint, the path that traffic takes from a remote user to the business is dynamic and difficult or impossible to predict or manage, and it is open to interception by intermediate service providers and attackers.
In a February 2022 attack suspected to be of Chinese origin, the Border Gateway Protocol (BGP), the routing protocol that directs traffic across the internet, was abused so that traffic was validly routed through transit locations convenient for the attacker to intercept and inspect [1]. The technique is not new; nation-state attackers and e-crime groups alike have used it since at least 2004 [2]. Beyond APTs and e-crime actors, the ISPs along the transit path, which the business cannot control, can also inspect or inject network traffic [3].
To mitigate the risk of sending business data over untrusted infrastructure, a business should treat at least one layer of encryption as mandatory for all business traffic. That layer can sit at the application level, commonly TLS (its predecessor SSL is obsolete and should be disabled), or below it in an IPsec or TLS-based VPN. Businesses should also consider layering encryption to double-wrap sensitive traffic, for example by making remote web applications reachable only over an IPsec-backed VPN and then requiring an HTTPS (TLS) connection to the resource inside that tunnel. Where possible, the two layers should use different encryption algorithms, libraries, and implementations so that a single vulnerability or compromise does not expose the data. (Note: Adlumin supports ingestion of security logs from VPN appliances and firewalls)
Data At Rest
Even with secure remote access carefully implemented, some critical business data tied to IT or other sensitive operations ends up stored locally on the device. Outside the most stringent thin-client deployments, users will have locally stored data on their business device and, at a minimum, sensitive data in browser, application, and memory caches. That data can include sensitive business information, customer or employee PII, chats, emails, credentials, and account details.
To keep data at rest protected, organizations should adopt Full Disk Encryption (FDE) policies backed by sound implementations and encryption algorithms. Most operating systems now ship native full disk encryption: Windows through BitLocker, macOS through FileVault 2, and Linux through dm-crypt with LUKS. FDE protects data only while the device is powered off and the key is not in memory; an unlocked laptop is unprotected, so pair it with a TPM- or PIN-protected key and automatic screen locking. (Note: Adlumin supports ingestion and alerting of logs related to FDE features)
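A policy that says "FDE everywhere" is only as good as the check that every mounted filesystem really sits on an encrypted device. The script below is an added example, not from the article, for the Linux case: it parses the key=value output of lsblk, walks each mounted filesystem up through its parent devices, and reports any mount (swap included, since swap holds memory contents) that never passes through a dm-crypt mapping. The lsblk output shown is constructed; /boot and the EFI system partition are allow-listed as plaintext because the bootloader must read them before any key is available.

```python
"""Check that every mounted filesystem (and swap) sits on a dm-crypt/LUKS
device, using the key=value output of lsblk.

Added example, not from the article. Assumptions: Linux with util-linux
lsblk; an EFI system partition and /boot are expected to be plaintext and
are allow-listed; the sample output below is constructed.
"""
import re
import subprocess

LSBLK_CMD = ["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"]
EXPECTED_PLAINTEXT = {"/boot", "/boot/efi"}   # bootloader reads these before any key exists
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` lines into {name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(PAIR_RE.findall(line))
        devices[rec["NAME"]] = rec       # a multi-parent device keeps its last PKNAME only
    return devices


def is_encrypted(name, devices):
    """True if the device or any ancestor (via PKNAME) is a dm-crypt mapping."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name]["PKNAME"]
    return False


def unencrypted_mounts(lsblk_text, allowed=EXPECTED_PLAINTEXT):
    """Return (mountpoint, device) for each mounted filesystem or swap area not backed by dm-crypt."""
    devices = parse_lsblk_pairs(lsblk_text)
    findings = []
    for name, rec in devices.items():
        mnt = rec["MOUNTPOINT"]
        if not mnt or mnt in allowed:
            continue
        if not is_encrypted(name, devices):
            findings.append((mnt, name))
    return findings


# Constructed `lsblk -P` output: LUKS root with LVM on top, an EFI partition,
# and a second disk with a plaintext data filesystem and plaintext swap.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
NAME="sdb2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sdb"
"""


def check_this_host():
    """Run lsblk on the local machine and return its findings."""
    out = subprocess.run(LSBLK_CMD, check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mnt, dev in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"{mnt} on {dev} is not on a dm-crypt device")
```

On the sample, / and /home pass because the walk from the LVM volumes reaches the cryptroot mapping, while /data and the swap area on the second disk are reported. Running check_this_host() from a configuration-management agent and shipping the result as a log line is the simplest way to turn an FDE policy into something a SIEM can alert on.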
Example of an Attack Enabled by Remote Work
Bob is an employee of Business Bank, which recently shifted many of its onsite staff to work from home on company-owned laptops. Bob also has a personal home computer with an out-of-date antivirus that is several update cycles behind.
His home computer gets infected with malware, and the attacker uses it to attack the Business Bank laptop across the home LAN through an SMB vulnerability. The next time Bob connects the laptop to Business Bank's internal network over the VPN, a ransomware attack is launched against the domain.
Future Prevention Method
In this case, Business Bank could have prevented the incident with tighter security controls and monitoring. Besides changing the host-based firewall policy on the laptop to block inbound traffic that is not required to establish the VPN connection (a client-initiated VPN needs no inbound access from the home LAN at all), it should have deployed a monitoring solution and SIEM to identify the abnormal connection from Bob's home computer.
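The abnormal connection in Bob's story leaves a trace in the laptop's own Windows Firewall log, and a SIEM rule can find it. The script below is an added example, not from the article or from Adlumin's product: it parses entries in the pfirewall.log layout by the column names in the "#Fields:" header, and flags inbound TCP hits on lateral-movement ports (SMB, RPC, RDP, WinRM) whose source is not in the corporate VPN address range. The VPN pool 10.8.0.0/16, the addresses, and the log entries are constructed.

```python
"""SIEM-style detection over Windows Firewall (pfirewall.log) entries:
flag inbound connections to lateral-movement ports from addresses outside
the corporate VPN range.

Added example, not from the article or Adlumin's product. Assumptions:
the VPN hands out addresses from 10.8.0.0/16 (placeholder), the log keeps
the documented '#Fields:' header, and the sample entries are constructed.
"""
import ipaddress

CORPORATE_NETS = [ipaddress.ip_network("10.8.0.0/16")]      # assumed VPN address pool
WATCHED_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


def parse_pfirewall_log(text):
    """Yield one dict per entry, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect_unexpected_inbound(text):
    """Return findings for inbound (RECEIVE) TCP hits on watched ports from non-corporate sources.

    ALLOW entries are 'high' (the host accepted the connection); DROP entries are
    'info' (the policy held, but something on that network is probing the laptop).
    """
    findings = []
    for e in parse_pfirewall_log(text):
        if e.get("path") != "RECEIVE" or e.get("protocol") != "TCP":
            continue
        port = int(e["dst-port"])
        if port not in WATCHED_PORTS or is_corporate(e["src-ip"]):
            continue
        findings.append({
            "time": f"{e['date']} {e['time']}",
            "severity": "high" if e["action"] == "ALLOW" else "info",
            "src": e["src-ip"],
            "dst_port": port,
            "service": WATCHED_PORTS[port],
            "action": e["action"],
        })
    return findings


# Constructed log in the pfirewall.log layout. 192.168.1.50 is Bob's laptop on
# his home LAN, 192.168.1.23 his infected home PC, 10.8.0.42 the laptop's VPN
# address, and 203.0.113.10 the VPN concentrator (documentation address range).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-03-01 19:01:30 ALLOW UDP 192.168.1.50 203.0.113.10 50212 1194 0 - - - - - - - SEND
2022-03-01 19:02:11 ALLOW TCP 192.168.1.23 192.168.1.50 51044 445 0 - 0 0 0 - - - RECEIVE
2022-03-01 19:02:12 DROP TCP 192.168.1.23 192.168.1.50 51045 3389 0 - 0 0 0 - - - RECEIVE
2022-03-01 19:03:40 ALLOW TCP 10.8.0.1 10.8.0.42 49200 445 0 - 0 0 0 - - - RECEIVE
2022-03-01 19:04:02 ALLOW TCP 192.168.1.50 203.0.113.10 50211 443 0 - 0 0 0 - - - SEND
"""

if __name__ == "__main__":
    for f in detect_unexpected_inbound(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['action']} {f['service']}/{f['dst_port']} from {f['src']}")
```

The allowed SMB connection from 192.168.1.23 is the event that should never appear on a laptop whose host policy blocks inbound traffic from the home LAN: a "high" finding there means the policy is missing or misconfigured, and the "info" finding for the dropped RDP probe from the same host is the early warning that a neighbour on Bob's network is hostile. Parsing by the header rather than by fixed column positions keeps the rule working on newer logs that append a pid column.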
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.