
Remote Workforce Security: EDR and Threat Intelligence


Even after a few months, it’s become clear that few organizations were prepared to pivot overnight to supporting an entirely remote workforce. As organizations still seek to remedy this situation, cyber criminals have taken advantage of the vulnerabilities created by the unprecedented move to transition a large percentage of the workforce almost overnight. The Fidelis Threat Research team identified many threat actors capitalizing on the current situation in a recent advisory. For that reason, it’s more imperative than ever that organizations ensure cybersecurity is a core focus of business continuity operations.

Virtual Private Networks (VPNs)

There are many ways to provide remote access for your work-at-home employees. Many organizations right now are implementing Virtual Private Network (VPN) based solutions in which employees access corporate resources through a corporately provided laptop. Choosing how to set up your VPN is a balancing act between performance, security, and reliability.

The biggest consideration is whether to route all traffic from your remote endpoints back to the organization’s infrastructure, or to use split tunneling, which routes some traffic to the corporate infrastructure while other traffic bypasses the VPN and connects directly to the Internet. Routing all endpoint traffic back to the corporate infrastructure is the ideal scenario: it offers more robust security benefits and bakes in existing organizational controls and compliance obligations.

However, this may not be possible for many organizations because it essentially doubles the traffic flowing through your corporate network boundaries: end user activity crosses the VPN, Internet-bound traffic is sent back out over the boundary, and the return traffic comes back into the corporate network and out through the VPN once again.

Split tunneling is an alternative that frees bandwidth by diverting some Internet traffic; however, it comes with the significant downside of exposing endpoints directly to the Internet.

With many corporate services hosted through cloud-based applications, split tunneling offers performance and availability upsides, but it comes with a significant degree of added risk. If you choose to split tunnel, examine the VPN policy to check what traffic is safe to divert away from the corporate security architecture and connect directly to the Internet. Steps should also be taken to fortify your endpoints with Endpoint Detection and Response (EDR) capabilities.
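The full-tunnel versus split-tunnel trade-off above, as an added illustration (not code from the original post or from Fidelis): a small policy audit that applies longest-prefix-match routing to sample flows and flags any traffic that leaves the VPN toward a destination the security team has not reviewed. All prefixes, hostnames and flows are constructed for the example.

```python
import ipaddress

# Constructed policies for the two designs the text contrasts (hypothetical
# prefixes, not a real deployment). Longest prefix wins, so the home-LAN
# exception applies under both policies.
SPLIT_TUNNEL = [
    ("10.0.0.0/8", "tunnel"),       # corporate LAN goes back over the VPN
    ("172.16.0.0/12", "tunnel"),    # corporate server ranges
    ("192.168.0.0/16", "direct"),   # home LAN (printer, NAS) stays local
]                                   # no matching route -> leaves direct
FULL_TUNNEL = [
    ("0.0.0.0/0", "tunnel"),        # everything back to the corporate boundary
    ("192.168.0.0/16", "direct"),   # same local exception
]
# Direct-to-Internet prefixes the security team has reviewed (constructed).
VETTED_DIRECT = ["192.168.0.0/16", "203.0.113.0/24"]

def route_for(dst, policy, default="direct"):
    """Longest-prefix match of dst against policy; unmatched traffic bypasses the VPN."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, action in policy:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else default

def audit_flows(flows, policy, vetted=VETTED_DIRECT):
    """Classify each (host, dst, port) flow and list the ones that leave the VPN
    toward destinations nobody has reviewed: the exposure split tunneling adds."""
    vetted_nets = [ipaddress.ip_network(c) for c in vetted]
    decisions, findings = [], []
    for host, dst, port in flows:
        action = route_for(dst, policy)
        decisions.append((host, dst, port, action))
        if action == "direct" and not any(ipaddress.ip_address(dst) in n for n in vetted_nets):
            findings.append(f"{host}: {dst}:{port} bypasses the VPN to an unvetted destination")
    return decisions, findings

# Constructed flows from one remote laptop.
SAMPLE_FLOWS = [
    ("laptop-17", "10.20.0.5", 443),      # intranet application
    ("laptop-17", "192.168.1.50", 9100),  # home printer
    ("laptop-17", "203.0.113.8", 443),    # vetted SaaS provider
    ("laptop-17", "198.51.100.7", 80),    # arbitrary Internet host
]

if __name__ == "__main__":
    for name, policy in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "tunnel:", audit_flows(SAMPLE_FLOWS, policy)[1] or "no unvetted direct traffic")
```

Under the split-tunnel policy the arbitrary Internet flow is reported; under the full-tunnel policy the same flow is carried back through the corporate boundary and nothing is flagged.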

Zero Trust postures can work well for these types of setups, but they are notoriously complex to stand up, and that complexity is only amplified when immediate time constraints are factored in.


Phishing Vulnerabilities

As detailed in the previously referenced Threat Research Report, Fidelis Security has seen opportunistic phishing activity seeking to take advantage of the current global crisis. While phishing is already a tried-and-true method for attackers, the remote workforce has only increased the opportunity for phishing attacks and disinformation campaigns. This poses another potential downside of split tunneling approaches, which may not be able to filter or detect phishing attacks as effectively.

This calls for extra precautions, such as deploying EDR capabilities to remote devices to protect them against malicious activity such as phishing attacks. EDR also helps with incident response should a device become infected (see Incident Response below). Organizations should also take this time to remind their employees how to recognize and report phishing attempts, so that any attempts are properly reported, documented, and protected against.

Incident Response

Even the best security postures are ultimately vulnerable to end user behavior. If an employee’s laptop does become compromised while connected through your VPN, it becomes an avenue for attackers to gain lateral or escalating access and compromise more assets. EDR is also useful in this scenario for incident response. Deploying agents to your remote worker devices enables security teams to remotely determine the extent of the infection, quarantine and clean up infected machines, and get them back up and operating.

EDR solutions should also provide automation features to enable your security operations team to remotely and globally change device configurations and deploy updated cybersecurity detection and response rules to your EDR agents, allowing you to deploy synchronized changes across your distributed assets in response to an intrusion and/or emerging cyber threats.


Threat Intelligence

If one thing is certain, it is that threats do not remain static. Threats will continue to adapt and evolve rapidly, and your defenses against them must evolve as well. Having a good source of both internal and external threat intelligence is vital for organizations to adapt their defenses and stay one step ahead of attackers. Most threat intelligence also includes updated indicators and detection rules (STIX/TAXII feeds, YARA rules, etc.) for emerging and evolving threats that can be automatically deployed within your network and to your EDR agents to keep defenses for your remote employees up to date.

Stay on Top of the Best Practices

In this vein, it is also crucial that organizations observe basic security best practices, including staying current with updates and patching. Once again, EDR can assist by generating an inventory of the software loaded on your endpoints, comparing that inventory against published CVEs, and reporting the update and patch status of each endpoint. In addition, EDR can report other threat indicators, such as reads and writes to USB devices and excessive processor and disk utilization. This reporting enables your security operations team to track your exposure to threats in real time and coordinate remediation of unpatched devices.

We’ve focused primarily on challenges related to working from home; however, the same cybersecurity hygiene guidance applies to the business-critical systems, websites, VPNs, and supporting infrastructure that enable us to continue serving our customers throughout the quarantine.
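The inventory-versus-CVE comparison described above, as an added example (not code from the original post or from any EDR product): it takes a constructed per-endpoint software inventory and a constructed advisory feed, works out which advisories are still outstanding on each host by comparing installed versions with the fixed-in version, and summarises patch status for triage. The CVE identifiers are placeholders, and the products, versions and hostnames are invented for the example.

```python
# Constructed advisory feed: product, version that fixes the issue, severity.
# The identifiers are placeholders, not real CVE numbers; versions below
# fixed_in are treated as affected.
ADVISORIES = [
    {"id": "CVE-XXXX-0001 (placeholder)", "product": "vpnclient", "fixed_in": "5.2.1", "severity": "high"},
    {"id": "CVE-XXXX-0002 (placeholder)", "product": "pdfreader", "fixed_in": "11.0.4", "severity": "medium"},
    {"id": "CVE-XXXX-0003 (placeholder)", "product": "browser", "fixed_in": "82.0.0", "severity": "critical"},
]

# Constructed software inventory as EDR agents might report it: host -> {product: version}.
INVENTORY = {
    "laptop-17": {"vpnclient": "5.1.0", "pdfreader": "11.0.4", "browser": "81.5.2"},
    "laptop-23": {"vpnclient": "5.2.1", "pdfreader": "10.9.0", "browser": "82.0.0"},
    "laptop-31": {"vpnclient": "5.2.1", "browser": "82.1.0"},
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def parse_version(v):
    """Dotted numeric version -> tuple, so '10.9.0' < '11.0.4' compares correctly."""
    return tuple(int(part) for part in v.split("."))

def exposure(inventory, advisories):
    """host -> list of (advisory id, product, installed, fixed_in, severity) still outstanding."""
    report = {}
    for host, software in inventory.items():
        findings = []
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is not None and parse_version(installed) < parse_version(adv["fixed_in"]):
                findings.append((adv["id"], adv["product"], installed, adv["fixed_in"], adv["severity"]))
        report[host] = findings
    return report

def patch_status(report):
    """Per-host status: 'patched', or the highest outstanding severity, for the SOC to triage."""
    status = {}
    for host, findings in report.items():
        if not findings:
            status[host] = "patched"
        else:
            worst = max(findings, key=lambda f: SEVERITY_RANK[f[4]])
            status[host] = f"{worst[4]} exposure ({worst[1]} {worst[2]} -> {worst[3]})"
    return status

if __name__ == "__main__":
    for host, line in patch_status(exposure(INVENTORY, ADVISORIES)).items():
        print(host, line)
```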

Compliance, Protection of PII, and Data Management

If I could summarize everything just discussed, it would be in terms of protecting your data through its entire lifecycle. You need to think through how your sensitive data and your customers’ sensitive data are protected, in terms of both confidentiality and integrity, as you move to remote operations. That data is now created, copied, and maintained on mobile endpoints scattered across your employees’ homes, and it is a prime target for cyber criminals. As more and more businesses begin to open again, those mobile devices will become mobile again, potentially exposing that sensitive data to loss or theft.

Some things to consider:

  • Is the data encrypted at rest (or, preferably, encrypted at the individual data record level) on your remote employees’ device(s)?
  • Is the data automatically backed up to your corporate servers or to the cloud so that you can maintain a corporate record of all critical data?
  • Do you have adequate monitoring on your endpoints to detect misuse by your employees or data exfiltration by an attacker?

Not to sound like a broken record, but once again, an EDR solution can help by flagging and alerting your security operations team to anomalous activity occurring on your endpoints, allowing them to investigate before it’s too late.

Many EDR solutions include behavioral analytics backed by Machine Learning, which can significantly increase your ability to detect employee misuse (e.g., unusual employee work patterns) and/or exfiltration of sensitive data.

A suggestion would be to review your business workflows (particularly those involving work-at-home employees accessing sensitive data) and validate that the workflows continue to meet your compliance and data protection rules and regulations.

Last but not least, your work at home employees will likely be getting their Internet access via a home network, so it certainly helps to ensure your remote workers are securing those networks with best practices.

About Author

Joe Kattner

Joe has over 35 years of experience working as a systems, network, and security engineer. He is a US Navy veteran who has worked at leading communications, network, and technology companies. As a cybersecurity research and development engineer, he guided product selection and network security architecture for some of the largest programs in the US Navy. Joe has written many papers, articles, and frequently speaks on cybersecurity topics at security conferences and customer events.
