Even after a few months, it’s become clear that few organizations were prepared to pivot overnight to supporting an entirely remote workforce. As organizations still seek to remedy this situation, cyber criminals have taken advantage of the vulnerabilities created by the unprecedented move to transition a large percentage of the workforce almost overnight. The Fidelis Threat Research team identified many threat actors capitalizing on the current situation in a recent advisory. For that reason, it’s more imperative than ever that organizations ensure cybersecurity is a core focus of business continuity operations.
Virtual Private Networks (VPNs)
There are many ways to provide remote access for your work-at-home employees. Many organizations right now are implementing a Virtual Private Network (VPN) based solution in which employees access corporate resources through a corporately provided laptop. Choosing how to set up your VPN is a balancing act between performance, security, and reliability. The biggest consideration is whether to route all traffic from your remote endpoints back to the organization’s infrastructure, or to use split tunneling to route some traffic to the corporate infrastructure while other traffic bypasses the VPN and connects directly to the Internet. Routing all endpoint traffic back to the corporate infrastructure would be the ideal scenario, offering more robust security benefits and baking in existing organizational protocols and compliance obligations. However, this may not be possible for many organizations, because it essentially doubles the traffic flowing through your corporate network boundaries: end user activity crosses over the VPN, Internet-bound traffic is sent back out over the boundary, and the return traffic then comes back into the corporate network and out through the VPN to the endpoint.
Split tunneling is an alternative that frees bandwidth by diverting some Internet traffic; however, it comes with the significant downside of exposing endpoints directly to the Internet. With many corporate services hosted through cloud-based applications, split tunneling offers performance and availability upsides, but comes with a significant degree of added risk. If you choose to split tunnel, examine the VPN policy to check what traffic is safe to divert away from the corporate security architecture and connect directly to the Internet. Steps should also be taken to fortify your endpoints with Endpoint Detection and Response (EDR) capabilities. Zero Trust postures can work well for these types of setups, but are notoriously complex to stand up, and that is only amplified when immediate time concerns are factored in.
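As an added illustration (not from the original post), the following Python script models how a VPN client's pushed routes decide which destinations traverse the tunnel and which bypass it; the route tables and destination addresses are constructed, and the longest-prefix lookup is the same rule a real routing table applies.

```python
# Added example, not from the original post: evaluate which destinations a VPN
# client's pushed routes send through the tunnel and which go straight to the
# Internet. Route tables and destination addresses below are constructed.
import ipaddress

# Constructed route tables as a VPN client would install them. Each entry is
# (prefix, next-hop label); the longest matching prefix wins, as in a real kernel.
FULL_TUNNEL = [("0.0.0.0/0", "vpn")]
SPLIT_TUNNEL = [
    ("10.0.0.0/8", "vpn"),       # corporate data-centre ranges
    ("10.99.0.0/16", "direct"),  # carve-out: a range the policy excludes from the tunnel
    ("172.16.0.0/12", "vpn"),    # internal services
    ("0.0.0.0/0", "direct"),     # everything else bypasses the VPN
]

def next_hop(routes, dst):
    """Return the next-hop label for dst using longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "unreachable"

def bypassing_destinations(routes, destinations):
    """Destinations that reach the Internet without crossing the corporate
    security stack; each one is something a split-tunnel review must justify."""
    return [d for d in destinations if next_hop(routes, d) != "vpn"]

# Constructed destinations: internal server, carved-out internal range,
# SaaS host (documentation range), arbitrary Internet host (documentation range).
DESTINATIONS = ["10.20.30.40", "10.99.1.1", "203.0.113.10", "198.51.100.5"]

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}: bypasses VPN for {bypassing_destinations(table, DESTINATIONS)}")
```

Running it shows that the full-tunnel table sends everything through the VPN, while the split-tunnel table exposes the carved-out range and all non-corporate addresses directly.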
As detailed in the previously referenced Threat Research Report, Fidelis Cybersecurity has seen opportunistic phishing activity seeking to take advantage of the current global crisis. While phishing is already a tried and true method for attackers, the remote workforce has only increased the opportunity for phishing attacks and disinformation campaigns. This poses another potential downside for split tunneling approaches, which may not be able to filter or detect phishing attacks as effectively. This requires extra precautions, such as deploying EDR capabilities to remote devices to protect them against malicious activity such as phishing attacks. EDR also helps with incident response should a device become infected (see incident response below). Organizations should also take this time to update their employees on how to recognize and report phishing attempts, to ensure that any attempts are properly reported, documented, and protected against.
Even the best security postures are ultimately vulnerable to end user behavior. If an employee’s laptop does become compromised and is connected through your VPN, it becomes an avenue for attackers to gain lateral or escalating access and compromise more assets. EDR is also useful in this scenario for incident response. Deploying agents to your remote worker devices will enable security teams to remotely determine the extent of the infection, quarantine and clean up infected machines, and get them back up and operating. EDR solutions should also provide automation features that enable your security operations team to remotely and globally change device configurations and deploy updated cybersecurity detection and response rules to your EDR agents, allowing you to push synchronized changes across your distributed assets in response to an intrusion and/or emerging cyber threats. If you are interested in seeing a demo of these incident response capabilities in action, I encourage you to watch our recent on-demand webinar, Speed Your Incident Response Capability.
If one thing is certain, it is that threats do not remain static. Threats adapt and evolve rapidly, and will continue to, so your defenses against them must evolve as well. Having a good source of both internal and external threat intelligence is vital for organizations to adapt their defenses and stay one step ahead of attackers. Most threat intelligence also includes updated detection rules (STIX, TAXII, YARA, etc.) for emerging and evolving threats that can be automatically deployed within your network and to your EDR agents to keep defenses for your remote employees up to date.
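As an added illustration (not part of the original post), this Python script turns STIX 2.1 indicator patterns from a feed into match rules and runs them over constructed EDR telemetry; the bundle, indicator ids and events are placeholders, and only the simplest comparison form is parsed.

```python
# Added example, not from the original post: convert STIX 2.1 indicator
# patterns from a threat-intelligence feed into match rules and run them over
# EDR telemetry. Bundle, indicator ids and events are constructed placeholders.
import json
import re

# Constructed STIX 2.1 bundle with two indicators (ids are placeholders).
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[domain-name:value = 'phish.example']"},
]})

# Only the simplest STIX comparison form, [path = 'value'], is handled here.
_COMPARISON = re.compile(r"\[\s*([\w:.'-]+)\s*=\s*'([^']*)'\s*\]")

# STIX object path -> field name used in the constructed EDR events below.
PATH_TO_FIELD = {"file:hashes.'SHA-256'": "sha256", "domain-name:value": "domain"}

def load_rules(bundle_json):
    """Return (indicator id, event field, expected value) for supported patterns."""
    rules = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _COMPARISON.fullmatch(obj["pattern"])
        if m and m.group(1) in PATH_TO_FIELD:
            rules.append((obj["id"], PATH_TO_FIELD[m.group(1)], m.group(2).lower()))
    return rules

def match_events(rules, events):
    """Return (event index, indicator id) pairs for telemetry that hits a rule."""
    return [(i, ind_id) for i, ev in enumerate(events)
            for ind_id, field, value in rules
            if ev.get(field, "").lower() == value]

# Constructed EDR telemetry: a process start with its file hash and DNS lookups.
EVENTS = [
    {"type": "process", "sha256": "ab" * 32, "image": "C:\\Temp\\invoice.exe"},
    {"type": "dns", "domain": "phish.example"},
    {"type": "dns", "domain": "intranet.corp.example"},
]

if __name__ == "__main__":
    print(match_events(load_rules(STIX_BUNDLE), EVENTS))
```

Indicators whose pattern uses operators beyond a single equality are skipped rather than guessed at, so a production pipeline would need a full STIX pattern parser.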
Stay on Top of the Best Practices
In this vein, it is also crucial that organizations observe basic security best practices, including staying up to date with updates and patching. Once again, EDR can assist by generating an inventory of the software loaded on your endpoints, comparing that against published CVEs, and reporting the update and patch status of each endpoint. In addition, EDR can be used to report other threat indicators, such as reads and writes to USB devices and excessive processor and disk utilization. This reporting enables your security operations team to track your exposure to threats in real time and coordinate remediation of unpatched devices. Though I’ve focused primarily on challenges related to work at home, the same cybersecurity hygiene guidance applies to the business-critical systems, websites, VPNs, and supporting infrastructure that enable us to continue to support our customers throughout the quarantine.
Compliance, Protection of PII, and Data Management
If I could summarize everything just discussed, it would be in terms of protecting your data through its entire lifecycle. You need to think through how your sensitive data and your customers’ sensitive data is protected, in terms of both confidentiality and integrity, as you move to remote operations. That data is now created, copied, and maintained on mobile endpoints scattered across your employees’ homes, and it is a prime target for cyber criminals. As more and more businesses begin to open again, those mobile devices will become mobile again, potentially exposing that sensitive data to loss or theft. Some things to consider: Is the data encrypted at rest (or, preferably, encrypted at the individual data record level) on your remote employees’ devices? Is the data automatically backed up to your corporate servers or to the cloud so that you can maintain a corporate record of all critical data? Do you have adequate monitoring on your endpoints to detect misuse by your employees or data exfiltration by an attacker? Not to sound like a broken record, but once again, an EDR solution can help by flagging anomalous activity occurring on your endpoints and alerting your security operations team so they can investigate before it’s too late. Many EDR solutions include behavioral analytics backed by machine learning, which can significantly increase your ability to detect employee misuse (e.g., unusual employee work patterns) and/or exfiltration of sensitive data. A suggestion would be to review your business workflows (particularly those involving work-at-home employees accessing sensitive data) and validate that the workflows continue to meet your compliance and data protection rules and regulations.
Security of Home Networks
Last but not least, your work-at-home employees will likely be getting their Internet access via a home network, so it certainly helps to ensure your remote workers are securing those networks with best practices. If you need a refresher, our CISO, Chris Kubic, published best practices for end user cybersecurity here.