More and more organisations across the globe are starting to have their employees and contractors work remotely. The number of people working from home will only increase over the next few weeks as the British government has recommended that people who show “minor” symptoms should self-isolate.
While many enterprises have remote access for their IT support personnel, providing remote access for a large number of employees and contractors across various departments is likely to pose several new challenges for organisations not used to scaling up to these requirements.
Employees working in new conditions will flood the help desk with reset requests, so prepare your IT support for password-reset attacks. Beyond that, here are some other security-related best practices that will help you keep your business secure, whether working from home or the office:
1. Log all remote access events.
Attribute the events to the associated user, and monitor for anomalies using your security monitoring tools (SIEM/UEBA).
2. Monitor your data exfiltration points.
Users may claim that they need data downloaded on their machines/drives to work from home. While this may be true, it is critical to monitor, attribute and analyse logs from key exfiltration points, including VPN, DLP, O365 and Box, to detect any malicious exfiltration attempts. This may become increasingly difficult when the workforce migrates to working from home en masse.
3. Log and monitor access events and transactions on critical applications.
As more and more business applications are being accessed remotely, it is important to monitor any anomalies on critical applications.
4. Monitor user entitlement (user access privileges) on Active Directory and Critical Applications.
Monitor for anomalies such as:
– use of terminated user accounts that are still active
– sudden privilege escalations
– use of dormant accounts
5. Monitor for credential sharing.
A sudden work from home scenario is also likely to encourage employees to share credentials to get quick access, avoiding the long access request process. Monitor specifically for land-speed anomalies such as:
– a user simultaneously logging in from multiple locations
– a user badged in and logging in remotely
6. Monitor remote access devices because malicious threat actors are more likely to target remote access devices.
It is important to factor in such actors purchasing remote access credentials that can be used for exploits from remote access credential shops (“RDP shops”) on the dark web. They will seek to capitalise on the additional attack surface due to the increase in working from home/teleworking.
In addition to proactively monitoring your internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance regarding securing enterprise and teleworking access to implement the additional required controls to help further mitigate the risks associated with malicious threat actors obtaining and exploiting RDP shop-based access credentials.
7. Ensure that your internet-facing VPN/RDP servers are up-to-date and ready for spikes in remote access/WFH activity in light of the current virus outbreak situation.
8. Beware of the Coronavirus-related phishing schemes and fake alerts/health advisories.
We’ve been observing some of the malicious phishing implants increasingly evading sandboxing/detonation. The recommendation is to implement a more in-depth “assume breach” approach in your environment. By anticipating that your IOC and sandbox-based checks will fail, you make sure you also have checks and monitoring in place for detecting staging and post-exploitation activity.
9. Enforce multi-factor authentication where possible.
Dictionary attacks are the most common way of compromising credentials on internet-facing devices. With the increase in remote access for employees, contractors and business partners, you should consider enforcing strong authentication and authorisation controls to minimise the risk of compromise.
10. Enforce peer-based and Separation of Duty (SOD) checks.
With a ton of employees requesting remote access, the business is likely to push to get employees as much access as possible to avoid business disruption. However, it is important for security and IT teams to look for SOD checks, and peer-based checks to ensure the access granted is aligned to the job role of the employee.
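The land-speed check from item 5, sketched as detection logic over authentication events. This is an added example, not code from the article or from any product: the event tuples, coordinates and both thresholds are constructed assumptions, and it treats "badged in and logging in remotely" as the same impossible-travel test applied across badge and VPN sources.

```python
import math
from datetime import datetime

# Constructed sample events (not real logs): (ISO time, user, source, lat, lon).
# "vpn" is a remote login geolocated by source IP; "badge" is a door reader.
EVENTS = [
    ("2020-03-16T08:02:00", "alice", "badge", 51.5074, -0.1278),   # London office
    ("2020-03-16T08:40:00", "alice", "vpn",   40.7128, -74.0060),  # New York
    ("2020-03-16T09:00:00", "bob",   "vpn",   53.4808, -2.2426),   # Manchester
    ("2020-03-16T13:30:00", "bob",   "vpn",   51.5074, -0.1278),   # London, 4.5 h later
    ("2020-03-16T10:00:00", "carol", "vpn",   48.8566, 2.3522),    # Paris
    ("2020-03-16T10:00:00", "carol", "vpn",   35.6762, 139.6503),  # Tokyo, same second
]

MAX_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0     # assumed tolerance for IP-geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def land_speed_alerts(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Compare each event with the same user's previous one; flag impossible travel."""
    alerts, last = [], {}
    for ts, user, src, lat, lon in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_src, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Zero elapsed time with real distance is a simultaneous login.
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                kind = "badge+remote" if "badge" in (p_src, src) else "multi-location"
                alerts.append((user, kind, round(km)))
        last[user] = (when, src, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, kind, km in land_speed_alerts(EVENTS):
        print(f"ALERT {user}: {kind}, {km} km apart")
```

The distance floor keeps ordinary IP-geolocation drift within one city from alerting; VPN egress points and mobile carrier gateways will still need allow-listing in practice.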
With a little preparation and putting security teams on alert, organisations could play a big part in containing both the spread of the coronavirus and any associated security risks.
Sachin Nayyar is Chief Executive Officer at Securonix