The challenges of securing a remote workforce [Q&A]

The current coronavirus crisis has led to a massive surge in numbers of people working from home. But that raises a whole raft of problems in keeping people and data secure.

We spoke to Nitin Agale, SVP, product and strategy at security automation specialist Securonix, to find out more about the challenges and how organizations can address them.

BN: How prepared are organizations to secure a remote workforce?

NA: Globally, the vast majority of businesses have enforced work-from-home policies for their employees and contractors. Opening up this kind of remote access for workers across all departments is a new experience for many organizations. While a lot of them already have remote access for their IT support personnel, allowing access for all major departments and a number of outside contractors -- including access to core business processes -- poses a new set of challenges.

For companies that have not historically allowed people to work from home, this has forced a rapid change in business culture. The shift is exacerbated by the existing trend toward using cloud applications in the enterprise. It introduces new requirements for dealing with security risks as well as compliance. Organizations must continue to make adjustments so they can effectively monitor and respond to threats.

BN: What logging and monitoring challenges does a remote workforce present, and what steps should be taken in securing this environment?

NA: The main challenges are that a lot more users will suddenly be logging in from remote locations, using a variety of devices. Companies can take a number of steps to secure this environment:

• Log all remote access events. Attribute the events to the associated user, and monitor for anomalies using security monitoring tools (SIEM/UEBA).
• Monitor data exfiltration points. Several users will claim they need data downloaded on their machines/drives to work from home. It is critical to monitor, attribute, and analyze logs from key exfiltration points, including VPN, DLP, O365 and Box, to detect any malicious exfiltration attempts.
• Log and monitor access events and transactions. As more and more business applications are being accessed remotely, it is important to monitor any anomalies on critical applications.
• Monitor user entitlement (user access privileges) on Active Directory and Critical Applications. Monitor for anomalies such as the use of terminated user accounts that are still active, sudden privilege escalations, and the use of dormant accounts.
• Monitor for credential sharing. Enforcing sudden work from home policies is likely to encourage employees to share credentials to get quick access to avoid the long access request process. Monitor specifically for anomalies such as users simultaneously logging in from multiple locations.

BN: What unique malware campaigns are accompanying COVID-19?

NA: With the notable increase in the number of domains created using the words 'corona' or 'covid19', the Securonix Threat Research Team has confirmed a number of malicious domains:

insiderppe[.]cloudapp[.]net, coronavirusstatus[.]space, coronavirus-map[.]com, blogcoronacl.canalcero[.]digital, coronavirus[.]zone, coronavirus-realtime[.]com, coronavirus[.]app, bgvfr.coronavirusaware[.]xyz, coronavirusaware[.]xyz, corona-virus[.]healthcare, survivecoronavirus[.]org, vaccine-coronavirus[.]com, coronavirus[.]cc, bestcoronavirusprotect[.]tk, coronavirusupdate[.]tk, Coronavirusapp[.]site, Gulf-builders[.]com, marchadvertisingnetwork*[.]com

The team has observed traffic on a subset of these domains at a few customer organizations. Upon further research and collaborated investigations with some of our customers, we have noticed attempts at accessing the registry settings for applications installed on the endpoints, with an intention of stealing credentials and other information stored in the user browsers.

Recommended actions for stopping malware include: enable proactive block rules on firewalls, proxy devices, and other in-line security tools to stop communication with these domains; reset passwords for the users who have visited such domains.

BN: How are cyber criminals leveraging COVID-19 for phishing attacks and what approach should organizations take to prevent this?

NA: We've been observing some of the malicious phishing implants increasingly evading sandboxing/detonation. Our recommendation is to implement a more in-depth, 'assume breach,' approach in your environment, expecting that if your IOC and sandbox-based checks fail, you have checks and monitoring related to the staging/post-exploitation detection.

Our Threat Research Team has observed more than 5,000 unique domains created recently with the words 'corona' or 'covid' in them, and organizations get an average of 350 emails each day from external senders about the topic. This illustrates the importance of having advanced phishing detection behavior indicators enabled in your environment.

Among other tactics, attackers are using specially crafted weaponized documents or links with the theme of exploiting the public’s fears and concerns about coronavirus by impersonating the Centers for Disease Control and Prevention (CDC), disguising as internal employees.

BN: What challenges does remote access present in both security and employee productivity, and how should organizations address them?

NA: Malicious threat actors are more likely to target remote access devices. It's important to factor in the risk of such actors purchasing remote access credentials on the dark web that can be used to exploit the additional attack surface.

While proactively monitoring your Internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance regarding securing enterprise and telework access to implement the additional required controls. This will help further mitigate the risks associated with malicious threat actors.

Furthermore, dictionary attacks are one of the most common ways to compromise credentials on Internet-facing devices. With an increase in remote access for employees, contractors, and business partners, companies should consider enforcing strong (multi-factor) authentication and authorization controls to minimize risk of compromise.

And with so many more employees requesting remote access, businesses are likely to push to get them as much access as possible to avoid business disruption. However, it’s important for security and IT teams to look for separation of duties (SOD) checks and peer-based checks, to ensure the access granted is aligned to the job role of the employee.

Finally, companies need to conduct productivity monitoring to ensure the change in work environments does not have a negative impact. Working remotely comes with its own sets of distractions, and the primary goal with productivity monitoring is to ensure that business continuity is not impacted with a decline in employee output.

Image credit: londondeposit/depositphotos.com