You’re probably reading this from your laptop, likely from home, while connected over WiFi to your corporate VPN and waiting for a remote meeting that’s about to start in 30 minutes. Welcome to the new normal. More than a billion people today are, like you and me, working from home – and chances are that this remote setup is somewhat of a slapdash arrangement, because COVID-19 (or to be more accurate SARS-CoV-2) has turned our lives upside down.
But the pandemic is not just a health threat and an economic threat. While companies struggle to find ways to survive, cyber crime and threat actors are presented with the opportunity of a lifetime amidst the chaos and confusion: high-profile individuals, system administrators and general users are now working outside the corporate firewall, many of them on an unsecured laptop using a network that, in all likelihood, is more family-friendly than enterprise-secure.
New Environment, New Challenges
When intellectual property and sensitive or personal information is handled, the measures adopted within a company’s network can’t easily be translated to a home environment. Attackers will concentrate on this aspect to try and breach hard targets from a different angle. When a network is shared, every user is a viable candidate and for some targets, it will be easier to first attack a family member and then move laterally to the intended victim.
Access to the corporate network and locally stored documents changed completely as countries went into lockdown or quarantine. Access to a resource is designed around a need-to-access paradigm. For example, payroll data might not be designed to be accessed from outside the payroll office. So what happens when the payroll office goes remote? That inaccessible data now has to become accessible from a location that was never intended to be remote. All these issues can be solved, but in times of emergency business continuity becomes the priority, and security inevitably lags behind.
Let’s Start with Ransomware
This is the low-hanging fruit for attackers. There is a convenient access point – remote employees – to the corporate network that can be used to launch highly successful attacks. We have seen the Ryuk and Sodinokibi ransomware gangs exploit corporate networks to launch crippling attacks against large infrastructures. The Maze ransomware gang, known to leak victims’ data when the ransom goes unpaid, allegedly managed to compromise Chubb. Even – perhaps especially – hospitals, now our first and best line of defense against COVID-19, are being heavily targeted by unscrupulous organizations looking to make a profit.
We will see more ransomware – and wiper – cases like this, simply because it’s easier to access the corporate network from unsecured devices. And what about more sophisticated threat actors?
High-profile attackers are those that will benefit the most from a remote workforce. Security teams now have slower reaction times and different response capabilities. Executives are now working in very different environments. It will become much easier for high-profile attackers to get a foothold within a target infrastructure and to maintain persistence, taking advantage of security teams that are now under (even) more stress than usual, having to maintain a large remote user base. Individuals working for high-profile organizations will be targeted even more in their personal capacity and used as a bridge into the corporate network.
Remediation and eradication activities will also have to adapt: it is now harder than usual to take a laptop, reimage it and give it back to the owner when physical access is not even possible. It’s hard to block unwanted traffic at the network level when users are mostly outside the corporate firewall, and it’s not possible to properly inspect traffic when the company proxy is out of reach. All these elements play heavily in favour of attackers: they reduce the chance of spotting an attack early, let exfiltration attempts go entirely unnoticed and make threat hunting and remediation even harder than usual. So the question becomes: how do we secure a fleet of endpoints that is barely under the company’s control?
Securing the Endpoints
Firewalls and proxies are out of the game, network analysis is limited and critical data is now on a remote device. It’s time to secure the endpoints. It’s reasonable to expect that most malicious activity will shift to the endpoints in various forms, either via malware taking advantage of our thirst for information about the pandemic or via phishing. Zoom – under the community’s scrutiny for the company’s approach to privacy – is an obvious target, as attackers are already preparing phishing campaigns aimed at its user base, but the same goes for other productivity tools such as Slack or Microsoft Teams. If visibility is key to detecting attackers, endpoints are now more than ever where attention should be focused. Working remotely doesn’t have to mean losing visibility and response capabilities. Today platforms like ReaQta-Hive help to save time, reduce the attack surface and maintain complete visibility even with a completely remote workforce.
Threat hunting capabilities remain unaltered when endpoints are monitored, and remote response capabilities enable security teams to stop attacks at the onset. Remediating a compromised endpoint no longer requires physical access: it becomes a routine operation that can be carried out from anywhere, in real time, automatically.
A Completely Free BCP Initiative
We understand that companies are under unusual stress – or rather, they’re all facing a situation that has literally no precedent in the modern world – but this doesn’t mean giving way to attackers. Accumulating security debt in favor of remote work is the type of tradeoff that has a terrible return in both the short and the long term.
At ReaQta we have activated a BCP (Business Continuity Plan) to help organizations keep their infrastructures secure at no cost. Our team of volunteers offers business-hours monitoring and response via ReaQta-Hive MDR, entirely for free and with no strings attached.
If you think security is something you can’t compromise on and you have no time to waste, just apply and we’ll be happy to help you: ReaQta BCP has been designed to help you when you need it the most. It’s a difficult time and we are all in it together; if we stick together we’ll make it, and hopefully the old normal will be closer than we expect.