Globally, more and more organizations are beginning to enforce work from home policies for employees and contractors. Opening up this kind of remote access for employees and contractors across all departments is new for many organizations. While several organizations have remote access for their IT support personnel, allowing access for all major departments, including core business, in addition to contractors, poses a new set of challenges. Here are some ideas on keeping your organization secure in this new environment:
- Log all remote access events: Attribute the events to the associated user, and monitor for anomalies using your security monitoring tools (SIEM/UEBA).
- Monitor your data exfiltration points: Several users will claim they need data downloaded on their machines/drives to work from home. It is critical to monitor, attribute, and analyze logs from key exfiltration points, including VPN, DLP, O365 and Box, to detect any malicious exfiltration attempts.
- Log and monitor access events and transactions: As more and more business applications are being accessed remotely, it is important to monitor any anomalies on critical applications.
- Monitor user entitlement (user access privileges) on Active Directory and Critical Applications: Monitor for anomalies such as the use of terminated user accounts that are still active, sudden privilege escalations and the use of dormant accounts.
- Monitor for credential sharing: Enforcing sudden work from home policies is likely to encourage employees to share credentials to get quick access to avoid the long access request process. Monitor specifically for landspeed anomalies such as users simultaneously logging in from multiple locations and users badged in and logging in remotely.
- Monitor remote access devices: Malicious threat actors are more likely to target remote access devices. It is important to factor in the risk of such actors purchasing remote access credentials from the remote access creds/"RDP shops" on the dark web that can be used to exploit the additional attack surface in the context of the increase in working from home/teleworking.
While proactively monitoring your internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance regarding securing enterprise and telework access to implement the additional required controls to help further mitigate the risks associated with malicious threat actors obtaining and exploiting RDP shop-based access credentials.
- Ensure that your internet-facing VPN/RDP servers are up-to-date and ready for spikes in remote access/WFH activity in light of the current virus outbreak situation.
- Beware of the Coronavirus-related phishing schemes and fake alerts/health advisories: We've been observing some of the malicious phishing implants increasingly evading sandboxing/detonation. Our recommendation is to implement a more in-depth, "assume breach," approach in your environment, expecting that if your IOC and sandbox-based checks fail, you have checks and monitoring related to the staging/post-exploitation detection.
- Enforce multi-factor authentication where possible: Dictionary attacks are one of the most common ways to compromise credentials on internet-facing devices. With an increase in remote access to employees, contractors and business partners, you should consider enforcing strong authentication and authorization controls to minimize risk of compromise
- Enforce peer-based and SOD checks: With a ton of employees requesting remote access, businesses are likely to push to get employees as much access as possible to avoid business disruption. However, it is important for security and IT teams to look for SOD checks, and peer-based checks to ensure the access granted is aligned to the job role of the employee.
SachinNayyar, Securonix, CEO,