The COVID-19 crisis was an unprecedented opportunity for attackers. Now, many may be ready to strike.
By Carolyn Crandall, Chief Deception Officer, Attivo Networks
The COVID-19 pandemic has forced countless millions of people to work remotely, and the rush to enable that remote work created opportunities for attackers to infiltrate corporate networks due to new devices, unmanaged endpoints, security gaps, and other issues. Now that the initial adjustment period is over, some businesses believe that the imminent danger has passed because they have yet to experience an attack. Unfortunately, this may not be the case. There is reason to believe that attackers may be hiding under the surface, lurking in corporate networks, and preparing to emerge and do damage. We will likely soon see new attacks as attackers begin to make their demands known.
Recent studies show that dwell time—the period that attackers spend inside the network before detection—is now just under 60 days for incidents discovered externally, though this can expand into months or even years for more advanced attacks. As the COVID-19 lockdown pushes past its third month, that 60-day threshold has begun to pass. Attackers who have been biding their time may soon be ready to strike.
Today’s ransomware attackers don’t operate like they used to. While older ransomware attacks tended to be “smash and grab” operations stealing and encrypting any data they could, human-operated Ransomware 2.0 involves attackers spreading throughout the network to identify and target the most valuable information for the highest financial gain. For the largest possible payout, attackers want to take down a whole organization, not just one machine. Quickly spreading throughout the network to establish a stronger foothold is the smartest move, and given that the average ransomware payout was over $111,000 in Q1 2020 (up 33% from the previous quarter), the strategy appears to be working.
The COVID-19 Lockdown Has Created New Opportunities
The extensive remote work necessitated by COVID-19 has, unfortunately, exacerbated the issue. Most businesses simply were not prepared for this volume of employees working from home, and the sudden onset of the crisis meant that they had to make security compromises in the spirit of achieving service availability. Naturally, both technology-based and human-based security issues have arisen as a result.
Network endpoints are more exposed, as employees access the network from the outside rather than from within. Employees are pulling data out of the company that may never have been off-premises before, creating opportunities for attackers to target less secure machines. Similarly, attackers are entering the network via split-tunneling VPNs, which separate personal employee traffic from company networks but do not apply all the traditional security controls needed to protect the remote systems from attacks. Multi-factor authentication can help verify identity as employees work remotely, but some organizations still do not mandate its use, and it is not always effective against targeted attacks.
Phishing and other scams have also noticeably increased during the lockdown, preying on employees who are distracted or flustered by the sudden shift in routine and underscoring the fact that organizations have less control over employees working remotely. The number of BYOD devices (laptops, routers, access points, etc.) on the network has increased, and it is harder to verify that employees are doing things like installing security updates promptly, creating potential vulnerabilities. Even employee turnover can create openings for attackers, as it can be harder to verify the full removal of stored credentials and other attack paths from all applications and systems. Given that misused or stolen credentials continue to be at the center of countless breaches, this poses a significant threat.
There are tools designed to help protect against these new threats, but they require effective security controls at multiple levels of the network. Traditional Endpoint Protection Platforms (EPPs) and Endpoint Detection and Response (EDR) tools try to stop attacks at the initial compromise of the system. Still, given the potential new vulnerabilities created by extensive remote work, attackers may have an easier time bypassing those tools during the current crisis, highlighting the importance of overlapping security controls and building in a safety net to boost detection capabilities.
Assessing and Addressing These New Risks
A balance of security controls is necessary for initial compromise, lateral movement, privilege escalation, and data loss prevention. If the attackers have already evaded EPP and EDR tools and compromised an internal system, technology like cyber deception plays a valuable role in detecting lateral movement and protecting applications from unauthorized access. Additionally, data loss prevention capabilities can stop employees (or attackers) from saving sensitive information to personal devices.
Improving lateral movement detection is vital. After the initial compromise of a network, there is a dark period of lateral movement and privilege escalation before the data protection tools detect anything. This lack of visibility means that there is no detection mechanism present until the tail end of the attack, which may be too late. Most security controls will also have challenges pinpointing attack path vulnerabilities and the attacker's tactics, techniques, and procedures (TTPs). Unless the organization has a mechanism to record an attacker's activity during a live attack (like a decoy or engagement environment), it can be difficult for security teams to understand the attack methods, their objectives, and how broad a footprint the attacker has established.
To this end, it is vital to have visibility into attack paths to essential assets and into network activity, including devices coming on or off the network and the discovery of shadow admin accounts. This sort of credential tracking is more important than ever, and having the correct tools in place can stop a breach before it succeeds. Decoys can also record and replay attacks for better correlation of attack activities and for gathering company-specific threat intelligence.
The spike in remote employees underscores the need to boost VPN security, as new traffic patterns amid remote work have shattered traditional activity baselines and made suspicious behavior harder to identify. This need also applies to cloud security, since much of the remote work uses PaaS, SaaS, and IaaS accounts to collaborate between sites. Decoy systems and accounts can also identify unauthorized attempts to gain credential or administrative access to the VPN network segment or cloud service, giving organizations visibility into suspicious activity in those areas.
Active Directory is also a prime target, and the ability to track unauthorized AD queries from endpoints is critical. Attackers target AD because it contains all the information, objects, and accounts they need to compromise an enterprise network, and such activity is difficult to detect. Detection capabilities that alert on unauthorized queries and misinform attackers can be instrumental in derailing this form of attack.
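The credential tracking, decoy accounts, and unauthorized-AD-query detection described in the three paragraphs above can be reduced to a small detection routine. The example below is added here for illustration and is not Attivo's product code or anything from the original article. It runs over a handful of constructed Windows Security event records (simplified to a few JSON fields; the field names, decoy account names, IP addresses, and timestamps are all assumptions) and raises two kinds of alert: any Kerberos or logon event that names a decoy account, and any single endpoint that requests service tickets for an unusual number of distinct service accounts within a short window.

```python
"""Detect touches of decoy AD accounts and bursts of service-ticket requests.

Added example, not Attivo Networks code. Event IDs are the real Windows
Security IDs (4624/4625 logon success/failure, 4768 Kerberos TGT request,
4769 Kerberos service ticket request); the JSON field names are a
simplification of the real event schema and are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy (honey) account names are assumptions; a real deployment picks its own
# and never uses them for legitimate work, so any touch is suspicious.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_legacy"}

KERBEROS_EVENTS = {4768, 4769}
LOGON_EVENTS = {4624, 4625}

# Constructed sample records: one normal user, one endpoint (10.0.5.77) that
# touches both decoys and then asks for tickets to five services in 30 seconds.
SAMPLE_EVENTS = [
    '{"time": "2020-06-15T09:00:00", "event_id": 4624, "account": "alice", "source_ip": "10.0.5.21"}',
    '{"time": "2020-06-15T09:00:05", "event_id": 4769, "account": "alice", "source_ip": "10.0.5.21", "service": "cifs/fileserver"}',
    '{"time": "2020-06-15T09:14:02", "event_id": 4768, "account": "svc_backup_admin", "source_ip": "10.0.5.77"}',
    '{"time": "2020-06-15T09:14:10", "event_id": 4625, "account": "HELPDESK_LEGACY", "source_ip": "10.0.5.77"}',
    '{"time": "2020-06-15T09:15:00", "event_id": 4769, "account": "bob", "source_ip": "10.0.5.77", "service": "MSSQLSvc/db01"}',
    '{"time": "2020-06-15T09:15:04", "event_id": 4769, "account": "bob", "source_ip": "10.0.5.77", "service": "http/intranet"}',
    '{"time": "2020-06-15T09:15:09", "event_id": 4769, "account": "bob", "source_ip": "10.0.5.77", "service": "cifs/fileserver"}',
    '{"time": "2020-06-15T09:15:15", "event_id": 4769, "account": "bob", "source_ip": "10.0.5.77", "service": "ldap/dc01"}',
    '{"time": "2020-06-15T09:15:30", "event_id": 4769, "account": "bob", "source_ip": "10.0.5.77", "service": "host/printsrv"}',
    '{"time": "2020-06-15T09:20:00", "event_id": 4624, "account": "bob", "source_ip": "10.0.5.33"}',
]


def parse_events(lines):
    """Turn JSON lines into dicts with a datetime in the 'time' field."""
    events = []
    for line in lines:
        record = json.loads(line)
        record["time"] = datetime.fromisoformat(record["time"])
        events.append(record)
    return events


def decoy_account_alerts(events, decoys=DECOY_ACCOUNTS):
    """Alert on every logon or Kerberos event that names a decoy account.

    Account names are compared case-insensitively because AD itself is.
    """
    watched = KERBEROS_EVENTS | LOGON_EVENTS
    return [
        {"time": e["time"], "event_id": e["event_id"],
         "account": e["account"].lower(), "source_ip": e["source_ip"]}
        for e in events
        if e["event_id"] in watched and e["account"].lower() in decoys
    ]


def service_ticket_burst_alerts(events, window=timedelta(seconds=60), threshold=4):
    """Alert when one source asks for tickets to >= threshold distinct services
    inside a sliding time window; the threshold is a tuning assumption."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769:
            by_source[e["source_ip"]].append((e["time"], e["service"]))

    alerts = []
    for source_ip, requests in by_source.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"source_ip": source_ip, "window_start": start,
                               "distinct_services": len(services)})
                break  # one alert per source endpoint is enough
    return alerts


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for alert in decoy_account_alerts(parsed):
        print("DECOY ACCOUNT TOUCHED:", alert)
    for alert in service_ticket_burst_alerts(parsed):
        print("SERVICE TICKET BURST:", alert)
```

Both detections are deliberately low-noise: a decoy account has no legitimate users, so a single event is enough to alert, while the burst rule only fires when one endpoint fans out across many services at once, which is the kind of lateral-movement reconnaissance the article says traditional endpoint tools tend to miss.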
Layered Defenses Secure the Present and the Future
To invoke a sports analogy, you can't spike the football before you get to the end zone. There remains a legitimate likelihood that attackers are actively lurking in networks. The situation underscores the importance of layered defenses that force attackers to jump as many hurdles as possible to conduct their attacks. Attackers have taken advantage of the unfamiliar remote working situation to enter corporate networks, so it is vital to have protections in place to detect their lateral movement within those networks and stop them before harm can be done.
About the Author
Carolyn holds the roles of Chief Deception Officer and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Carolyn is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operations, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift from a prevention-based cybersecurity infrastructure to one of an active security defense based on the adoption of deception technology.