The COVID-19 pandemic has pushed the concept of remote working beyond any preconceived growth expectations. It does not appear to be a short-term situation, as many organizations and their employees benefit from this new business structure. Rightfully so, IT and security teams should be “virtual” fist-bumping to celebrate rapidly transitioning operations and, in most cases, avoiding any extensive downtime or security breach. After a momentary breath, businesses must now look to long-term operational sustainability and security. Organizations must soon revisit and reassess the security gaps or corners cut in haste to deliver services, so as not to leave convenient doors open for attacker exploitation. We have seen before that attackers seek to capitalize on times of disruption like these, both for quick wins and for establishing a foothold for a more sophisticated attack.
By Carolyn Crandall, Chief Deception Officer and CMO at Attivo Networks
An Uptick in Cyberattack Frequency
According to the FBI, cybercrime has increased 300% since the start of the COVID-19 pandemic. If there was ever a time for attackers to open their crime toolboxes, it is now. We also may not have seen the worst of things. Dwell time – the time to detect attackers within the network – currently averages months. With this in mind, advanced attackers may not have come forward yet to reveal their inside presence or to present their demands. During this next phase of supporting remote workers, organizations must have robust detection capabilities that can not only alert security teams promptly when an adversary evades prevention defenses but also deliver company-centric threat intelligence on attacker methods and targets.
Altered Employee Behavior = Unpredictable Attack Surface
With an increase in the number of remote workers and changing behavioral patterns, traditional security controls can’t reliably protect an organization’s network infrastructure or remote employees. Many organizations dramatically increased their company bandwidth to support remote operations and split-tunneled their VPNs to separate work from personal traffic. Unfortunately, this created new risks, as security tools like network firewalls, Intrusion Prevention Systems, web gateways, and others do not work well with such VPNs. With split-tunneling, employee traffic doesn’t always traverse the company network, and under these circumstances remote employees lack the same protections as onsite employees. Security teams also see increased risks, as they may not gain access to monitoring and incident response systems without creating gaps in perimeter firewalls. Additionally, detection technologies that rely on network behavior anomalies will be inaccurate, as employees connect from different networks and systems and change their baseline behaviors.
Organizations must also prepare for the risks of distracted employees working remotely on personal or unpatched home computers, which may use less-secure email services. System hygiene may also be harder to monitor, as employees may not stay current on patching or may load unauthorized software, creating risk. Many security teams fear that attackers are hiding silently within these systems, awaiting the day they connect directly to the company network.
System compromises are virtually inevitable, and organizations must prepare with a safety net that detects when compromised systems connect and the attacker attempts to swim upstream to find their target. Many organizations have learned first-hand the value of cyber deception, which provides efficient and non-disruptive “eyes inside the network” visibility into attackers across all attack surfaces and threat vectors. The concept is to create a detection net over the endpoint and a deception fabric throughout the network to discover attackers regardless of how they attack. An effective way to look at this is through the MITRE ATT&CK framework. There are 12 consolidated steps an attacker will take, from initial compromise, lateral movement, and privilege escalation to data exfiltration. Deception works to derail the attacker in 11 out of 12 of these steps. However, many find the most value in detecting lateral movement activity and closing gaps that Endpoint Detection and Response (EDR) solutions don’t cover. Network decoys are projected throughout the network, along with endpoint credentials, mapped shares, deception data, or applications that breadcrumb attackers to an engagement server, away from production assets, and alert on their presence. Notably, using the MITRE ATT&CK testing methodology, Attivo demonstrated a 42% improvement in detection rates over EDR solutions alone.
Insider Threats, Former Employees, and Third Parties
With the advent of remote working, data may also be leaving the organization in ways it was not accessed or stored before. Additionally, there have been unprecedented levels of employee turnover, which challenges security teams to keep up with employee or supplier access rights. It can also make traditional data loss prevention tools less effective, as the behaviors, systems, and locations of access have changed.
Deception presents a unique way to detect exposed credentials as well as policy violations associated with the unauthorized use of employee, cloud, or VPN credentials or prohibited attempts to access systems. For example, since a deception asset has no production value to employees, any attempt to scan, access, or exploit a decoy automatically triggers an alert, as does using legitimate credentials on a decoy application. Advanced deception can also go so far as to hide and deny access to threat actors attempting to enumerate AD, access files, folders, or network or cloud mapped drives, or fingerprint servers. Collectively, these tools arm the defender in ways that other security controls simply can’t.
Implement Tools That Enable SOCs to Do More with Less and Reduce Alert Fatigue
Simply put, we know that the new volume of security alerts is taxing security departments that are not used to the load of so many employees working remotely. Traditional prevention devices and behavior-based detection tools may not accurately do the job at the required scale.
Defenders need a new tool for their toolbox that covers the gaps, delivers actionable alerts, and augments existing controls, not more of the same. Here are some of the things that Attivo Networks does specifically to secure VPN access to corporate networks and ensure the delivery of prompt and accurate alerts.
- Provides deceptive credentials for VPN accounts on remote worker endpoints and accurately notifies of attempted
- Projects decoys into the VPN subnets for internal connections. This method provides an extremely effective tool for detecting and alerting on unauthorized scanning behavior. It is also essential to consider that most VPN deployments are in bridged mode, resulting in all connections existing on the same broadcast domain. Anyone who gains unauthorized access via VPN can take advantage of this while running network scans, ping sweeps, etc., because it would be difficult for security teams to identify the activity.
- Protects Active Directory (AD) by alerting on any attacker seeking to enumerate AD. The solution goes beyond merely alerting and responds to the unauthorized query with fake data that leads the adversary into a decoy that records telemetry.
- Delivers company-centric threat intelligence on indicators of compromise (IOC) and tactics, techniques, and procedures (TTPs) and can automate isolation, blocking, and threat hunting through native integrations with existing security infrastructure.
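The detection logic behind the first two items above (decoy VPN credentials and decoys projected into VPN subnets) can be illustrated with a small alerting rule run over sample VPN gateway log lines. This is an added example, not Attivo Networks’ code; the log format, decoy account names and decoy host addresses are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: accounts planted on endpoints and decoy hosts
# projected into the VPN subnet. These are hypothetical, not real names.
DECOY_ACCOUNTS = {"svc-backup-vpn", "rdp-admin2"}
DECOY_HOSTS = {"10.20.5.50", "10.20.5.51"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Alert:
    severity: str
    reason: str
    line: str

def parse(line: str) -> dict:
    """Parse a constructed 'ts host event k=v k=v ...' log line into a dict."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return {}
    fields = {"ts": parts[0], "host": parts[1], "event": parts[2]}
    fields.update((k, v.strip('"')) for k, v in KV_RE.findall(parts[3]))
    return fields

def check(line: str):
    """Return an Alert when a decoy credential or decoy host is touched."""
    f = parse(line)
    if f.get("event") == "auth" and f.get("user") in DECOY_ACCOUNTS:
        # A decoy credential has no legitimate use, so any attempt alerts; a
        # successful login means the planted credential was harvested and replayed.
        sev = "critical" if f.get("result") == "success" else "high"
        return Alert(sev, f"decoy credential {f['user']} used from {f.get('src')}", line)
    if f.get("event") == "conn" and f.get("dst") in DECOY_HOSTS:
        # Nothing legitimate talks to a decoy, so a connection is a scan or a probe.
        return Alert("high", f"decoy host {f['dst']} contacted from {f.get('src')} on port {f.get('dport')}", line)
    return None

def scan(lines):
    """Run the rule over an iterable of log lines; return the alerts raised."""
    return [a for a in (check(line) for line in lines) if a]

# Constructed sample log: one normal login, one decoy credential tried then
# replayed successfully, one probe of a decoy host, one normal connection.
SAMPLE_LOG = """\
2020-05-04T09:12:01Z vpn-gw auth user=alice src=203.0.113.7 result=success
2020-05-04T09:12:45Z vpn-gw auth user=svc-backup-vpn src=198.51.100.23 result=failure
2020-05-04T09:13:02Z vpn-gw auth user=svc-backup-vpn src=198.51.100.23 result=success
2020-05-04T09:14:10Z vpn-gw conn src=10.20.7.14 dst=10.20.5.50 dport=445
2020-05-04T09:14:11Z vpn-gw conn src=10.20.7.14 dst=10.20.1.9 dport=443
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.severity, alert.reason)
```

Because the decoy inventory is the whole rule, this kind of alert carries none of the baseline-drift false positives that behavior-based detection suffers when remote workers change networks.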
While it is impossible to prevent adversaries from attacking a company, using deception technologies will provide early and accurate detection of threats, visibility into attacker lateral movement, and the opportunity to pre-emptively derail attackers before they establish a foothold or conduct their exploit. Now more than ever, security teams need to know what is lurking in their networks, and as such need the proper tools in place to do so accurately.
About the Author
Carolyn Crandall holds the roles of Chief Deception Officer and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.