Cybersecurity is a constant game of cat and mouse, with attackers and defenders locked in a perpetual race to find, exploit and patch vulnerabilities. With most of the world still working remotely, and by all indications looking to stay that way for the foreseeable future, it’s no surprise that attackers have locked onto compromising remote access tools. Based on what we’ve learned from our threat intel analysts, incident response teams and customers, we’ve compiled several findings, as well as best practice recommendations for securing remote user access.
Credentials are the holy grail for attackers – achieve legitimate user access, and you’re free to move about a corporate network undetected. Any activity the attacker then performs is cloaked under the guise of legitimate user behavior. This is made worse by traffic encryption, which shields the attacker from inspection by most network security tools. If the headlines are any indication, it’s clear that attacks leveraging VPNs and remote access tools are on the rise. This year’s Oldsmar, Florida water plant hack was the result of a lack of cybersecurity precautions and best practices being in place. SolarWinds, in part, leveraged stolen passwords and two-factor authentication (2FA) bypass. Then there are compromises of the VPNs themselves, including recent disclosures about zero-days in Fortinet and Pulse Secure. According to the Department of Homeland Security, the DarkSide ransomware group, responsible for the Colonial Pipeline attack, has been leveraging vulnerable remote access infrastructure to compromise organizations. Among the recommendations DHS makes are limiting user access to remote desktop software and implementing strong authentication.
The challenge for today’s defenders is that they have data everywhere and much of it is in third-party software-as-a-service (SaaS) applications outside of corporate-owned data centers. Employees connect directly to SaaS applications, bypassing any sort of security inspection done at corporate headquarters. Even for those organizations that connect back to headquarters, most traffic is encrypted and uninspected. Microsoft Remote Desktop Protocol (RDP), Secure Shell (SSH) and Virtual Network Computing (VNC) remain popular, along with a host of open source VPNs. Most organizations rely heavily on personally owned devices, leveraging a combination of these remote access methods together.
With devices and applications which you don’t own managing the data that you do own, it’s easy to see how security becomes problematic. The explosion in the use of personally owned devices during COVID expanded the attack surface for every organization almost overnight. Performing incident response is also difficult, especially if the point of origin of the attack was an unmanaged, employee-owned device. Forensic data can only be obtained from the internet service provider or with the user’s consent. Attacks that leverage multiple, chained exploits can require retrieving logs from the cloud provider, the endpoint owner, the ISP – and then correlating all of that with any data the organization actually owns. When you factor in the number of ways an unmanaged device can access corporate networks – direct to application, tunneling protocols and VPN – you can see how attacker dwell time can easily swell into the better part of a year undetected.
Most personally owned devices have lax or nonexistent security controls compared to corporate devices. The barrier to entry for attackers is consequently much lower. Spear phishing, hacked home routers (which may be unpatched or using weak security controls), or unpatched, vulnerable applications on the endpoints themselves are all routinely seen by our incident response teams. Small and medium-sized businesses often leverage BYOD at scale, finding it cost prohibitive to issue managed devices; compromised remote access is particularly damaging for them.
Although some organizations have implemented deny and allow lists, Web Application Firewalls (WAFs) and Cloud Access Security Brokers (CASBs) to secure SaaS apps, synchronizing policies across these tools is a manual effort that remains inconsistent. It’s not uncommon for security teams to be completely unaware of which users have credentialed access to third-party applications or those with super-user privileges. While many organizations have begun implementing 2FA, they often fail to implement the practice for corporate email, such as Microsoft Exchange or Gmail. This oversight offers an easy entry point for attackers. Others fail to implement uniform authentication or security controls on their SaaS applications, like GSuite or Office 365.
If there’s a lesson to be learned from a year of remote access abuse, it’s that visibility remains the single biggest challenge. Although the ideal solution is to manage all remote access through a single, global service edge that combines networking and security, there are some steps organizations should take immediately to secure themselves. They follow the defense-in-depth principle: a multi-layered remote access security approach that provides redundant layers of inspection and enforcement.
We recommend the following:
- Centralized Visibility and Control: Know who’s accessing your data; where it’s stored; its level of sensitivity – and log network traffic where you can. When was the last conversation your network architects had with security teams? How are users connecting to your data? Can you see and log that traffic? If you use multiple point security products, how are you correlating data?
- Identity-Based Authentication: 2FA/MFA is a start, and it can’t be overstated how few organizations implement this consistently. Provision and control access to resources based on what a user needs to know and the level of sensitivity of the data. For organizations leveraging unmanaged devices, have the ability to quickly cut remote access to users if malicious activity is discovered.
- Uniform Security Policies: Enforce security policies on all corporate-owned, and third-party applications regardless of where the data resides. You might not own the infrastructure, but you own the data. If a user leaves the company, what’s your process for removing remote access? Can they still access any SaaS applications? Can they still connect to your network?
- Granular, Role-Based Access: Only give a user access to the data they absolutely need for their job. When the worst occurs, you can limit the blast radius to just a handful of applications rather than an entire network. Restrict access based on the type of device (e.g., patched, AV running) and the location (e.g., public Wi-Fi) they are connecting from.
- Post-Connect Threat Monitoring: When all else fails, and an attacker is able to bypass MFA and identity-based access control, you can still detect them based on the activity they perform once connected. You can’t control what zero-day exploits will emerge, but you can quickly identify and minimize their impact.
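The last two recommendations, role-based access gated on device posture and post-connect monitoring, shown together as an added Python example (not code from the original article or any product it mentions). The role grants, posture rules and the VPN/RDP log lines are constructed for illustration; a real deployment would read them from its identity provider, endpoint agent and VPN gateway.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: which apps each role may reach, and the device posture
# every session must present (patched OS, endpoint AV running).
ROLE_APPS = {"finance": {"erp", "mail"}, "engineer": {"git", "mail"}}
POSTURE_REQUIRED = {"patched": True, "av_running": True}

@dataclass
class Session:
    user: str
    role: str
    app: str
    patched: bool
    av_running: bool
    network: str  # "corp", "home" or "public_wifi"

def authorize(s: Session) -> tuple:
    """Granular access: the role must grant the app AND posture must pass.
    Constructed rule: from public Wi-Fi only mail is allowed."""
    if s.app not in ROLE_APPS.get(s.role, set()):
        return False, "role does not include app"
    for attr, wanted in POSTURE_REQUIRED.items():
        if getattr(s, attr) != wanted:
            return False, f"device posture failed: {attr}"
    if s.network == "public_wifi" and s.app != "mail":
        return False, "sensitive app blocked from public wifi"
    return True, "allowed"

# Constructed VPN/RDP events, one per line: "time user event target".
SAMPLE_LOG = """\
09:00 alice vpn_connect gw1
09:02 alice rdp srv-hr-01
09:03 alice rdp srv-fin-02
09:03 alice rdp srv-db-07
09:04 alice rdp srv-dc-01
09:10 bob vpn_connect gw1
09:15 bob rdp srv-eng-03
"""

def rdp_fanout_alerts(log: str, max_hosts: int = 3) -> dict:
    """Post-connect check: report users reaching more than max_hosts distinct
    hosts over RDP. A stolen credential that passes MFA still has to touch
    many machines to find its objective; a real user rarely does."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        _time, user, event, target = line.split()
        if event == "rdp":
            hosts[user].add(target)
    return {u: len(h) for u, h in hosts.items() if len(h) > max_hosts}
```

The posture check denies before any data is reached, while the fan-out check catches the case the text describes where authentication has already been bypassed.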