By Ross McKerchar, Chief Information Security Officer (CISO), Sophos
Cyberattackers are resourceful and opportunistic. They will move quickly to take advantage of a situation. COVID-19 is no different. There is a huge amount of global uncertainty and change right now which criminals are seeking to capitalize on. The risks are amplified by the immediate and unforeseen IT challenges that companies are having ensuring their staff can work from home.
There are two areas which are most likely to result in a cybersecurity incident due to the ongoing crisis: remote access and phishing. We’ll cover both in this article and provide a set of prioritized recommendations to expeditiously prevent, or at least mitigate, these critical issues.
By remote access I’m referring to the myriad ways organizations are allowing their employees to work from home. These range from the obvious “traditional” remote access services, such as VPN and terminal service gateways, as well as cloud-native conferencing and other collaboration tools that organizations everywhere are adopting in a hurry.
The key risk is weak authentication of your remote access services. Organizations have been battling for years to ensure services (particularly when internet-facing) are protected by multi-factor authentication (MFA) and only accessible with centrally-managed corporate accounts (typically held in Active Directory, Azure or Okta). Doing this well is a real challenge at the best of times and requires IT staff to have intricate knowledge of SAML, OpenID and various other technologies and standards that support our modern identity management. This is, of course, on top of all the legacy technologies (LDAP, RADIUS, Kerberos, etc…) that are still in place to support authentication in traditional architectures. Throw in a global crisis with IT teams worldwide scrambling to keep services accessible and it’s obvious the complexity of identity federation and MFA claims will not be top of mind. This is perfectly understandable and, in most cases, taking risk to get services online is absolutely the right decision.
With business fighting to survive, business continuity and availability should take precedence. The security problems occur for a couple of reasons. Firstly changes being made quickly on the front line may not been seen or understood by leaders in the organization better placed to evaluate the resultant risk. Secondly, even when risk assessments were made, the original premises are probably no longer correct.
Only a few weeks ago we were expecting everything to be back to normal in a month or so. It’s now becoming very clear that this new reality may be long term and the window of exposure resulting from poorly protected services could extend months, or even years. Furthermore, it’s going to be very hard for organization to go back to previous working models once employees realise you can work from home very effectively.
In short, organizations must not assume they will quickly be able to remove all these risky internet-facing services. They instead need to figure out how to secure them.
What should IT and security leaders do?
There are long term and short term fixes. Long terms fixes boil down to a zero trust approach. There is no doubt this crisis will accelerate the shift towards zero trust architectures. Unfortunately organizations cannot and should not rush in this direction as it requires large IT infrastructure investment and changes to organisational mindset to be executed successfully.
Organizations should thus focus their efforts on tactically reducing risk as quickly as possible. Primarily this means ensuring key services as protected with MFA by any means possible. This is best tackled per service. Organizations need to identify which services are most at risk and most valuable to their adversaries. For organizations with on premise infrastructure and traditional perimeter-based security these are likely to be VPNs and other remote access gateways.
For organizations with cloud infrastructure, the focus should be their identity provider (most commonly Azure or Okta). As the central point for authentication, simply enabling MFA here will get you the biggest and quickest win, especially as both Azure and Okta have integrated MFA capabilities and integrations with popular 3rd party providers such as Duo. Organizations that haven’t managed to centralise cloud identities will need to look at specific applications and see if they offer their own MFA capabilities. Mail, collaboration, CRM and ERP systems are the obvious places to start. Also consider highly-critical but less widely accessed services such as your security management tools.
Making tough trade-offs
Even these tactical options are not easy and compromises will need to be made. The exact balance of trade-offs will be different for every organisation but here are some considerations:
If you’re backhauling client traffic to scrub, allowing “Split VPNs” (where clients go direct to the internet) is the quickest way to gain capacity and likely less risky than exposing squishy, insecure internal services directly online. However this does depend on your clients having well-patched browsers and, ideally, endpoint based web-protection. Also be aware that if you have SaaS services relying on clients coming from known corporate IP addresses don’t simply turn off that control – replace it with MFA!
Centralized vs de-centralized MFA
Attaching MFA to your identity provider allows for a common experience across all applications. This is undoubtably less confusing for staff and easier to rollout. It’s also a much longer route if you don’t have a centralized identity service. Retrofitting federated identity to an existing production app can be really hard so, tactically, it may be easier to enable MFA capabilities from the service provider. This does mean staff will likely have multiple different authentication mechanisms to navigate. Not ideal but don’t forget they are used to handling this when logging on to non-work applications (internet banking, personal email, etc). Everyone is handling a lot of change right now so they may be more accommodating and resilient than you might expect!
There’s a lot of very valid concerns about SMS-based MFA. It’s also the simplest and quickest way to get MFA enabled, particularly as staff will likely be familiar with it. SMS-based MFA is still immeasurably better than no MFA. If it’s the fastest route to protecting your business, it’s very likely the right place to start. Just make sure you have a migration plan to something more secure.
If you’re spinning up new services (e.g. video-conferencing) and are unable to setup federated identity, employees are going to need to remember even more passwords. The biggest risk with this is password reuse. You can’t reasonably expect employees to remember dozens of unique passwords.
A password manager is the best tool to get around this problem. Unfortunately password managers do take some getting used to and the UX can be very confusing for non-technical staff. In a pickle, writing passwords physically down in a notebook is not the worst thing right now. It may fly in-the-face of conventional wisdom but with everyone at home, the chances of that notebook falling into the hands of an adversary is slim right now.
Just try and find a better solution – and change the passwords – before staff start travelling again!
Beyond MFA there are a couple other related remote-access risks to consider:
VPN and Remote access gateway vulnerabilities
Patching critical infrastructure probably feels risky right now. Unfortunately in the past few months there have been some very serious vulnerabilities in common remote access equipment. These vulnerabilities are being actively exploited by multiple criminal groups right now. If you have a vulnerable service you need to patch immediately. Just have a backup plan in-case the device fails to patch (especially if you’re unable to get physical access).
Endpoint security updates
Check your infrastructure to make sure that you are still receiving updates from your endpoint security provider. If you have a cloud-based management (such as Sophos Central) you’re probably ok but if not, it’s essential that your clients can reach updating services. This requires checking that your VPN allows access to your update server(s) (and that you have capacity). Don’t forget to consider clients that may not regularly connect to the VPN.
Phishing attacks using COVID-19 as a lure are the most visible and immediate cybersecurity risk in the ongoing crisis. This isn’t surprising as we’ve seen attackers use current events as a lure for many years. Unfortunately the risks this time are higher. Firstly everyone is worried and handling an unprecedented change to their daily lives. High stress situations make everyone hungry for information and less likely to objectively evaluate any message they receive.
Secondly, IT departments and service providers are bombarding us all with legitimate messages about changes to services. Combine these issues and it’s unrealistic to expect employees to accurately identify and report all attacks. You need to assume that some will get through and some staff will be duped. Accepting this allows you to focus on being resilient to attacks rather than hoping to avoid them. There’s already a lot of advice on this so I’ll briefly cover the basics:
Good news is that we’ve already covered the most important defence! Credential phishing, whereby the attackers put up a fake login page to trick staff into entering their credentials, is the most common form of phishing. MFA is a great (albeit not always perfect) form of defense against this.
This is still important. By encouraging phishing reports from staff you can warn others, and if you have a security operations team (or service), even analyse the attack to identify indicators or compromise to feed into threat hunting processes.
Endpoint and email defenses
Your security software has multiple chances at catching a phishing attack. The more chances you give it the better the overall protection:
· It can refuse to even receive the email as it knows it’s coming from spammer.
· It can scan the email and all the attachments and URLs in order to block it.
· Web filtering can block connections to malicious websites or spot a malicious payload on the site.
· Endpoint software can spot malicious files and behavior should all the previous defenses fail and the employee ends up running something malicious on their system.
The better-configured and effective all these defenses are the less likely an attacker will manage to evade everything.
Drive-by-downloads are less common nowadays but still a real risk. Patching browsers, mail clients and applications (such as Microsoft Office) which are regularly used to open attachments will limit the really nasty attacks that rely on minimal user-interaction. Lastly, there are few reasons to be running browser plugins such as Flash, Java, etc. nowadays – disable them if you possibly can, it’s much easier and safer than trying to keep them update.
Criminals are already taking advantage of COVID-19 in their cyberattacks, and remote access and phishing are the two areas most likely to result in a cybersecurity incident. We’ve covered a number of steps you can take to mitigate this risk. We also realize that time is in short supply so have compiled a list of the top seven steps we recommend all organizations take.
They are listed in priority order, so start at the top and work down.
1. Ensure all internet facing services are protected with MFA (SMS-based MFA is better than no MFA)
2. Patch remote access services – particularly VPN and terminal service gateways.
3. Monitor phishing reports and get your operations team or MTR service to hunt for associated IOCs.
4. Check remote clients are still receiving their endpoint security updates.
5. Ensure your OS, browser, email client and software commonly used to open attachments is set to update automatically.
6. Disable browser plugins such as Java, Flash and Acrobat.
7. Use identity federation to ensure all cloud services are accessed with corporate credentials.
Stay vigilant. Coronavirus-related attacks will likely ramp-up over the coming weeks and months.
If you have an interesting article / experience / case study to share, please get in touch with us at firstname.lastname@example.org