The recent revelations that Russian hackers have been stepping up ransomware attacks to exploit new work habits leave many companies needing to rethink how they approach security. Attackers have been identifying employees of companies that normally rely on the traditional networking model of strong controls at the border to ensure protection. With the dissolution of that border under full-time work from home, many of these protections have been rendered ineffective.
Employees are being identified and infected while they are not connected to their corporate networks; the malware then lies dormant until they reconnect via VPN to go about their work as normal, at which point it comes to life. If this style of attack sounds familiar, that's because it is: it is a variant of the Stuxnet approach, which relied on wide proliferation but only activated when a set of criteria was satisfied (over 200,000 infections but only 1,000 activations). The new attacks rely on infection through unsecured Wi-Fi.
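The pattern just described (quiet while off the corporate network, active as soon as the VPN comes up) is also the detection opportunity: the trigger is the VPN connect event itself. The following is an added example, not code from the original article. It correlates VPN connect events with what the same host does in the minutes that follow, flagging a process started from a user-writable path or a burst of SMB connections to several internal hosts. The event tuple format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
"""Hypothetical post-VPN-connect correlation. Added example; format and
thresholds are assumptions, and EVENTS below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, event type, detail).
EVENTS = [
    ("2020-05-04T08:00:05", "lt-042", "vpn_connect", "user=jdoe"),
    ("2020-05-04T08:00:40", "lt-042", "process_start",
     "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe"),
    ("2020-05-04T08:01:10", "lt-042", "net_conn", "dst=10.20.30.7:445"),
    ("2020-05-04T08:01:12", "lt-042", "net_conn", "dst=10.20.30.8:445"),
    ("2020-05-04T08:01:14", "lt-042", "net_conn", "dst=10.20.30.9:445"),
    ("2020-05-04T09:15:00", "lt-017", "vpn_connect", "user=asmith"),
    ("2020-05-04T09:20:00", "lt-017", "net_conn", "dst=10.20.1.5:443"),
]

WINDOW = timedelta(minutes=5)      # assumed: look this long after each connect
SMB_SCAN_THRESHOLD = 3             # assumed: distinct SMB targets that count as scanning
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")  # assumed paths


def parse(event):
    ts, host, kind, detail = event
    return datetime.fromisoformat(ts), host, kind, detail


def find_post_connect_activity(events, window=WINDOW,
                               smb_threshold=SMB_SCAN_THRESHOLD):
    """Return one alert per VPN connect that is followed, within `window`,
    by a process launched from a user-writable path or by SMB connections
    to `smb_threshold` or more distinct hosts."""
    parsed = sorted((parse(e) for e in events), key=lambda e: e[0])
    alerts = []
    for ts, host, kind, _detail in parsed:
        if kind != "vpn_connect":
            continue
        deadline = ts + window
        suspicious_procs = []
        smb_targets = set()
        for ts2, host2, kind2, detail2 in parsed:
            if host2 != host or not (ts < ts2 <= deadline):
                continue
            if kind2 == "process_start" and any(
                    p in detail2.lower() for p in USER_WRITABLE):
                suspicious_procs.append(detail2)
            elif kind2 == "net_conn" and detail2.startswith("dst="):
                addr, _, port = detail2[4:].rpartition(":")
                if port == "445":
                    smb_targets.add(addr)
        reasons = []
        if suspicious_procs:
            reasons.append(
                f"process from user-writable path: {suspicious_procs[0]}")
        if len(smb_targets) >= smb_threshold:
            reasons.append(
                f"SMB connections to {len(smb_targets)} hosts "
                "(possible lateral movement)")
        if reasons:
            alerts.append({"host": host, "vpn_connect_at": ts.isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_post_connect_activity(EVENTS):
        print(alert)
```

Only lt-042 is flagged: the laptop that was quiet off-network launched a binary from AppData and touched three SMB targets within a minute of the tunnel coming up, while lt-017 made one ordinary HTTPS connection. In practice the baseline for "new process" and "new destination" would come from the host's history rather than a fixed path list, but the correlation on the VPN connect event is the part that matters.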
We previously witnessed a high level of sophisticated reconnaissance from Russian IP address space shortly after the announcement of BlueKeep in May of 2019. After an initial flurry of contacts from Russian addresses looking for vulnerable computers, the scanning activity dropped off significantly. Whether the attackers had the data they needed or pivoted to infrastructure in other countries, it painted a very clear picture: they did not wish to be observed over the longer term. As the Russian traffic subsided, we saw a steady state begin to emerge, with several spikes over time, and a sophistication that points to a high level of organization and possibly even state sponsorship.
Employees who have access to company resources via VPN may feel that, since there is a secure method of entry to company assets, they are inherently safe when connected to that network. What they probably don't realize is that everything their machine did and picked up while not connected to the VPN comes along with it when they do connect.
Security teams have had to deal with BYOD since the advent of the smartphone, which runs on many networks outside their control. During the pandemic, company assets have moved away from the known networks and, despite being owned by the corporation, suffer all of the same issues as BYOD. The targeting of employees while they are not on the VPN, for later entry into well-protected networks, reveals that some traditional trust models are outdated and ripe for exploitation.
Tools that were designed to make remote work easier have been vetted quickly, with ease of use and efficiency as the top priority rather than security. We may be working remotely and efficiently, but we have accepted the security practices of other companies as our own. When a company depends on many technologies, its security posture is only as effective as that of its lowest-rated supplier, which can have dire consequences.
In discussions with CISOs, a recurring theme is having a more complete list of pre-vetted and alternate suppliers for cases where an existing supplier may suffer catastrophic failure. Many companies have business continuity plans, but most focus on issues with computer systems, not a societal shift to working from home. This has highlighted huge areas of weakness in the ability of companies to continue operations as normal.
The dissolving of the corporate network into many networks, each connected back to headquarters via VPN, means that corporate assets are now living alongside other devices that are riddled with adware and malware. Some of these infected devices may merely be performing unintended actions; others may be actively trying to spread laterally on the network. Computers that previously resided inside well-managed networks, with staff dedicated to keeping software up to date and threats effectively managed, are now on the same network as devices that may not have been updated since the day they were taken out of the box.
As we work our way through these times, workers need to remember that all of their activities, whether connected to a VPN or not, have the potential to impact the business in negative ways. It is the responsibility of all employees to keep a company safe, and the responsibility of the company to give the employees the tools to do so.
From a security perspective, using a VPN is no longer enough; we need to move toward a "zero trust" security model. This means that systems and people are not trusted because of their position or network location. Instead, they must be authenticated and authorized again and again as they carry out tasks, so that an attacker who has compromised a device cannot gain a foothold that may take a very long time to discover and repair.
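To make the difference between the two models concrete, here is an added example (not code from the original article) that evaluates the same access request under each. The perimeter policy asks only whether the request arrives from the VPN address pool. The zero-trust policy ignores the network entirely and decides on verified identity, session age, device posture and a per-resource authorization grant, so an infected laptop that has made it onto the VPN still gets nothing. The address range, role table, posture fields and thresholds are all assumptions, and the sample requests are constructed.

```python
"""Hypothetical access decision: perimeter trust versus zero trust.
Added example; VPN_POOL, ROLES, GRANTS, the posture fields and the
thresholds are assumptions, and the sample requests are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/16")   # assumed VPN client address range
MAX_TOKEN_AGE = 900                    # assumed: re-authenticate every 15 minutes
MAX_PATCH_AGE = 30                     # assumed: days behind on patches tolerated

# Assumed authorization data: user -> roles, and (role, resource, action) grants.
ROLES = {"jdoe": {"finance"}, "asmith": {"engineering"}}
GRANTS = {
    ("finance", "payroll-db", "read"),
    ("engineering", "git", "read"),
    ("engineering", "git", "write"),
}


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool = False
    device_managed: bool = False      # enrolled in device management
    edr_healthy: bool = False         # endpoint agent present and reporting
    patch_age_days: int = 999
    token_age_seconds: int = 0


def perimeter_decision(req):
    """The model the article calls outdated: on the VPN means trusted."""
    return ip_address(req.source_ip) in VPN_POOL


def zero_trust_decision(req):
    """Every request is judged on identity, device posture and authorization.
    Network location is deliberately not an input. Returns (allowed, reasons)."""
    denials = []
    if not req.mfa_verified:
        denials.append("identity not verified with MFA")
    if req.token_age_seconds > MAX_TOKEN_AGE:
        denials.append("session too old, re-authentication required")
    if not req.device_managed:
        denials.append("device not enrolled in management")
    if not req.edr_healthy:
        denials.append("endpoint protection not reporting healthy")
    if req.patch_age_days > MAX_PATCH_AGE:
        denials.append(f"device {req.patch_age_days} days behind on patches")
    authorized = any((role, req.resource, req.action) in GRANTS
                     for role in ROLES.get(req.user, ()))
    if not authorized:
        denials.append(
            f"{req.user} not authorized for {req.action} on {req.resource}")
    return (not denials, denials)


# Constructed sample requests.
STALE_LAPTOP = Request("jdoe", "10.8.3.4", "payroll-db", "read",
                       mfa_verified=True, device_managed=True,
                       edr_healthy=False, patch_age_days=60, token_age_seconds=120)
WRONG_ROLE = Request("jdoe", "10.8.3.4", "git", "write",
                     mfa_verified=True, device_managed=True,
                     edr_healthy=True, patch_age_days=5, token_age_seconds=60)
HEALTHY_OFF_VPN = Request("asmith", "203.0.113.9", "git", "write",
                          mfa_verified=True, device_managed=True,
                          edr_healthy=True, patch_age_days=5, token_age_seconds=60)

if __name__ == "__main__":
    for name, req in [("stale laptop on VPN", STALE_LAPTOP),
                      ("wrong role on VPN", WRONG_ROLE),
                      ("healthy device off VPN", HEALTHY_OFF_VPN)]:
        print(name, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req))
```

The laptop that came home from weeks of home Wi-Fi with its endpoint agent disabled and 60 days of missing patches is exactly the case in the article: the perimeter policy waves it through because it is on the VPN, while the zero-trust policy denies it for posture alone, and it also denies a healthy device that asks for something its role does not grant. Conversely, a well-managed device on an untrusted network is allowed, because the decision never depended on where the packet came from.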