As COVID-19 cases decline and stay-at-home restrictions are loosened, people will begin to venture back to work, school, and their social calendars. Just as when businesses closed a few months ago and sent their workers home, we expect this transition back to the office to bring an increased threat of criminal and malicious cyber activity. Bad actors take advantage of the instability and distraction that accompany change, as they always do. They will also take advantage of technical weaknesses opened simply by businesses converting from an office to a work-from-home environment, and then back again.
For example, for the last few months, workers have used their computers on their home networks, often the same network their kids use for gaming and other personal activity. To complicate matters, there has been a recent spate of malware attacks on home routers. A compromised device on a home network gives an attacker a foothold from which to move laterally to the corporate laptop sitting beside it. Malware that infected an employee's corporate computer at home but has lain dormant may become active once that computer reconnects to the corporate domain. This is particularly likely if, during the office closure, computers connected from home to the corporate domain without adequate protections and without validation that security criteria were met for each incoming connection: that the connection came over a virtual private network (VPN), that the computer was receiving regular operating system patches, and that its antivirus software and signatures were up to date.
Many organizations have not managed all employees' computers adequately while they were working remotely; remote management of backups, antivirus updates, patches, and software versioning has been difficult. When employees begin to return, the volume and complexity of all of that deferred maintenance happening at the same time will put significant stress on every part of the corporate IT organization. Companies should have a plan to deal with this pent-up maintenance rush in a way that does not create openings for attackers.
Advanced persistent threats (APTs) are another concern as businesses return to the workplace, since they are often delivered through phishing schemes, which work best when recipients are operating outside their normal routines. The APT is a nebulous term. Generally described as a “stealth by design” network threat, an APT gains unauthorized access to a network and remains undetected for an extended period; the stealth and persistence are not ends in themselves but the means by which the attacker stays in place long enough to reach an objective.
An APT seeks not only to persist but to inspect its host and move laterally through the organization in order to elevate its privileges, find specific data, and remain hidden until a predetermined goal is achieved. Every major business sector has recorded attacks by advanced actors with specific goals: to steal, to spy, or to disrupt.
Most APTs are delivered the same way ransomware is: via social media and email campaigns such as spear-phishing of selected employees or whaling of executives and other high-value individuals at a company. An APT may sit quietly for a day or for months before moving laterally or executing another malware package designed to cause harm. Often it will establish some form of command-and-control channel. All of this is much easier to accomplish if employees have been working from home without adequate monitoring and protection in place.
It would not be a heroic feat for an attacker to slip such advanced malware past antivirus engines by encrypting it or by running it only in memory, either of which can be difficult to detect. Although this can happen whether the computer is at home or on the corporate domain, the risk is exacerbated in a work-from-home environment where some companies have not been able to manage employees' computers as closely. An attacker can thus establish persistence on a corporate computer used from home, where the implant lies in wait until a specific environmental condition is met: a particular date when all employees will be back in the office, a default gateway address showing that the computer is now inside the corporate network, or access to certain file types or internet locations. A computer that connected to the corporate network only through a virtualized desktop during the closure would then fire its payload when the office reopens and it connects directly to the corporate network again.
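The gateway-keyed trigger described above leaves a detectable pattern: a binary that has never been seen before starts running minutes after the host's default gateway switches to a corporate address, and then talks to an outside host. The following is an added example, not code from the original article, that hunts for that pattern over constructed endpoint telemetry (the log format, the 10.20.0.0/16 corporate range and the 30-minute window are all assumptions for illustration).

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed corporate address space and detection window (hypothetical values).
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WINDOW = timedelta(minutes=30)

# Constructed endpoint telemetry, not real logs. One event per line:
#   <timestamp> <host> netchange gateway=<ip>
#   <timestamp> <host> process <path>
#   <timestamp> <host> netconn dst=<ip:port> proc=<path>
TELEMETRY = r"""
2020-05-04T08:55:00 LAPTOP-17 netchange gateway=192.168.1.1
2020-05-04T09:02:00 LAPTOP-17 process C:\Windows\System32\svchost.exe
2020-05-04T09:10:00 LAPTOP-17 process C:\Windows\explorer.exe
2020-06-15T08:01:00 LAPTOP-17 netchange gateway=10.20.0.1
2020-06-15T08:02:00 LAPTOP-22 netchange gateway=10.20.0.1
2020-06-15T08:03:00 LAPTOP-17 process C:\Windows\System32\svchost.exe
2020-06-15T08:05:00 LAPTOP-22 process C:\Windows\System32\svchost.exe
2020-06-15T08:06:00 LAPTOP-17 process C:\ProgramData\cache\sync.exe
2020-06-15T08:07:00 LAPTOP-17 netconn dst=203.0.113.45:443 proc=C:\ProgramData\cache\sync.exe
2020-06-15T09:30:00 LAPTOP-22 process C:\Users\jdoe\setup.exe
"""


def is_corporate(ip_text):
    """True if the address falls inside the assumed corporate ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CORP_NETS)


def parse(text):
    """Turn the constructed telemetry into (timestamp, host, kind, fields) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(" ", 3)
        if kind == "process":
            fields = {"path": detail}  # the whole remainder is the executable path
        else:
            fields = dict(kv.split("=", 1) for kv in detail.split(" "))
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    events.sort(key=lambda e: e[0])
    return events


def find_sleepers(text):
    """Flag binaries that first run on a host shortly after it rejoins the corporate network.

    Prevalence is tracked fleet-wide, so a binary already common on other managed
    hosts is not flagged merely because this particular host never ran it before.
    """
    seen = set()      # executable paths observed anywhere in the fleet so far
    rejoined = {}     # host -> time of its latest switch to a corporate gateway
    alerts = {}       # (host, path) -> details of the suspicious first execution
    for ts, host, kind, f in parse(text):
        if kind == "netchange":
            if is_corporate(f["gateway"]):
                rejoined[host] = ts
            else:
                rejoined.pop(host, None)  # left the corporate network again
        elif kind == "process":
            path = f["path"]
            t0 = rejoined.get(host)
            if t0 is not None and ts - t0 <= WINDOW and path not in seen:
                alerts[(host, path)] = {"first_seen": ts, "external_dst": None}
            seen.add(path)
        elif kind == "netconn":
            key = (host, f["proc"])
            dst_ip = f["dst"].rsplit(":", 1)[0]
            if key in alerts and not is_corporate(dst_ip):
                alerts[key]["external_dst"] = f["dst"]  # candidate command-and-control beacon
    return alerts


if __name__ == "__main__":
    for (host, path), info in find_sleepers(TELEMETRY).items():
        print(f"{host}: {path} first ran at {info['first_seen']} after rejoining; "
              f"external connection: {info['external_dst']}")
```

In the constructed data only LAPTOP-17's sync.exe is flagged: svchost.exe on LAPTOP-22 is already known from the fleet baseline, and setup.exe on LAPTOP-22 starts well outside the window. In a real deployment the baseline would be seeded from EDR prevalence data rather than from the same log stream, and the window tuned to how long users take to log in and start their normal applications.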
We can predict that criminals will seek to exploit the weaknesses introduced by transitions between office and home. Information security professionals can be proactive by strengthening their security monitoring and detection capabilities before the shift back to the workplace. Staggering return-to-work schedules also avoids an en masse return of employees to the office, giving IT staff and their tools the time they need to scan the resulting volume of telemetry and remediate the vulnerabilities they uncover.
We recommend that companies address how they manage the security of company computers while in the hands of employees working from home. For example, they should implement basic hygiene such as antivirus scans and network traffic monitoring, and deploy a network access control (NAC) platform so that unauthorized or non-compliant computers cannot gain access to the company network. These measures should cover not only VPN connections but also connections to cloud services. Companies should also consider a bastion host: a company-owned, on-premises virtual machine through which remote computers reach internal resources, so that no remote computer connects directly to anything on the company domain.
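The posture criteria mentioned earlier (VPN or NAC-authenticated path, current OS patches, current antivirus) are exactly what an access-control point should evaluate before a returning computer is let onto the production network. As an added example that is not part of the original article, the following sketches that decision for a batch of returning devices; the device record fields, the thresholds, and the sample inventory are all constructed for illustration and would come from the organization's own management and NAC systems in practice.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy thresholds; real values come from the organization's standards.
MAX_PATCH_AGE = timedelta(days=30)   # OS patches must have been applied within this window
MAX_AV_AGE = timedelta(days=7)       # antivirus signatures must be at most this old


@dataclass(frozen=True)
class Posture:
    """Facts the access-control point knows about a connecting computer (constructed schema)."""
    host: str
    managed: bool            # enrolled in corporate device management
    over_vpn_or_nac: bool    # arrived over the VPN or an 802.1X-authenticated office port
    last_os_patch: date
    av_signature_date: date
    av_realtime_on: bool


def evaluate(p: Posture, today: date):
    """Return (decision, reasons), where decision is 'allow', 'quarantine' or 'deny'.

    'deny' is for devices we cannot account for at all; 'quarantine' places a known
    device on a remediation-only segment until it has been brought current.
    """
    if not p.managed:
        return "deny", ["device is not enrolled in management"]
    reasons = []
    if not p.over_vpn_or_nac:
        reasons.append("connection did not come through VPN or NAC")
    if today - p.last_os_patch > MAX_PATCH_AGE:
        reasons.append(f"OS patches are {(today - p.last_os_patch).days} days old")
    if today - p.av_signature_date > MAX_AV_AGE:
        reasons.append(f"AV signatures are {(today - p.av_signature_date).days} days old")
    if not p.av_realtime_on:
        reasons.append("AV real-time protection is disabled")
    return ("allow" if not reasons else "quarantine"), reasons


def triage(devices, today):
    """Sort a batch of returning devices into allow, quarantine and deny buckets."""
    buckets = {"allow": [], "quarantine": [], "deny": []}
    for p in devices:
        decision, reasons = evaluate(p, today)
        buckets[decision].append((p.host, reasons))
    return buckets


# Constructed sample devices, not real inventory data.
TODAY = date(2020, 6, 15)
DEVICES = [
    Posture("LAPTOP-01", True, True, date(2020, 6, 10), date(2020, 6, 14), True),
    Posture("LAPTOP-02", True, True, date(2020, 3, 20), date(2020, 4, 2), True),
    Posture("LAPTOP-03", True, False, date(2020, 6, 12), date(2020, 6, 15), False),
    Posture("UNKNOWN-7", False, True, date(2020, 6, 1), date(2020, 6, 1), True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(DEVICES, TODAY).items():
        for host, reasons in hosts:
            print(f"{bucket:10} {host:10} {'; '.join(reasons)}")
```

The quarantine bucket is what makes a staggered return workable: a device that simply missed three months of patching is not refused outright, it is steered onto a segment where the only reachable services are the patch, antivirus and backup servers, and re-evaluated once those complete.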