As enterprises enforce remote working – at short notice – they face the question of how will their security teams identify bad actors and vulnerabilities in a time of massive user behavior change?
1.Log all remote access events.
Attribute events to the associated user and monitor for anomalies using security monitoring tools such as security information and event management (SIEM) and/or user and entity behavior analytics (UEBA).
2. Monitor your data exfiltration points.
Users will need to download data to their machines in order to work from home. It is critical to monitor, attribute, and analyze logs from key exfiltration points – including VPN session logs, data loss prevention (DLP) solutions, Microsoft Office 365, Box, and other data sharing solutions, as well as email gateways such as Cisco ESA (IronPort) or Proofpoint – in order to detect any malicious exfiltration attempts.
3. Log access events and transactions for your critical applications and analyze them for anomalies.
Typically, the focus of security teams is on protecting the network, they seldom look at applications. However, with application access moving out of the corporate network, application security becomes paramount, even more than network security.
4. Monitor user entitlement (user access) details.
Monitor both Active Directory as well as other critical applications. Analyze for anomalies such as terminated user accounts that may still be active, sudden privilege escalations, and the use of dormant accounts.
5. Monitor for credential sharing.
Employees may be tempted to share credentials in order to get quick access and avoid lengthy access request processes. Monitor specifically for land speed anomalies such as a user simultaneously logging in from multiple locations, or a user badged into an office but logging in remotely.
6. Monitor remote access devices.
In addition to proactively monitoring your internet-facing RDP/VPN infrastructure, we recommend leveraging the NIST guidance regarding securing enterprise and telework access to implement the additional required controls to help further mitigate the risks associated with malicious threat actors possibly obtaining and exploiting RDP shop-based access credentials.
7.Ensure that your internet-facing VPN/RDP servers are up to date.
Also, make sure that they are ready for spikes in remote access activity depending on your current situation.
8. Beware of COVID-19/Coronavirus-related phishing schemes and fake alerts/health advisories.
We’ve been observing malicious phishing implants increasingly evading sandboxing/detonation. Our recommendation is to implement a more in-depth “Assume Breach” approach in your environment. If your IOC (Indicators of Compromise) and sandbox-based checks fail, make sure you have checks and monitoring in place for staging/post-exploitation detection.
9. Enforce multi-factor authentication where possible.
Dictionary attacks is the most common way of compromising credentials on internet facing devices. With the increase in remote access for employees, contractors, and business partners, you should consider enforcing strong authentication and authorization controls to minimize the risk of compromise.
10. Enforce peer based and segregation of duty (SOD) checks.
With a large number of employees requesting remote access, the business is likely to push to allow employees as much access as possible in order to avoid business disruption. However, it is important for security and IT teams to maintain SOD and peer-based checks to ensure that the access granted is aligned to the job role of the employee.