Due to the communicability of COVID-19, organizations are having to rapidly adapt to limit contact and the risk of person-to-person contamination. Over the past several weeks, organizations around the world have instituted or enhanced their work-from-home policies.
Business units and functions that have never operated remotely before are now required to run in a fully remote mode. It is no surprise, then, that there are security concerns about the risks involved in granting remote access to many more workers so quickly.
As their remote workforce grows, organizations may opt to modify their remote access standards such as removing IP address whitelists, allowing unmanaged devices and moving to a split tunneling solution. Any of these configuration changes should be weighed against new organizational threats and risk appetite.
To help organizations through this decision-making process, FireEye experts have modeled some of the most common approaches to remote access for analysis and review.
The simplest and least secure remote access method, direct access exposes networking protocols such as Microsoft Remote Desktop Protocol (RDP) to the Internet. This is the highest risk method of providing remote access. Most mature organizations prohibit direct access through firewall configurations and restrictions, but even so, security teams must be cognizant of shadow IT operations on third party services and unmanaged cloud platforms.
Traditional threat mechanisms used to gain access to externally facing services include network scanning of external ports and exploitation through brute forcing, credential spraying and spear phishing. They will continue to require monitoring, and their risk is heightened when organizations allow unmanaged devices to have direct access to the network.
Given the lack of controls and risk of the direct access model in exposing RDP and other remote protocols to the Internet, enterprise organizations have centralized remote access to a few technologies. This implementation enables improved access management, logging and security controls. It is most commonly implemented through a VPN solution or a virtualized desktop interface. VPN solutions can be operationalized as a full tunnel solution or split tunnel. With the significant increase in remote connectivity, many organizations that were full tunnel may migrate to split tunnel to reduce bandwidth.
Risks posed to both VPN and virtualized access include unauthenticated attacks, compromised credentials and compromised systems. Attackers often chain control deficiencies together, which allows them to exploit initial access to a VPN or virtualized desktop to gain further access.
Employees will continue to be targeted in phishing emails on a regular basis. In the current climate, security teams should validate that endpoint visibility (of new users and third parties) remains consistent for remote users.
Once an attacker gains access to a remote access solution, be it VPN or a virtualized desktop solution, they will likely attempt to gather credentials and move laterally. To counter them, organizations should ideally restrict network access resources to those that are necessary to perform duties specific to assigned roles.
Fortunately, many organizations have implemented MFA to reduce the success of brute forcing and credential spraying attacks. However, employees should be trained to identify and report unauthorized push notifications.
Organizations often conduct limited validation checks to identify unmanaged devices, including attacker systems connecting to remote access solutions. These "posture checks" performed by VPN solutions may be bypassed by modifying VPN software responses or registry key settings. In addition to attacker systems connecting to the network, security teams should also consider that users may be connecting from unauthorized systems, which leaves security teams with limited visibility and controls.
To handle the increase in remote workers, organizations may be moving from full tunnel to split tunnel VPN configuration. Split tunneling may reduce visibility of unauthorized activity unless appropriate endpoint agents are installed and provide sufficient visibility and controls.
With entire organizations moving to a remote access model, an attacker may be able to generate multiple failed password attempts on an account and lock the user out. If the attacker scripts this action across a significant number of users, they may be able to cause a widespread account lockout.
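The two threats described above, credential spraying against a VPN portal and a scripted lockout of many accounts, both show up in the same authentication logs, so one detector can cover both. The following is an added example, not FireEye code: it parses a constructed VPN log format (the `auth user=... src=... result=...` layout, the thresholds and the window sizes are all assumptions; adapt them to your gateway's real export and your directory's lockout policy) and flags a single source failing against many distinct accounts, as well as a lockout storm where several accounts reach the lockout threshold at once.

```python
"""Detect password spraying and account-lockout storms in VPN auth logs.

Added example, not FireEye's code. Log layout, thresholds and windows are
constructed assumptions; adjust them to the real gateway export and to the
directory's actual lockout threshold.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system).
# 203.0.113.10 sprays four accounts, then hammers alice and bob to lockout;
# frank mistypes twice and then succeeds; grace logs in normally.
SAMPLE_LOG = """\
2020-03-23T08:00:00Z vpn-gw01 auth user=alice src=203.0.113.10 result=FAIL
2020-03-23T08:00:01Z vpn-gw01 auth user=bob src=203.0.113.10 result=FAIL
2020-03-23T08:00:02Z vpn-gw01 auth user=carol src=203.0.113.10 result=FAIL
2020-03-23T08:00:03Z vpn-gw01 auth user=dave src=203.0.113.10 result=FAIL
2020-03-23T08:00:04Z vpn-gw01 auth user=alice src=203.0.113.10 result=FAIL
2020-03-23T08:00:05Z vpn-gw01 auth user=alice src=203.0.113.10 result=FAIL
2020-03-23T08:00:06Z vpn-gw01 auth user=bob src=203.0.113.10 result=FAIL
2020-03-23T08:00:07Z vpn-gw01 auth user=bob src=203.0.113.10 result=FAIL
2020-03-23T08:05:00Z vpn-gw01 auth user=frank src=198.51.100.7 result=FAIL
2020-03-23T08:05:20Z vpn-gw01 auth user=frank src=198.51.100.7 result=FAIL
2020-03-23T08:05:40Z vpn-gw01 auth user=frank src=198.51.100.7 result=SUCCESS
2020-03-23T08:10:00Z vpn-gw01 auth user=grace src=198.51.100.8 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def _max_distinct_in_window(items, window):
    """items: sorted (ts, key) pairs. Return the largest set of distinct keys
    seen inside any sliding window of the given length."""
    best, counts, left = set(), Counter(), 0
    for ts, key in items:
        counts[key] += 1
        while ts - items[left][0] > window:       # drop events that fell out of the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > len(best):
            best = set(counts)
    return best


def detect_spraying(events, window=timedelta(minutes=10), min_users=4):
    """Sources whose failures touch at least min_users distinct accounts in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in by_src.items():
        users = _max_distinct_in_window(items, window)
        if len(users) >= min_users:
            hits[src] = users
    return hits


def accounts_at_lockout(events, threshold=3, window=timedelta(minutes=30)):
    """Accounts whose failed attempts in one window reach the lockout threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append((e["ts"], e["ts"]))  # unique key per event
    return sorted(u for u, items in by_user.items()
                  if len(_max_distinct_in_window(items, window)) >= threshold)


def lockout_storm(events, threshold=3, window=timedelta(minutes=30), min_accounts=2):
    """A lockout storm: at least min_accounts accounts hit the threshold together."""
    locked = accounts_at_lockout(events, threshold, window)
    return locked if len(locked) >= min_accounts else []


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("spraying sources:", detect_spraying(EVENTS))
    print("accounts at lockout:", accounts_at_lockout(EVENTS))
    print("lockout storm:", lockout_storm(EVENTS))
```

The spraying check keys on the source address while the lockout check keys on the account, because the two findings call for different responses: the first is a candidate for blocking at the edge, the second is a signal that the lockout policy itself is being turned into a denial of service and that MFA, not lockout, should be the primary brute-force control.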
An emerging model of remote access is the Zero Trust model, which uses an identity provider to grant access to applications and determines authorization rights based on both the user and device. While FireEye experts have seen organizations move toward this model, legacy challenges and exceptions result in either half-implemented solutions or traditional VPN access still provisioned as a backup.
The threats posed to VPN and virtualized models also apply in a Zero Trust model. Endpoint visibility and hardening, MFA bypass techniques and denial of service are amongst the most notable threats. In the Zero Trust model, device trust is a component of authentication and authorization. Therefore, organizations should also consider:
Device trust may be established by using a certificate to validate that the device is managed by the organization. If an attacker gains access to a user's system, they should not be able to export and reuse the certificate. Solutions should include restricting users' rights to export the certificate and storing its private key within the Trusted Platform Module (TPM).
Unmanaged devices should be granted limited access to data and resources. To implement a true Zero Trust environment, such restrictions should be validated.
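The two considerations above, a device certificate that cannot simply be copied off a compromised machine and a limited tier of access for unmanaged devices, can be expressed as a single policy decision. The following is an added example and not FireEye's code or any vendor's product logic: the enrollment inventory, the posture flag stating whether a key is TPM-backed, the application tiers and the sample requests are all constructed assumptions. It evaluates user and device signals into an allow/deny decision and includes an audit function that validates the restriction the text calls for, namely that no limited-tier device is ever granted a full-tier application.

```python
"""Zero Trust access decision from user and device signals.

Added example, not FireEye's code. Inventory, posture fields, application
tiers and sample requests are constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way a cert is pinned in an inventory."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed device inventory. In practice this comes from the PKI/MDM; the
# key_in_tpm flag is asserted by the management platform, never by the client.
ALICE_CERT = b"constructed-cert-laptop-42"
BOB_CERT = b"constructed-cert-laptop-77"
ENROLLED: Dict[str, dict] = {
    fingerprint(ALICE_CERT): {"owner": "alice", "key_in_tpm": True},
    fingerprint(BOB_CERT): {"owner": "bob", "key_in_tpm": False},
}

# Constructed application tiers: "limited" apps are reachable from unmanaged
# devices, "full" apps only from managed devices with a non-exportable key.
APP_TIER = {"mail-web": "limited", "hr-portal": "full", "prod-admin": "full"}

NOW = datetime(2020, 3, 23, tzinfo=timezone.utc)  # fixed clock for reproducibility
NEXT_YEAR = datetime(2021, 3, 23, tzinfo=timezone.utc)


@dataclass
class Request:
    user: str
    mfa_verified: bool
    app: str
    cert_der: Optional[bytes] = None
    cert_not_after: Optional[datetime] = None
    now: datetime = NOW


@dataclass
class Decision:
    allowed: bool
    device_tier: str   # "full" or "limited"
    reason: str


def device_tier(req: Request) -> Tuple[str, str]:
    """Classify the device; anything that cannot be proven managed is 'limited'."""
    if req.cert_der is None:
        return "limited", "no device certificate: treated as unmanaged"
    rec = ENROLLED.get(fingerprint(req.cert_der))
    if rec is None:
        return "limited", "certificate not in enrollment inventory"
    if req.cert_not_after is None or req.cert_not_after <= req.now:
        return "limited", "device certificate expired or has no validity period"
    if rec["owner"] != req.user:
        return "limited", "certificate enrolled to a different user"
    if not rec["key_in_tpm"]:
        return "limited", "private key not TPM-backed, so it could be exported and reused"
    return "full", "managed device with TPM-backed certificate"


def evaluate(req: Request) -> Decision:
    if not req.mfa_verified:
        return Decision(False, "limited", "MFA not satisfied")
    tier, why = device_tier(req)
    required = APP_TIER.get(req.app)
    if required is None:
        return Decision(False, tier, f"unknown application {req.app}")
    return Decision(required == "limited" or tier == "full", tier, why)


def audit(reqs: List[Request]) -> List[str]:
    """Validate the restriction: return users granted a full-tier app from a limited device."""
    return [r.user for r in reqs
            if (d := evaluate(r)).allowed and APP_TIER.get(r.app) == "full"
            and d.device_tier != "full"]


# Constructed sample requests exercising each branch of the policy.
SAMPLE_REQUESTS = [
    Request("alice", True, "prod-admin", ALICE_CERT, NEXT_YEAR),   # managed + TPM: allowed
    Request("bob", True, "hr-portal", BOB_CERT, NEXT_YEAR),        # exportable key: limited
    Request("bob", True, "mail-web", BOB_CERT, NEXT_YEAR),         # limited app: allowed
    Request("carol", True, "hr-portal"),                           # no cert: limited
    Request("alice", False, "mail-web", ALICE_CERT, NEXT_YEAR),    # no MFA: denied
    Request("mallory", True, "hr-portal", ALICE_CERT, NEXT_YEAR),  # reused cert: owner mismatch
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.app, evaluate(r))
    print("audit violations:", audit(SAMPLE_REQUESTS))
```

The owner check is what limits the damage of a certificate lifted from a compromised laptop: even a valid, enrolled certificate only counts toward device trust when presented by the user it was issued to, and a software-stored key only ever earns the limited tier.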
The acceleration of a work-from-home culture introduces new risks to organizations of all sizes. While each organization needs to take their own unique circumstances into account, the sample implementations and remote access considerations identified offer a step in the right direction to keeping operations both secured and productive.
Organizations must focus on creating a strong set of protections at the edge of their networks that secure identities and applications regardless of whether they are in the corporate network or the cloud.
For more on how to reduce the ability of unauthorized access in remote working environments, access our latest webinar.