Is Your SOC Ready to Secure a Remote Workforce?

As many enterprises grapple with the sudden shift to an entirely remote workforce, the security operations center now faces the challenge of securing a vastly greater share of devices outside of the traditional on-premises network. Bad actors are looking to take advantage of users’ unfamiliarity with their new working conditions. The types, volumes, and sources of threats have evolved rapidly in recent weeks as a result. Hackers often use current events and fear to create a sense of urgency, luring users into opening attachments and clicking links.

Common Hacker Tactics in a Remote Workforce

Phishing

One method hackers are using is sending phishing emails that appear to contain relevant information about the coronavirus. Phishing campaigns entice recipients with information on how to protect themselves from the coronavirus, delivered as an attachment, such as a Microsoft Office document, or as a link to malware. Variants such as Emotet or Lokibot can be the final delivered payload, but other ransomware, trojan, or bot variants are common. Successful execution can result in a disruption of business-critical systems, credential theft, or crypto mining.

Browser Exploits

In the last couple of weeks, the number of domains registered with coronavirus-related terms has spiked, with ~1000 registrations a week since early February, according to Check Point Research. Hackers use fake information sites, including fake coronavirus maps, to solicit personal information and use browser exploits to inject malware directly onto users’ systems. One common malware seen with fake coronavirus maps is AZORult, a family of spyware that steals data like login credentials and banking information, and acts as a command-and-control to download additional malware.

Protecting Newly Remote Users

During the webinar, we discussed the SOC’s detection methods for recognizing these types of tactics, with the added challenge of gaining visibility into remote systems. With many enterprises leveraging SaaS solutions, remote users will often not be on a VPN when accessing corporate applications or data. This also means their traffic is not passing through traditional preventative security solutions such as NGFW/IPS, nor is it leveraging internal DNS.

While some enterprises may elect to push all users onto a full VPN to regain elements of visibility and control, the additional capacity and expense mean this will not be a common option.

The webinar covered different solution types around areas such as:

User Awareness

What types of communications provide optimal cyber security awareness and education? While many users may have temporarily worked at home previously, they will be unfamiliar and perhaps initially uncomfortable with working from home full time. Security is in an ideal role to provide guidance, set expectations, and create awareness of the threats they may encounter.

Endpoint Agents

How can existing technology be utilized more optimally with your remote users? How can Endpoint Protection Platforms (EPP) or Endpoint Detection and Response (EDR) be fully leveraged for host intrusion prevention, threat detection, and forensic investigation?

Vulnerability Management

How can vulnerabilities be recognized and managed across remote systems?

Additional Monitoring

Unfortunately, the baselines gathered either through machine learning or from manual daily analysis are no longer valid. How can new norms be established?
