NetWitness Community

INTRODUCTION

By now, you may have already started to work from home instead of your usual workplace, like many of your co-workers and peers. As the situation continues to evolve, there is a rapidly increasing trend for organisations to shift their employees from office to work from home. In addition to the recommendations provided in the following RSA blogs: Cyber Resiliency Begins at Home, RSA IR - Best Practices for Organizations (A Starting Point), and RSA IR - Recommendations for Users Working from Home, in this post, we will be going into further details to examine the potential challenges that cybersecurity professionals are contending with as organizations around the globe start to transit more employees from offices to work-from-home arrangements and conducting meetings through virtual means; this transformation in how we work and conduct our businesses will inevitably have an impact on our threat environment. We will discuss in the subsequent paragraphs on what is the paradigm shift in our threat landscape and what should we do to continue to stay effective in safeguarding our assets from the emerging cyber threats.

THE PROBLEM

There are 2 key problems that we see here which we will break it down in the following paragraphs:

Problem #1

The cyber defense architecture for many of the organizations today are designed based on the assumption that most of the daily BAU activities are performed on-premise. With the sudden need to allow a good number of employees to work-from-home, it means that many of the activities would now have to be performed remotely. The challenges in provisioning or scaling of the necessary IT infrastructure to support these sudden changes aside, this also gives rise to a shift in the threat landscape, where the existing cyber defense measures that have been working in the past, may no longer be effective now.

Problem #2

There is an increasing trend that attackers are preying on the psychology of human beings by coming up with new attacks related to the latest trending news topic or specifically targeting work-from-home employees through the remote meeting applications that they use, for example:

• Phishing Emails and Malware Attachments disguised as legitimate meeting invites and installers from popular remote meeting applications.
• Malicious mobile applications promising to be the most up-to-date outlet for tracking the latest breaking news and developments.
• Domain names that are similar to popular remote meeting platforms.

Combining both the above-mentioned problems and coupled with the tendency that as humans we naturally feel more comfortable in our home setting as compared to offices, there is an increased likelihood where some of us may be letting our guards down when it comes to spotting Phishing Emails, Malicious attachments and applications, as well as malicious websites that come knocking on our door at the least expected timing. All these can lead to an exponential increase in the level of cybersecurity risks faced by your organization and when there is a sudden surge in the number of cybersecurity breaches, does your organization have the capacity to handle them?   

WHAT CAN YOU DO?

Here, we look at what you can possibly explore as part of the Cybersecurity Team in your organization from the perspectives of People, Process and Technology to address the above mentioned issues.

People

Virtual Cyber Awareness Briefings. With increasingly more employees working from home, you can no longer conduct the usual quarterly cyber awareness briefings in traditional classroom settings. Instead of halting these briefings, why not take them virtual in the form of webinars for all employees who are working remotely. There are many platforms which can allow you to do so, such as WebEx, Zoom, Adobe Connect etc. You can also record the sessions and make them available offline for employees who are not able to join the live sessions.

EDMs. Apart from virtual awareness briefings, you should also look to increase the frequency of Electronic Direct Mails (EDMs) to remind the employees on the necessary cyber hygiene that they should continue to practice even when working from home.

Reward-based Quizzes. Besides briefings and EDMs, you can also take one step further to implement regular reward-based quizzes related to different cyber hygiene topics, in order to encourage and engage your employees in an interactive manner.  

Phishing Tests. Lastly, to assess if the above initiatives are effective, the best way is to test it out by implementing a Phishing Campaign on your internal employees. This could include regular phishing tests to your employees to assess their alertness in spotting such threats. You should also look to send out such emails in batches and in a random manner across different departments and regions such that the employees are not able to “cheat” the test by sharing information with their peers on such ongoing tests.

For the above initiatives, you could potentially include phishing topics that are related to the latest trending news or emails disguised as coming from legitimate remote meeting applications (e.g. meeting invites) in order to mimic the latest threats that the organization is facing.

Process

There are a couple of key processes which would require review and revision, to ensure that they are relevant to the work-from-home model. For example: 

Access Control. With the increasing number of employees working from home, you need to review the existing access control related processes, such as the requirements for an employee to qualify for remote access. For example, your Access Control List (ACL) for remote access could be previously role-based, but this may no longer applies if you are in the situation where practically most of the employees across different roles may require remote access. With this sudden growth of remote access employees, are the existing access control provisioning and review processes still practical and relevant? Of course, there are many other issues to consider in this area, which will be too long to be discussed in this post.    

Incident Reporting. With the work-from-home model, you need to ensure that all employees working remotely are familiar with the incident reporting mechanisms in the event of any suspicious happenings. For example, they need to know what is the reporting hotline and email address which they can reach out to on a 24/7 basis, as well as other automated reporting mechanisms such as having a tool to report on phishing emails in their outlook application.

Cybersecurity Champions. Apart from the regular Incident Reporting mechanisms, you should also consider appointing representatives across different departments or teams as “Cybersecurity Champions”, who are basically regular employees (i.e. not part of the Cybersecurity Team) but are more proficient in the area of the relevant security processes in the organization. This initiative will allow employees to reach out to someone whom they are familiar with if they are unsure of any suspicious happenings or if they would like to have a quick refresher on what are the best practices in cyber hygiene.  

Incident Response (IR). Are your existing IR processes robust enough and tailored to include the remote working model practiced by most of your employees right now? You should look to review your existing processes covering the following phases and ensure that they remain relevant to the latest Business and Operating models of your organization:

• Triage
• Investigation
• Containment
• Eradication
• Remediation
• After Action Review

Technology

Access Control. In terms of access control provisioning for remote working, you should consider what is the best approach to implement multi-factor authentication in a manner where you can scale up/ down the infrastructure quickly in a cost-effective manner. The options could include the following, depending on your existing set-up, requirements and budget:

• Hardware token
• Software token
• SMS/ Email OTP

For operations on critical servers that need to be performed remotely, there may be a need to differentiate them from the regular 2FA that is provisioned for normal remote access, by having a further step-up in the authentication process.

Monitoring and Detection. With the shift to the remote working model, there is a need to put more focus on the SIEM Use Cases related to VPN and remote access so that you can pick up such threats early. These are some examples of the Use Cases that may be relevant to the remote working model:

• Detecting VPN access from suspicious locations
• Simultaneous VPN Geo login from a single user
• Suspicious remote logon hours from critical admin accounts
• Remote admin session reconnected from a different workstation
• Mass phishing attempts targeting your organization
• and many more..

Endpoint. There are many different layers of endpoint controls which become especially important for the work-from-home model, such as the following:

• Hard Disk Encryption for all PCs, so that the corporate data remains protected even if they are misplaced
• Mobile Device Management which allows IT Department to manage the corporate information stored in mobile devices and allow the corporate information to be securely removed remotely if they are misplaced.
• Endpoint Detection and Response to detect advanced threats in your endpoint devices, which may not have been picked up by traditional Anti-Malware solutions.
• Data Labelling Enforcement and Data Loss Prevention (DLP) – Enforce data labeling for all documents and emails created or modified, and implement DLP to detect or prevent unauthorized movement of sensitive data.
• Application Whitelisting as a second layer of defense against unauthorized installation of malicious applications masqueraded as genuine ones into the corporate PC.  

Network and Servers. To ensure that you are not opening up the attack surface of your network and assets given the increased number of remote connections, you should consider the following:

• VPN provisioning for all remote connections.
• Network Access Control to disallow remote connections from PCs to the corporate network if the Anti-Virus definitions or patching status of the PCs are not up-to-date.
• Jump Server. Consider placing a Jump Server in front of critical servers to serve as an added layer of defense. This is especially important if the servers are critical but need to be accessed remotely.

Email. For corporate emailing, you could look to implement a Phishing Email Reporting Tool which your employees could easily report a phishing email to the Cybersecurity Team without having to manually write an email or call the reporting hotline. Also, you should look to implement a Labelling mechanism to automatically label all emails received from external Domains as “External”, as this has been proven to be effective in raising the alertness of employees when they receive any external emails, which could potentially be a phishing email or contain malicious artefacts.

Threat Intel and Hunting. A common saying goes “Know thyself and thy adversary to win a hundred battles”, this is very true and applies in the realm of Cyber Defense as well. By having timely intel that are relevant to your threat landscape, it helps you perform sense making and correlation of threats in your environment more effectively and allows you to put in the necessary measures early to look out for such threats. You should also look to conduct regular pro-active threat hunting sessions by trained specialists (i.e. Threat Hunters) to discover low-lying and advanced attacks which could otherwise may not have been picked up by your regular controls.

THE NEED FOR SPEED

Given the need to transition quickly,  securely and efficiently to a remote working model for your organization, you will need to be able to make the relevant changes to your existing Cyber Defense Architecture (in the areas of People, Process and Technology) within a short amount of time, in order to ensure that the level of cybersecurity risk which your organization could be potentially exposed to, continues to remain within an acceptable level. As such, it may be worthwhile to consider engaging external professionals for tasks which could be performed remotely, for example:

• Perform a gap analysis on your existing processes (e.g. Incident Response and Reporting Processes, Access Provisioning Processes) through documents review and remote workshops that are focused on the remote working model and provide practical recommendations on what you can quickly implement to close the gaps.
• Develop Use Cases that are tailored to the remote working model to ensure that the detection remains effective against the latest threat landscape.
• Subscribe to a temporary Managed Security Service to outsource your Level 1 monitoring to an external party if you anticipate a surge in the number of alerts in the SOC during a particular period, so that you can free up the time of your internal SOC team to focus on investigation and incident response.
• Subscribe to an IR Retainer service to implement a surge resourcing model, ensuring that you have sufficiently trained expert resources when needed most, to assist the internal IR Team in times of complex incidents which may require highly complex work such as malware analysis and digital forensics.
• Conduct threat hunting sessions to discover any low-lying threats which may have been present for some time in your environment.

CONCLUSION

To conclude, there is no one-size-fit-all solution but we hope that the above will provide you with some useful insights in planning for your Cyber Defense Architecture.