The rush to have staff working remotely has created numerous opportunities for cybercriminals to infiltrate corporate networks. These opportunities are due to people no longer working within a protected infrastructure, using insecure networks, and connecting through client devices that lack vital security patches.
It’s tempting for organisations to think that, because they have managed to navigate the initial lockdowns without any sign of a cyberattack, they are now in the clear. Unfortunately, this may not be the case.
There could well be attackers who have gained access to corporate infrastructures but have opted to lie low as they prepare their next steps. It’s quite likely that a new wave of attacks will emerge as these criminals make their presence known.
Interestingly, industry studies show that the dwell time - the period that attackers spend inside the network before detection - is now just under 60 days. However, it can extend into months or even years for more advanced attacks. It may currently be the calm before the storm.
The security problems tend to stem from the fact that most businesses were simply not prepared for the volume of employees who would have to work from home. They had a matter of days to equip their workforce to continue operations and not impact customer service.
This lack of time to prepare means that, when it comes to security, they inevitably took shortcuts. As a result, both technology-based and human-based issues have arisen.
For example, network endpoints are more exposed. Staff are pulling data out of the company that may never have been off-premises before, thus creating fresh opportunities for attackers to target less-secure devices.
Phishing and other human-focused scams have also been on the rise during the lockdowns. Through these, cybercriminals prey on employees who are distracted or flustered by the sudden shift in routine.
Also, the number of BYOD devices (laptops, routers, access points, etc.) on the network has increased, making it much harder to verify that employees are doing things like installing security updates promptly, thus creating potential vulnerabilities. Even employee turnover can create openings for attackers, as it can be harder to verify the full removal of stored credentials and other access from all applications and systems.
While there are tools designed to help protect against these new threats, they require effective security controls at multiple levels of the network. Traditional Endpoint Protection Platforms (EPPs) and Endpoint Detection and Response (EDR) tools try to stop attacks at the initial compromise of the system. Now, in a remote working world, attackers may have an easier time bypassing those tools, highlighting the importance of overlapping security controls and building a safety net to boost in-network detection capabilities.
Addressing new risks
A balance of security controls is necessary to cover everything from initial compromise and lateral movement to privilege escalation and data loss prevention. If cybercriminals have already compromised an internal system, technology like cyber deception plays a valuable role in detecting lateral movement and protecting applications. Additionally, data loss prevention capabilities can stop employees (or attackers) from saving sensitive information to personal devices.
It is therefore vital to have visibility into in-network attack paths to essential assets and into network activity, including seeing devices joining or leaving the network. Such visibility, together with tracking of where credentials are stored and used, is more important than ever, as is having the correct tools in place to stop a successful breach. Decoys can also record and replay attacks to correlate attack activities better and gather company-specific threat intelligence.
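To make the deception idea above concrete, here is an added example (not code from the original article or from any vendor product) of the detection logic a defender would run over authentication logs: bait accounts and bait hosts that no legitimate workflow ever uses are planted, and any attempt to use them, successful or not, identifies the internal host that reached for them. The log format, decoy names and addresses are all constructed for this illustration.

```python
"""Added example: detecting lateral movement through decoy credentials and decoy hosts.
Log format, decoy names and addresses are constructed for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical deception inventory: bait accounts planted in credential stores and
# bait hosts that no legitimate workflow ever contacts. Any touch is suspicious,
# whether or not the authentication succeeds.
DECOY_ACCOUNTS = {"svc_backup_decoy", "adm_finance_bait"}
DECOY_HOSTS = {"10.0.5.250", "fileshare-old"}

# Constructed line format: "<ts> auth user=<u> src=<host> dst=<host> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str          # internal host that used the decoy: the likely compromised system
    dst: str
    user: str
    result: str
    reasons: tuple    # which kind(s) of decoy were touched


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_touches(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """One alert per log line that touches a decoy account or decoy host."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable lines are skipped here; count them in production
        reasons = []
        if ev["user"] in decoy_accounts:
            reasons.append("decoy-credential")
        if ev["dst"] in decoy_hosts:
            reasons.append("decoy-host")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["src"], ev["dst"], ev["user"],
                                ev["result"], tuple(reasons)))
    return alerts


def touched_hosts_by_source(alerts):
    """Group decoy touches by originating host, in time order, so responders can see
    which internal systems reached for bait and which targets they tried."""
    path = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        path[a.src].append(a.dst)
    return dict(path)


# Constructed sample log lines (not real data). Only 10.0.2.40 touches decoys.
SAMPLE_LOG = [
    "2020-06-12T08:01:10Z auth user=alice src=10.0.2.15 dst=mail01 result=success",
    "2020-06-12T08:03:44Z auth user=bob src=10.0.2.40 dst=crm01 result=success",
    "2020-06-12T08:07:02Z auth user=svc_backup_decoy src=10.0.2.40 dst=fs02 result=failure",
    "2020-06-12T08:07:31Z auth user=bob src=10.0.2.40 dst=10.0.5.250 result=success",
    "2020-06-12T08:09:15Z auth user=alice src=10.0.2.15 dst=crm01 result=success",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    found = detect_decoy_touches(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} src={a.src} user={a.user} dst={a.dst} "
              f"result={a.result} reasons={','.join(a.reasons)}")
    print(touched_hosts_by_source(found))
```

Note that the failed login with the decoy credential is alerted on just like the successful connection to the decoy host: because the bait has no legitimate use, the outcome of the attempt is irrelevant, and the `src` field is what tells responders which workstation to isolate first.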
The spike in remote employees also means there is likely to be a need to boost VPN security. New traffic patterns amid remote work have shattered traditional activity baselines and made suspicious behaviour much harder to identify. Attention also should be given to cloud security, since much of the remote work uses PaaS, SaaS, and IaaS accounts for various tasks.
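The point about shattered baselines is easiest to see with numbers. The following added example (not from the original article) builds a simple per-user VPN login profile, source /24 prefix plus hour of day, first from a constructed office-era window and then from a constructed first week of remote work, and evaluates the same later logins against both. All users, addresses and timestamps are constructed; the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for the corporate egress and two home connections.

```python
"""Added example: re-baselining VPN login behaviour per user after a shift to remote work.
All users, addresses and timestamps are constructed for this illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str


def source_prefix(ip):
    """Collapse a source address to its /24 so one home connection counts as one origin."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(logins):
    """Per-user set of source prefixes and login hours observed in a training window."""
    base = defaultdict(lambda: {"prefixes": set(), "hours": set()})
    for l in logins:
        base[l.user]["prefixes"].add(source_prefix(l.src_ip))
        base[l.user]["hours"].add(l.ts.hour)
    return dict(base)


def flag_anomalies(logins, baseline):
    """Return (login, reasons) pairs for logins that fall outside the baseline."""
    flagged = []
    for l in logins:
        profile = baseline.get(l.user)
        reasons = []
        if profile is None:
            reasons.append("unknown-user")
        else:
            if source_prefix(l.src_ip) not in profile["prefixes"]:
                reasons.append("new-source-prefix")
            if l.ts.hour not in profile["hours"]:
                reasons.append("unusual-hour")
        if reasons:
            flagged.append((l, reasons))
    return flagged


def _t(month, day, hour):
    return datetime(2020, month, day, hour, tzinfo=timezone.utc)


# Constructed office-era window: everyone arrives via the corporate egress 203.0.113.0/24.
OFFICE_WINDOW = [
    Login(_t(2, 3, 9), "alice", "203.0.113.10"),
    Login(_t(2, 4, 10), "alice", "203.0.113.11"),
    Login(_t(2, 3, 9), "bob", "203.0.113.12"),
    Login(_t(2, 5, 11), "bob", "203.0.113.10"),
]
# Constructed first week of remote work: home prefixes and slightly different hours.
REMOTE_WINDOW = [
    Login(_t(4, 1, 8), "alice", "198.51.100.23"),
    Login(_t(4, 2, 9), "alice", "198.51.100.23"),
    Login(_t(4, 3, 10), "alice", "198.51.100.24"),
    Login(_t(4, 1, 9), "bob", "192.0.2.40"),
    Login(_t(4, 2, 10), "bob", "192.0.2.41"),
]
# Constructed later logins to evaluate: two routine ones and one at 03:00 from a never-seen range.
NEW_LOGINS = [
    Login(_t(4, 20, 9), "alice", "198.51.100.7"),
    Login(_t(4, 20, 10), "bob", "192.0.2.9"),
    Login(_t(4, 21, 3), "bob", "198.18.0.9"),
]


def compare_baselines():
    """Flags under the stale office baseline versus a baseline rebuilt from remote-work data."""
    stale = flag_anomalies(NEW_LOGINS, build_baseline(OFFICE_WINDOW))
    rebuilt = flag_anomalies(NEW_LOGINS, build_baseline(REMOTE_WINDOW))
    return stale, rebuilt


if __name__ == "__main__":
    stale, rebuilt = compare_baselines()
    print("stale baseline flags:", [(l.user, l.ts.isoformat(), r) for l, r in stale])
    print("rebuilt baseline flags:", [(l.user, l.ts.isoformat(), r) for l, r in rebuilt])
```

Against the office-era baseline every remote login is an anomaly, so the one login that matters is buried in noise; against the rebuilt baseline only the 03:00 login from an unseen range is flagged. One caveat follows directly from the article's own argument: if an attacker was already inside when the new baseline window was captured, their activity gets baked in as "normal", so the training window should be reviewed before it is trusted.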
Just because your organisation has navigated the first few months in this new COVID reality without any significant security problems, it doesn’t mean that you can now take your eye off the ball.
Ensure that your organisation conducts a thorough review of the new remote-working infrastructure and plugs any identified holes in security protection as quickly as possible. The cybercriminals haven’t disappeared, and they could be much closer than you think.