It’s fair to say that 2020 dramatically changed the workplace. Globally, governments mandated citizens to work from home, where possible. Large office blocks emptied as IT teams scrambled to implement technology and systems to support a predominantly remote workforce. As we start to look beyond COVID, organisations plan to permanently adopt these long-term hybrid and remote work models.
As organisations and employees adapt to new working practices, cyber criminals are looking to capitalise on the changes, says David Cummins, VP of EMEA, Tenable.
According to the World Economic Forum’s Global Risks Report 2021, the failure of cybersecurity measures is highlighted as a key short-term risk facing organisations today. Last year there was a dramatic increase in cyber-attacks on government agencies and companies globally many leveraged the COVID-19 crisis to infiltrate networks.
According to the study, the attack volume doubled from the second half of 2019 to the first half of 2020. This year that trend has continued including a number of large scale cyber attacks that have crippled organisations. In January, attackers targeted Microsoft Exchange Servers of organisations globally, in July MSP Kaseya was breached with some reports estimating hundreds of thousands of its customers were caught up in the attack. Headlines are dominated by similar successful threats and breaches.
Organisations must address the new and unmanaged cyber risks introduced from the new world of work to prevent further successful attacks.
How hybrid work introduces risks
Employees en masse are now accessing sensitive intellectual property and data outside the confines of the office. In addition, a hybrid worker could be in the corporate office one day and the next they’re connecting remotely via home routers, or even WiFi hotspots (referred to as the third workspace).
To enable this move to a hybrid work model requires three significant shifts, all of which serve to atomise the attack surface:
- Dissolving traditional workplace perimeters and providing technology that enables employees to work from anywhere
- Moving business-critical functions to the cloud
- Rapidly expanding the software supply chain with new tools for collaboration, communication and productivity.
Given the challenges last year, many organisations were forced to adapt their working practices in a much shorter time frame than would be ideal, including the accelerated migration towards cloud-based applications and Software-as-a-Service (SaaS) models. These changes caused the corporate attack surface to explode.
When forced to choose between operability and security, prioritising usability of IT was often the main driver. However, this rush to support the new work environment may have introduced new critical security risks, with many organisations struggling to understand and address the risks introduced. Given these moves are now permanent, the band-aid security solutions many organisations put in place last year now need to be replaced with scalable, long-term, security strategies.
Anatomy of an attack
The first step to address the new risks introduced, is to understand what we’re facing.
When we look at how attacks play out, in the vast majority of cases, bad actors typically go after the low hanging fruit in networks known but unpatched vulnerabilities. This is a view echoed by the NCSC, alongside a number of international allies, that confirms malicious cyber actors continue to target known vulnerabilities in perimeter-type devices.
Having exploited a vulnerability to gain a toe-hold into the organisation, attackers will pivot focus to Active Directory and the identity infrastructure to escalate privileges, and move laterally, with an aim to target further vulnerabilities, install malware and exfiltrate data.
Once an attacker gains control of Active Directory, they effectively have the “keys to the kingdom” which they can use to access any device or system connected to the network. In addition, if Active Directory serves as the Identity Provider (IdP), a compromise of it could impact your single sign-on (SSO) solution, giving attackers even more access to additional accounts which a user might be configured with access to.
To combat this, organisations must take a multi-layered approach to cybersecurity one that looks to prevent criminals gaining that toe-hold, locks them down if they do get inside, and looks for indicators of compromise to shut down attempts to exfiltrate data and eliminate bad actors from the infrastructure:
Prevent the toe-hold: While it might seem simplistic, basic cyber hygiene plays a critical role and acts as the first line of defence. Organisations need a modern, comprehensive strategy to quickly and accurately identify vulnerabilities and misconfigurations in their dynamic infrastructures, that delivers clear guidance and recommendations on how to prioritise and remediate any risks. Here are some steps to help:
- Actively detect all assets and identify key processes across the entire attack surface wherever it resides including any assets in the cloud and container environments.
- Identify all business-critical assets, applications, and services including who within the organisation ‘owns’ them
- Having identified what is critical to the business, focus efforts here first to find and fix known flaws. This prevents attackers daisy-chaining vulnerabilities which enables further exploitation.
Prevent the Pivot: The dissolution of traditional perimeters makes the configuration and management of user privileges and access more critical than ever before. However, when it comes to Active Directory and identity access management, this is where most organisations struggle. Here is a best practices checklist to help:
- Make sure only authorised users are accessing data and only the data they are authorised to access. Require the use of multi-factor authentication and strong passwords (25 characters) on service accounts and actively manage the groups they are in. Enforce the principle of least privilege across all endpoints, blocking default administration, denying access from a built-in local administrator account and avoiding built-in groups, which have too many permissions.
- Clean up the domains in your network and limit the number of privileged users, administrative accounts and permissions in the network.
- Use technology that continuously scans directories for security vulnerabilities and weak configurations. Monitor events in Active Directory for unauthorised behaviours that could indicate signs of attack. And finally, deploy software updates as soon as possible.
Monitor for deviations: While keeping bad actors out of the environment is the primary focus, it’s also important to plan how to identify and prevent anyone that does. Here are some basic steps to consider:
- Adaptive user risk profiles based on changing conditions, behaviours or locations allows the organisation to continuously monitor and verify every attempt to access corporate data before granting or revoking the request. For example, someone using a corporate-owned device within the office perimeter during working hours may be deemed a lower risk than someone connecting using their own device over an insecure WiFi hotspot at 2:00 am.
- Employ network segmentation to prevent uncontrolled lateral movement.
- Continuously monitor for indicators of compromise. As illustration, a server in the basement used to control the air conditioning if it suddenly starts trying to connect to an external source out of hours then this might warrant immediate investigation.
The new world of work has shattered the corporate network, forcing a move away from perimeter-based security architectures. Organisations need the ability to see into the entirety of the attack surface on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and the impact if exploited.
Improving cyber hygiene, having regular patching cycles, developing plans to address out-of-band patches and performing regular backups can all help to prepare your organisation for the next vulnerability that could impact your Active Directory environment. Administrators and defenders must be ready and stay vigilant, implementing policies to reduce their exposure and protect their core.
If cybersecurity strategies fail to keep pace with business changes, today’s risk could become tomorrow’s reality.
The author is David Cummins, VP of EMEA, Tenable.