Cybersecurity professionals in companies suddenly had to adapt to almost 100% of users working remotely. Today, in the face of uncertainty, companies are trying to preserve business processes, and security is fading into the background. Professionals who previously serviced primarily local computers may not be ready to deal with new remote access threats.
Our incident response team helps our customers resolve security issues daily. But over the past couple of months, the nature of attacks on VPN connections and on cloud applications and data has changed. We have compiled a list of five threats to remote work to describe what our experts face during the COVID-19 pandemic.
1. VPN brute force attacks
Since many people now work from home, attackers have more opportunities for brute force attacks via VPN. ZDNet reports that recently the number of VPN connections has grown by 33%. This means that since the beginning of 2020, attackers have more than a million new targets.
In approximately 45% of cases, the Varonis response team has to investigate brute force attacks. Most of these attacks are aimed at gaining access to a VPN or Active Directory. We have seen organizations turn off built-in lockouts and other restrictions on connecting to a VPN so as not to interrupt work or to reduce IT costs. This leaves the system vulnerable to such attacks.
Attackers carry out the brute force attack as follows: they select a VPN portal and repeatedly try to authenticate using pre-compiled credential lists. This attack is called credential stuffing. If at least one login and password pair is guessed correctly, the attacker can break into the system.
Moreover, if the system uses single sign-on (SSO), an attacker also obtains a valid domain login. The attacker penetrates the network very quickly: he can start reconnaissance by logging into the domain and try to escalate privileges.
How Varonis Can Help
Varonis solutions have over a hundred built-in threat models for detecting suspicious authentication (credential stuffing, password spraying, brute force) against a VPN or Active Directory. Our threat models take several sources into account: VPN activity data is supplemented by information from Active Directory, web proxies, and data stores such as SharePoint or OneDrive.
You can also quickly view contextual VPN activity (processed logs) in the saved searches library, which you can use to create reports or search for threats.
Several hundred failed login attempts from the same IP address or device can serve as evidence of brute force attack. But, even if attackers act quietly and slowly, Varonis can detect minor deviations by analyzing perimeter telemetry, Active Directory activity and data access, and then comparing this information with the basic model of user or device behavior.
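The two patterns described above, the noisy burst of failures from one address and the quiet credential-stuffing run that a per-minute threshold misses, as an added example that is not Varonis code. It runs over constructed VPN authentication log lines; the log format, thresholds and IP addresses are assumptions.

```python
# Added example (not Varonis code): flag both a noisy VPN brute force burst and a
# low-and-slow credential-stuffing run from constructed VPN authentication logs.
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src_ip> <username> <FAIL|OK>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "FAIL"

def detect_vpn_bruteforce(lines, burst_n=200, burst_window=timedelta(minutes=10),
                          slow_users=5, slow_window=timedelta(hours=24)):
    """Returns {src_ip: 'burst' | 'credential_stuffing'} for suspicious sources."""
    fails = defaultdict(list)  # src_ip -> [(timestamp, username)]
    for line in lines:
        ts, ip, user, failed = parse_line(line)
        if failed:
            fails[ip].append((ts, user))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        # Noisy case: burst_n failures inside a sliding burst_window.
        j = 0
        for i, (ts, _user) in enumerate(events):
            while ts - events[j][0] > burst_window:
                j += 1
            if i - j + 1 >= burst_n:
                findings[ip] = "burst"
                break
        if ip in findings:
            continue
        # Quiet case: only a few failures per hour, but many distinct usernames
        # from a leaked list over a long window; a short-window count misses this.
        cutoff = events[-1][0] - slow_window
        users = {user for ts, user in events if ts >= cutoff}
        if len(users) >= slow_users:
            findings[ip] = "credential_stuffing"
    return findings

def build_sample_log():
    """Constructed sample: one noisy source, one slow source, one legitimate user."""
    base = datetime(2020, 4, 1, 8, 0, 0)
    lines = []
    for i in range(250):  # 203.0.113.7 hammers one account: 250 failures in ~4 minutes
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 alice FAIL")
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} 198.51.100.9 {user} FAIL")
    lines.append(f"{base.isoformat()} 192.0.2.5 grace FAIL")  # one typo, then success
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 192.0.2.5 grace OK")
    return lines
```

Tune `burst_n` and `slow_users` to the volume of your own portal; the point is that the second signal keys on username diversity over a day rather than rate.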
2. Command and control through phishing
Another well-known threat adapted to pandemic conditions is phishing. Attackers capitalize on people’s fears during a pandemic, tricking users into clicking on malicious links and downloading malware. Phishing is real evil.
The criminals built maps of COVID-19 distribution centers and created websites that sell medical supplies or offer miracle cures, after which you end up installing malware on your computer. Some scammers act brazenly, for example, asking $500 for an N-95 mask. Other attacks are aimed at gaining access to your computer and all the data on it. As soon as you click on the malicious link, a program is downloaded to your computer, with the help of which the attacker establishes a connection to the command server. He then begins reconnaissance and elevates privileges to find and steal your sensitive data.
How Varonis Can Help
Varonis detects network activity that resembles command-and-control traffic (not just connections to known malicious IP addresses or domains). The solution performs a deep scan of DNS traffic and detects malicious programs that hide data transmission inside HTTP or DNS traffic.
In addition to detecting malware and its connections to the command server, Varonis threat models often detect a compromised user by recording unusual attempts to access files or email. Varonis monitors file activity and perimeter telemetry and creates basic user behavior profiles. The solution then compares the current activity with these base profiles and an ever-growing catalog of threat models.
3. Malicious apps in Azure
This attack vector is relatively new; last month it was first discussed on our blog. We recommend reading the full version of the article, since here we provide only a brief description of it.
Microsoft said that over the past month, the number of Azure tenants has increased by 775%. This means that some of you are now creating Azure environments for your remote employees, and many are spending all their efforts to keep the business afloat and quickly introduce new features. Perhaps this applies to you.
You need to know which applications users grant access to data, and plan regular reviews of approved applications so that you can block anything that carries a risk.
The criminals realized that they could use malicious Azure applications in phishing campaigns: once a user installs the application, the attackers gain access to the network.
How Varonis Can Help
Varonis can track installation requests for an Azure application and detect signs of this attack from the start. Varonis collects, analyzes and profiles all events in Office 365 for each component, so as soon as a malicious application starts to impersonate a user (sending emails and uploading files), our behavioral threat models fire.
4. Bypass multi-factor authentication
Another threat to remote employees is a man-in-the-middle attack. Your employees may not have worked remotely before and may not be very familiar with Office 365, so they can be misled by fake Office 365 login windows. Attackers use these login windows to steal credentials and authentication tokens, which are enough to impersonate a user and log in. In addition, remote employees may use an insecure Wi-Fi router that can be easily hacked.
In short, an attacker intercepts the authentication token that the server sends to you, and then uses it to enter the system from his own computer. Having gained access, the attacker takes control of your computer and then tries to infect other users' computers or immediately searches for sensitive data.
How Varonis Can Help
Varonis can detect simultaneous login from different places, as well as login attempts that do not match previous user behavior and serve as evidence of fraud. Varonis monitors your data for abnormal access attempts that cybercriminals can make by simply being inside your network.
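The two signals named above, the same account active from two places at once and a sign-in from a country the account has never used, as an added example that is not Varonis code. The sign-in records, the GeoIP country attribution and the IP addresses are constructed assumptions.

```python
# Added example (not Varonis code): spot a replayed session token from constructed
# Office 365 sign-in records: one account active from two countries at once,
# or signing in from a country it has never used before.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

@dataclass(frozen=True)
class Session:
    user: str
    start: datetime
    end: datetime
    src_ip: str
    country: str  # assumed to come from a GeoIP lookup on src_ip

def concurrent_foreign_sessions(sessions):
    """Pairs of sessions of one user that overlap in time but come from
    different countries: a real user cannot be in two places at once."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    alerts = []
    for user, own in by_user.items():
        for a, b in combinations(sorted(own, key=lambda s: s.start), 2):
            overlap = a.start < b.end and b.start < a.end
            if overlap and a.country != b.country:
                alerts.append((user, a.src_ip, b.src_ip))
    return alerts

def never_seen_country(sessions, history):
    """history: {user: set of countries} learned from earlier sign-ins."""
    return [(s.user, s.country, s.src_ip)
            for s in sessions if s.country not in history.get(s.user, set())]

def build_sample():
    """Constructed sample: alice's normal day plus a replayed token from abroad."""
    t = lambda h, m=0: datetime(2020, 4, 15, h, m)
    sessions = [
        Session("alice", t(9), t(17), "192.0.2.5", "US"),            # her normal workday
        Session("alice", t(9, 30), t(10, 15), "203.0.113.7", "RO"),  # stolen token replayed
        Session("bob", t(8), t(12), "198.51.100.9", "US"),
        Session("bob", t(13), t(14), "198.51.100.9", "US"),          # same place, no overlap
    ]
    history = {"alice": {"US"}, "bob": {"US", "CA"}}
    return sessions, history
```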
5. Internal threats
Now is a time of great uncertainty for everyone. People make every effort to overcome the crisis, and fear and uncertainty make them behave unusually.
Users download work files to unprotected computers, either out of fear of losing their job or because they cannot do it effectively otherwise. Both happen. This complicates the work of the IT and information security teams that have to ensure data security.
Internal threats can be difficult to identify, especially when an employee accesses sensitive data from a personal device. Such a device lacks corporate security controls, such as DLP, that could detect the user transmitting this data.
How Varonis Can Help
We detect internal threats by identifying where the company's confidential data is located, and then examining how users typically work with this data. Varonis monitors users' actions with data and files over a long period, and then supplements them with VPN, DNS and proxy data. Therefore, Varonis notifies you when a user downloads a large amount of data over the network or gains access to sensitive data that he did not have access to before, and can provide a complete list of files that the user has accessed.
Most often, employees have no malicious intent. However, it is important for the company to understand how sensitive data is stored, as internal threats are a frequent occurrence. The ability to respond directly to employee behavior is not only a way to reduce risk, but also an opportunity to discuss problems with the team.
Varonis will help you investigate everything that looks suspicious and give recommendations on how to recover your system after an attack. If necessary, we provide free trial licenses.
As you understand, we do not rely on one type of protection. We stand for several layers of protection that cover all systems, like a web. Our incident response team will help integrate Varonis into your current cybersecurity strategy and provide recommendations on other security systems that you might want to invest in.
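The baseline-then-deviation approach described above, as an added example that is not Varonis code: each user's daily download volume is baselined over earlier days, and a day far above it, or a first-time touch of a sensitive folder, raises an alert. The file-access events, the folder list standing in for classification results and the thresholds are constructed assumptions.

```python
# Added example (not Varonis code): baseline each user's daily download volume,
# then flag a day far above the baseline and first-time access to sensitive folders.
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Constructed stand-in for classification results; real deployments tag paths from scans.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")

def volume_anomalies(events, sigmas=3.0, min_history=5):
    """events: (day, user, path, bytes). Flags the latest day per user whose
    volume exceeds mean + sigmas * stdev of that user's earlier days."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, _path, size in events:
        per_user[user][day] += size
    alerts = []
    for user, days in per_user.items():
        ordered = sorted(days)
        history, latest = ordered[:-1], ordered[-1]
        if len(history) < min_history:
            continue  # not enough history to call anything abnormal
        values = [days[d] for d in history]
        threshold = statistics.mean(values) + sigmas * statistics.pstdev(values)
        if days[latest] > threshold:
            alerts.append((user, latest, days[latest]))
    return alerts

def first_sensitive_access(events, learn_until):
    """Alert when a user touches a sensitive folder they never used during
    the learning period that ends on learn_until (inclusive)."""
    seen = defaultdict(set)
    alerts = []
    for day, user, path, _size in sorted(events):
        folder = next((p for p in SENSITIVE_PREFIXES if path.startswith(p)), None)
        if folder is None:
            continue
        if day > learn_until and folder not in seen[user]:
            alerts.append((user, day, path))
        seen[user].add(folder)
    return alerts

def build_sample_events():
    """Constructed sample: 29 ordinary days, then alice pulls 2 GB from a new folder."""
    start, events = date(2020, 4, 1), []
    for i in range(29):
        d = start + timedelta(days=i)
        events.append((d, "alice", f"/eng/spec{i}.docx", 50_000_000 + (i % 5) * 1_000_000))
        events.append((d, "bob", f"/eng/build{i}.log", 48_000_000))
        events.append((d, "bob", "/hr/handbook.pdf", 200_000))  # bob routinely reads HR docs
    last = start + timedelta(days=29)
    events.append((last, "alice", "/finance/budget.xlsx", 2_000_000_000))
    events.append((last, "bob", "/hr/handbook.pdf", 200_000))
    return events, start + timedelta(days=28)
```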