How to protect remote employees, or Home Office Security

The coronavirus epidemic is forcing companies and state authorities to abandon their security principles en masse, leave their protected perimeters and move users to remote work. Many articles have already been written on how to make that access secure and where to get free licenses. We, as a center for monitoring and responding to cyber attacks, will try to describe the risks and the temporary difficulties in protecting the perimeter that arise with the new world order. What to monitor, and how, when moving employees to remote work: read on.

Leaks, breaches and home devices

The path to remote access begins with the connection. If we had plenty of time to design a truly secure solution, we would build entire echelons of protection:

  • Checking connected devices for security policies or, at a minimum, denying access from personal devices.
  • A certificate embedded in devices or a second authentication factor.
  • An administrator control system that records sessions, commands and screen video.

But time is short and employees must be moved to remote work urgently, so nobody will wait for a large implementation, delivery of tokens / new systems or scaling of the current access. As a result, most companies are left with home devices, connection protection at the level of a configuration file (easily guessed), and the classic username / password pair for the account.

And here we enter the first circle of problems. Despite domain policies, users manage to use “dictionary” and “rainbow” passwords. Some of them coincide with personal passwords from external resources, where leaks are so frequent that it does not even make sense to analyze them. Sometimes logins and passwords simply leak from infected personal devices and, in the new reality, not only compromise mail but also give an attacker room for further impact on the infrastructure.

What we recommend monitoring:

  • VPN connection geolocation. The false-positive rate of this scenario is high (especially with users on Opera Turbo or actively bypassing geo-blocks), but it still lets you see the deputy general manager connecting (suddenly) from Senegal. Each geolocation database has its own limitations and error, but right now it is better to err on the side of caution.
  • Connection from a “strange” device. Modern VPN gateways can collect a lot of information about the connecting device (host name, network attributes, the application used to connect). This lets you spot potential anomalies in the behavior of at least the critical users.
  • “Simultaneous” connections under one account from multiple hosts. Often the reasons are not criminal at all: a forgotten session on a laptop, a connection from a phone, stuck sessions that the VPN concentrator has not torn down, etc. But when a user who in theory should be sitting at home working continuously from one host suddenly connects from somewhere else, that is an occasion to stop and understand what is happening. The criteria for “simultaneity”, of course, everyone sets for themselves.
  • Connections on weekends or after hours. In the classic situation, where remote access is meant for IT and application administrators, connecting at night or on weekends is mostly part of the business process. With mass remote work it is a reason to investigate.
  • Password guessing (successful or unsuccessful). On a corporate network this usually indicates not an attacker but a password forgotten after a stormy weekend, or a service where someone forgot to change the system account's password. But on the perimeter and at the VPN everything looks far more unpleasant, especially when the guessing ends with a successful authentication. The necessary response measures, I think, need not be explained.
  • An important factor is the use of threat intelligence (TI). Attempts, and even more so successful connections, from compromised hosting, anonymizers, proxy servers or Tor nodes can be a sign of an attack by hackers who try to hide their tracks by anonymizing the last hop.
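
The VPN-layer scenarios above, turned into detection logic as an added example (this is not the authors' code or any product's rule set). The log lines, country whitelist, TI blocklist, known-device map, working hours and "simultaneity" window are all constructed assumptions; a real deployment would feed them from the VPN concentrator, HR data and a TI source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway auth events (not real logs): ts user src_ip country device result
VPN_LOG = """\
2020-03-23T02:10:05 deputy.gm 41.82.10.7 SN DEPGM-LAPTOP success
2020-03-23T09:00:12 j.smith 93.120.4.21 RU JSMITH-LAPTOP success
2020-03-23T09:03:40 j.smith 5.188.2.9 RU UNKNOWN-PC success
2020-03-23T10:15:00 a.ivanov 198.51.100.7 RU AIVANOV-PC failure
2020-03-23T10:15:02 a.ivanov 198.51.100.7 RU AIVANOV-PC failure
2020-03-23T10:15:04 a.ivanov 198.51.100.7 RU AIVANOV-PC failure
2020-03-23T10:15:09 a.ivanov 198.51.100.7 RU AIVANOV-PC success
"""
ALLOWED_COUNTRIES = {"RU"}            # hypothetical: where the workforce is expected to be
TI_BLOCKLIST = {"5.188.2.9"}          # constructed; in practice a TI feed (Tor exits, proxies, bad hosting)
KNOWN_DEVICES = {"deputy.gm": {"DEPGM-LAPTOP"}, "j.smith": {"JSMITH-LAPTOP"}, "a.ivanov": {"AIVANOV-PC"}}
WORK_HOURS = range(8, 20)             # hypothetical business hours, Mon-Fri
SIMULTANEITY = timedelta(minutes=15)  # two hosts within this window count as "simultaneous"
GUESS_THRESHOLD = 3                   # failures before a following success is treated as guessing
def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, country, device, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "device": device, "ok": result == "success"})
    return events
def analyze(events):
    # Returns (user, reason) alerts; one event can raise several reasons.
    alerts, fails, last_ok = [], defaultdict(int), {}
    for e in sorted(events, key=lambda x: x["ts"]):
        u, ts = e["user"], e["ts"]
        if not e["ok"]:
            fails[u] += 1
            continue
        if fails[u] >= GUESS_THRESHOLD:  # password guessing that ended in success
            alerts.append((u, "success after %d failures" % fails[u]))
        fails[u] = 0
        if e["country"] not in ALLOWED_COUNTRIES:
            alerts.append((u, "geo " + e["country"]))
        if e["ip"] in TI_BLOCKLIST:
            alerts.append((u, "ti_match " + e["ip"]))
        if e["device"] not in KNOWN_DEVICES.get(u, set()):
            alerts.append((u, "unknown_device " + e["device"]))
        if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
            alerts.append((u, "off_hours"))
        prev = last_ok.get(u)  # "simultaneous" login from a different host
        if prev and prev[1] != e["device"] and ts - prev[0] < SIMULTANEITY:
            alerts.append((u, "simultaneous %s/%s" % (prev[1], e["device"])))
        last_ok[u] = (ts, e["device"])
    return alerts
```

Each reason is kept separate so an analyst can tune thresholds per scenario (for example, treating "geo" alone as low priority but "geo" plus "unknown_device" as a ticket).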

VPN is hacked, we protect the network

If an attacker has managed to get past the first line of defense and gain VPN access, our ability to identify them does not end there. The problems here are typical:

  • As a rule, in the heat of hurried work, excessive access is opened: not to the target systems but to entire network segments.
  • Often there is no full-fledged account management, and live system or privileged accounts are shared widely.

What to control at this stage:

  • Mismatch between the user account in the VPN and on the end system. The account may be a privileged or a system one, but a mismatch always indicates an anomaly. Most often these incidents arise from IT administrators who, after entering the VPN, use the domain administrator account or root, but real attacks in this scenario are not uncommon.
  • Connections to network resources that were not planned for / not used in remote access. If the set of resources in the VPN pool turned out to be excessive, an attacker often begins to “probe” the machines in random order and lands on a random host that he does not need for the actual work. It can be a test environment, control systems or just a random server. Such deviations from the user's usual behavior according to the instructions also help to identify attackers effectively.
  • Malicious or reconnaissance activity. This includes exploiting vulnerabilities, scanning administrative ports, low-and-slow attacks and other techniques. If the attackers do not expect security monitoring to be working, then after gaining their first access they may behave quite crudely, which gives us the tools to identify and counter them.
  • Indirect signs of an attempt to collect data: monitoring the volume of VPN sessions, their duration and any anomalies indicating that the user is behaving unusually. This helps identify both internal and external incidents.
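
The first three post-VPN checks (account mismatch, unplanned resources, admin-port scanning / probing) as an added example; it is not the authors' code and all data is constructed. It assumes the VPN concentrator exports the tunnel IP assigned to each user, that target hosts log the account used at logon, and that a per-user list of planned resources exists from the access request; the port list and probing threshold are hypothetical.

```python
from collections import defaultdict
# Constructed data (not real logs). VPN concentrator: tunnel IP -> authenticated VPN user.
VPN_SESSIONS = {"10.200.0.11": "j.smith", "10.200.0.12": "it.admin"}
# Resources each user was supposed to reach over remote access (from the access request).
PLANNED = {"j.smith": {"crm-app"}, "it.admin": {"crm-app", "crm-db"}}
# Authentication events on target hosts: (src_ip, host, account used on the host).
HOST_AUTH = [
    ("10.200.0.11", "crm-app", "j.smith"),
    ("10.200.0.11", "test-srv-07", "administrator"),
    ("10.200.0.12", "crm-db", "root"),
]
# Connection attempts from firewall/flow logs: (src_ip, dst_host, dst_port).
FLOWS = [
    ("10.200.0.11", "crm-app", 443),
    ("10.200.0.11", "test-srv-07", 3389),
    ("10.200.0.11", "scada-hmi", 22),
    ("10.200.0.11", "fileserver", 445),
    ("10.200.0.12", "crm-db", 5432),
]
ADMIN_PORTS = {22, 445, 3389}  # hypothetical list of administrative ports worth watching
PROBE_THRESHOLD = 3            # distinct unplanned hosts touched before we call it "probing"

def check_auth(sessions, planned, auth):
    """Flag VPN user / end-system account mismatches and logons to unplanned resources."""
    alerts = []
    for src, host, account in auth:
        user = sessions.get(src)
        if user is None:  # traffic from the VPN pool with no session behind it
            alerts.append((src, "no vpn session for tunnel ip"))
            continue
        if account != user:
            alerts.append((user, "account mismatch on %s: %s" % (host, account)))
        if host not in planned.get(user, set()):
            alerts.append((user, "unplanned resource " + host))
    return alerts

def check_flows(sessions, planned, flows):
    """Flag admin-port access to unplanned hosts and random 'probing' of the pool."""
    alerts, touched = [], defaultdict(set)
    for src, host, port in flows:
        user = sessions.get(src, src)
        if host not in planned.get(user, set()):
            touched[user].add(host)
            if port in ADMIN_PORTS:
                alerts.append((user, "admin port %d on %s" % (port, host)))
    for user, hosts in touched.items():
        if len(hosts) >= PROBE_THRESHOLD:
            alerts.append((user, "probing %d unplanned hosts" % len(hosts)))
    return alerts
```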

Protecting target systems or terminal access

Unless we are brave (or desperate) enough to let every user connect straight to their own workstation, terminal servers / user hubs usually act as the collaboration / proxy environment for remote employees.

In their case the monitoring approach is completely identical to monitoring any critical host:

  • Analysis of host process start logs for anomalies
  • Monitoring remote process and service launches
  • Control of remote administration tools
  • Control of received files and changes in the system
  • Analysis of anti-virus logs and monitoring of the anti-virus status

We hope to cover monitoring of endpoints in the near future. But it is important to note that while across the general population of machines there are, as a rule, a lot of false positives, in the small group of terminal servers we are usually able to deal with each positive and render a verdict.

One way or another, providing employees with remote access to the infrastructure does not have to rely on expensive and complex solutions, especially at the start. And while we are designing truly secure access, it is important not to let the level of security drift and to keep dealing with the key problems and risks. So observe hygiene in everyday life, but do not forget hygiene in terms of information security either. And stay healthy.
