I get it, everybody is working from home, and it is changing things on the network. The limits of VPNs have been pushed, stretched, and exceeded. Video conferencing systems have shown some “growing pains.” And, online SaaS applications have seen a lot of “resource unavailable” errors. These are examples of some of the effects we can easily see. What is less easy to see, however, has me much more worried.
Expect more Spear Phishing attacks
With face-to-face interactions removed, spear phishing has become a bit easier. Follow me on my thought exercise: you forget to lock your video conferencing room, a malicious actor joins (without video this time) and learns a detail or two of the on-goings in the business. Next, this hacker crafts a spear phishing email: “Attached is a link to the document I promised you during our 3:00 PM call. Ping me if you have further questions.” The link contains the malware, which now installs on the worker’s computer.
This malware has a signature that the corporate firewall might have blocked. The command & control (C2) communications perhaps go to a well-known C2 server, which the IDS (intrusion detection system) could have spotted. But because the VPN is struggling to keep up with demand, most workers have enabled split-tunneling1 so requests for resources outside the corporate network go direct to Internet. The firewall and IDS are not seeing the malware. Even if this particular scenario does not apply to your network, it does not stretch the imagination much to see how the current WFH environment has ushered in the Golden Age of Spear Phishing.
Data theft now easier than ever
In a similar vein, performance degradations and access to a company’s sensitive resources has become much harder to understand. It is as if we have all picked up and started working from the coffee shop. To enable access to resources, IT security teams are punching holes faster than a prize fighter. Which ones will get closed when people return to their offices?
Which data accesses are benign and which ones are malicious? What does data theft look like in these WFH times? Time will tell, but one thing is certain: what once appeared to be highly abnormal is now the new norm. It is going to take time to figure out what changed, how it changed, and how to tell right from wrong.
So, the new reality is that we do not know today what we will need to be looking at tomorrow. Especially if we work under the assumption that attack vectors have now moved outside of most corporate security visibility and that more system compromises are taking place where we are unable to directly detect them. Our best hope may be to detect the knock-on behaviors that result from these compromises: brute-force attempts at corporate resources, large data movements, scanning and reconnaissance behavior, etc. These “Network Behavioral Anomaly Detection” techniques have at times been accused of inconclusive alerting, yet a notification of an odd or changing behavior may be the only indicator the cyber defender is going to get these days.
Full fidelity visibility is the last line of defense
In fact, the best preparation we have is to simply record network data such as packets, flows, and logs – and store it for future forensic analysis. This, incidentally, separates the field of available visibility solutions. There are those that record everything they see vs. those that only record graphs and derived metrics. Full fidelity, or “forensically accurate” visibility, may seem like a last line of defense in normal times. But in changing times, it certainly shines at the front line.
In conclusion, even during the best of times threats are evolving. Investing in telemetry collection, and storage can help any organization prepare for an unexpected reality, whatever that may be. Just remember: packets don’t lie!
1 “Split-tunneling” is a VPN trick where only the traffic destined for the corporate network goes into the tunnel and all other traffic goes out the normal path to the Internet to reduce VPN congestion and delays.