Industry Perspectives

Remote Work in an Age of COVID-19 — Threat Modeling the Risks

With the rapid escalation of COVID-19, organizations are having to rapidly adapt to limit contact and person-to-person contamination. Over the past several weeks, organizations around the world have instituted remote, work-from-home policies. While some organizations have maintained a robust remote work structure for years, many organizations have had few remote workers and restricted employees to work from home. And even for organizations that have maintained a remote workforce, the breadth and depth of remote work has dramatically increased. Business units and functions that have never been done remotely are now required to operate in a fully remote mode. During these rapid changes, security experts are rightly pondering what new risks may be introduced.

To consider some of the risks this new remote connectivity brings, we’ve threat modeled a sample of the remote access implementations we’ve seen. Of course, these threat models represent a sampling and each organization is going to have nuanced implementations, variances and considerations. It’s important that each organization considers their implementation and the risks when proactively assessing these capabilities.

Remote Access Architectural Approaches

Highest Risk Remote Access Method

Direct Access

The simplest and least secure remote access method is exposing networking protocols to the internet such as Microsoft Remote Desktop Protocol (RDP). While we still encounter organizations that expose RDP to the world (mainly in Incident Response cases), mature organizations prohibit direct access through proper firewall configurations and restrictions. However, even in mature organizations, security teams must be cognizant of shadow IT operations that may spin up systems on unmanaged cloud platforms or third-party services.

Enterprise Standard

Given the lack of controls and risk of the previous model in exposing RDP and other remote protocols to the internet, enterprise organizations have centralized remote access to a few technologies. This implementation allows for improved access management, logging and security controls.

We see this centralized enterprise standard implemented in a couple of ways:

VPN / Virtualized Desktops

The most common implementation we encounter is a VPN solution and/or a virtualized desktop interface such as Citrix or VMWare:

These solutions are placed within the organization’s DMZ. For VPN traffic, this may either be a full tunnel solution or split tunnel. We often see organizations implement this VPN connectivity to provide a significant amount of internal network access. Given the significant increase in remote connectivity during COVID-19, organizations that were full tunnel may be migrating to split tunnel to reduce bandwidth, we’ll discuss some of the risks of this later in the post.

Citrix, VMWare and other solutions can provision a user with applications or a virtualized desktop. These often provide a set of applications such as Internet Explorer, homegrown application, and third-party applications. Alternatively, organizations may provide a virtualized desktop to the user, providing for access to network shares, applications and internal resources.

Zero Trust Model

The emerging model of remote access is the Zero Trust model, which utilizes an identity provider to provision access to the applications and determines the authorization rights based on both the user and device. Common authorization rights include device and user identity checks to consider if the device is managed by the organization (such as a certificate stored in the Trusted Platform Module or TPM), the origination of the login and the user’s roles. While we have seen organizations move toward this model, legacy challenges and exceptions remain with either half-implemented solutions or traditional VPN access still provisioned as a backup.

Threat Modeling the Risks

The dynamic nature of COVID-19 has resulted in rapidly evolving shifts to the remote workforce. Given the level of access provided through remote connectivity, the newly minted remote workforce and potential for limited security reviews, attackers are likely to take advantage of weaknesses to gain internal network access. FireEye Mandiant Threat Intelligence has identified a significant number of COVID-19 phishing and spear phishing lures, which we suspect will continue.

With the rise in the remote workforce, organizations may modify their remote access standards such as removing IP address whitelists, allowing unmanaged devices and moving to a split tunneling solution. Any of these configuration changes should be weighed against the new threats to the organization and the risk appetite, based on thoughtful security reviews and testing.

Direct Access Threat Modeling

For direct network access, we’ll continue to see the traditional means of gaining access to externally facing services: network scanning of external ports and exploitation through brute forcing, credential spraying or spear phishing. Further increasing the risk of this direct network access is that these services likely allow unmanaged devices direct access, providing little visibility into the hosts that are connecting to these services.

Enterprise Threat Model

VPN / Virtualized Desktops

To consider the threats to the common VPN / Virtualized Desktops, we’ve considered attacker behavior from several angles such as unauthenticated attacks, compromised credentials and compromised systems. Furthermore, as attackers often chain control deficiencies together, we’ve considered how attackers exploit the initial access to a VPN / Virtualized Desktop to gain further access. In light of the current remote workforce growth and common deficiencies we’ve seen in threat modeling, incident response, and red teaming, we want to highlight several key areas of weakness:

  1. Endpoint Remote Access: Employees will continue to be targeted in phishing emails on a regular basis. The controls of email filtering, endpoint hardening, reduced administrator privileges and visibility should continue to apply. In the current COVID-19 situation, security teams should validate that endpoint visibility remains consistent for users that are remote, including any new users or third parties.
  2. Attacker Lateral Movement: Once an attacker gains access to a remote access solution, be it VPN or a virtualized desktop solution, they will likely attempt to gather credentials and move laterally. To reduce this ability, network access should ideally be restricted to the resources that are necessary to perform job duties. Virtualized services should be hardened, as we’ve outlined in previous posts.
  3. Multifactor Authentication (MFA) Bypass: Fortunately, many organizations have implemented MFA to reduce the success of brute forcing or credential spraying attacks. However, in our red teaming exercises, we still encounter users accepting push notifications after credential spraying, enabling remote access. Employees should be trained to identify and report unauthorized push notifications. Additionally, some methods of MFA, such as SMS text messages, have been previously exploited to gain access to the user’s second factor. The MFA implementation methods should be considered and evaluated against the organization’s risk tolerance.
  4. Unmanaged Device Access: Organizations often conduct limited validation checks to identify unmanaged devices, including attacker systems connecting to remote access solutions. Oftentimes, these ‘posture checks’ performed by VPN solutions may be bypassed through modifying VPN software responses or registry key settings. In addition to attacker systems connecting to the network, security teams should consider that users may be connecting from unauthorized systems. The COVID-19 situation has resulted in remote workers that may not have experience working remotely and may not have been provided company-issued laptops. If they were previously only provisioned a desktop, how are they now connecting to the network remotely? Are they utilizing unmanaged personal systems that leave the security team with limited visibility and controls?
  5. Split vs. Full Tunnel Visibility: To handle the increase in remote workers, organizations may be moving from a full tunnel VPN configuration to split tunneling. With a full tunnel, all traffic traverses the VPN, allowing web proxies to filter traffic and security teams to identify unauthorized activity. Split tunneling may reduce this visibility unless appropriate endpoint agents are installed to provide sufficient visibility and controls.
  6. Remote Access Denial of Service: With entire organizations moving to a remote access model, the impact of a denial of service on these remote access portals will significantly impact operations. For example, an attacker may be able to generate multiple failed password attempts on an account and lock the user out. If this attacker scripts this action across a significant number of users, they may be successful in causing a widespread account lockout.

Zero Trust Model Threats

The threats to VPN / Virtualized models should also be considered in a Zero Trust model, such as endpoint visibility / hardening, MFA bypass techniques, and denial of service. Additionally, in the Zero Trust model, as device trust is a component of authentication and authorization, organizations should also consider the following to maintain this level of trust:

  1. Device Trust Mechanisms: Device trust may be established by utilizing a certificate to validate the device is managed by the organization. Organizations should consider how this certificate is protected: if an attacker gains access to a user’s system, this certificate should not be able to be exported and reused by the attacker. Solutions should include limited user rights to export a certificate and placement within the Trusted Platform Module (TPM).
  2. Unmanaged Device Access: Unmanaged devices should be provided limited access to data and resources. A common example of this is Microsoft O365 Conditional Access Policies that restrict unmanaged devices from accessing files or email attachments. Validating that these restrictions are in place are critical for the implementation of a proper Zero Trust environment.

Remote Access Controls

In light of these threats, organizations must focus on creating a strong set of protections on the edge of their networks. In order to adapt to a remote and distributed workforce, organizations need to focus on protecting identities and applications regardless of whether they are in the corporate network or the cloud. By implementing the following recommendations, organizations can reduce the ability of unauthorized access in remote access solutions.

Authentication

  • Multifactor Authentication: Organizations must implement MFA on all external corporate resources to reduce the ability of network and application access through credential spraying, password stuffing and phishing attacks. Review all external corporate resources, including cloud services and their configurations. For example, an organization may implement MFA for users’ Microsoft Office 365 access, but still allow single-factor legacy authentication for Office 365 such as Exchange Web Services (EWS) or IMAP. Disaster Recovery (DR) and legacy VPNs must be considered in-scope when reviewing all network connectivity authentication, as these may maintain single-factor authentication settings.
  • Device Trust: Organizations should not stop at MFA. Implement a method to validate the device establishing connectivity is a known device managed by the employee. This can be accomplished by utilizing a system management platform that places identity certificates in the device’s TPM.

Endpoint Controls

  • Endpoint Visibility: Many organizations lose visibility into malicious activity targeting remote workers. Organizations should deploy a multi-layer endpoint agent on all employee endpoints. The endpoint agent should be able to detect, protect and respond to malicious activity.
  • Endpoint Hardening: Harden devices to reduce the ability for an attacker to gain access to systems and escalate privileges. Local administrator rights should be limited, and systems should be hardened to a common baseline standard such as CIS benchmarks.
  • Virtualized Applications / Desktop Hardening: Default configurations of virtualized interfaces may allow the ability to ‘break out’ of virtual sessions, allowing access to the underlying operating system. See our hardening standards for more information.

Cloud Controls

  • Cloud Visibility / Controls: Cloud services are an important resource for remote workers and can contain sensitive corporate data. Ensure that teams are receiving logs from cloud providers and regularly reviewing them for unauthorized access and data exfiltration. To limit unauthorized access, configurations should be assessed and controls reviewed on a regular basis.
  • Unauthorized Cloud Services: Create suitable corporate alternatives for personal cloud services. Employees may start using third-party solutions for note taking, file storage and document management. By implementing corporate alternatives, organizations can ensure that corporate data is protected and monitored by corporate security controls.

Users and Administrators

  • User Awareness Training: Provide security awareness training for remote workers. In addition to computing hygiene topics such as phishing and password guidance, train employees on physical security topics such using a privacy screen, limiting work on confidential material in public spaces and securing physical computing assets.
  • Environment Drift: As networks grow and change, security controls may weaken over time and legacy systems may be unmanaged. Avoid environmental drift by continually evaluating security controls through red and purple team exercises.
  • Secure Privileged Accounts: Privileged users, such as domain administrators, should maintain separate accounts and be prohibited from remote access using their privileged credentials. These privileged users should escalate access when necessary on a dedicated Privileged Access Workstation (PAWs) dedicated to these accounts.

Network Controls and Visibility

  • Virtual Desktop Connectivity: Restrict off-network communications from virtual desktops to limit exposure. If some external network access is required, maintain a whitelist inclusive of only necessary, approved resources.
  • Split Tunneling Visibility: Though shifting from full-tunnel to split-tunnel VPN may be necessary, it may restrict outbound endpoint visibility. Consider augmenting network visibility with a cloud proxy or similar solution. While that will not cover all the communication methods, it does cover popular ones. Be sure to review DNS logs for remote endpoints.
  • Source IP Visibility: Depending on the network topology, identifying the origination IP address for traffic may be hindered by load balancers, proxies, DNS configurations and DHCP pools. Ensure that any traffic originating from the VPN can be appropriately tied to source IP address, and assignment of IP addresses can be determined and appropriately correlated to user accounts.

Physical Controls

  • User Training: Users should be provided the necessary equipment and trained on privacy best practices, including privacy screens, device locks and endpoint hardening.
  • Device Encryption: Organizations should consider the potential for laptops to be lost or stolen. Ensuring that all employee computing resources have full disk encryption enabled will help protect corporate data in the event the resource goes missing. Be sure that full disk encryption controls have a solid strategy around key and password management. With the evolving workforce, are these new remote workers provided encrypted devices?

Shadow IT

  • Unapproved Access Methods: As remote access needs dramatically change, organizations will likely be faced with employees and third parties attempting to stand up services in an unapproved manner. Security teams should continue to monitor for unauthorized remote access methods through regular vulnerability scanning, proactively engaging business units and penetration testing.

The sudden shift to remote working for some organizations and the acceleration of a work-from-home culture introduces new risks. And while each organization needs to take their own unique circumstances into account, the aforementioned sample implementations and remote access considerations offer a step in the right direction to keeping operations both secured and productive.

Check out our webinar recording for more information.