Do the traditional techniques of protection still work in the age of work from home? Yes, but users need to use different rules and products. Traditional networks have been set up in the same fashion: a traditional Active Directory domain, a variety of domain controllers, workstations under the control of that domain, and all tucked behind a firewall.
Before the pandemic, roaming laptops and roaming users already gave us the headache of user profiles and group policies that had to target those who stayed inside the network differently from those who roamed outside our domains.
The pandemic hit and our workstations are now anywhere and everywhere. Instead of a somewhat nice and tidy domain tucked behind a series of firewalls and defences, the workstation is now connected to the same network as Alexa devices. The response is often to throw scanning engines and antivirus products at workstations, but all that does is delay boot-up times and logging into the network.
Having multiple scanning tools deployed is not the answer. We need to pivot to different methods of protection: rather than piling more protection resources onto the workstation, review what protections are available at the authentication level. As Microsoft pointed out in a recent blog post, CISOs are looking to focus on protection against ransomware because they see it as a clear risk to their networks.
Let’s start with one of the basics of the old-fashioned network: egress filtering. FireEye reports that the average dwell time for an attacker to stay in a network before they launch a ransomware attack is 72.75 days. Thus, businesses have two months to analyse network traffic to find an attacker lying in wait.
One of the first tools in the arsenal is to review the outbound traffic from the workstations and servers under your control. Determine whether older file-sharing protocols that let attackers roam freely in the network can be disabled, and review the traffic leaving sensitive servers with juicy databases.
Egress filtering is not a new technique, but it is often overlooked. For these sensitive systems, limit outbound connections to only the ports and protocols the network actually needs.
Set up firewall rule sets so that Remote Desktop Protocol (RDP) is only allowed to certain administrative workstations where possible. Ransomware attacks often start with a left-behind remote desktop opening and a harvested password. Scan the network for remote desktop openings before the attackers find them.
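The checks described above (egress from sensitive servers, legacy file-sharing protocols leaving the network, and RDP reaching servers from anything other than an administrative workstation) can be audited against flow records before firewall rules are tightened. The following is an added example, not code from the article; the addresses, the allow-list and the flow record format are constructed for illustration.

```python
"""Added example (not from the article): audit constructed outbound flow records
against an egress policy for sensitive servers and an RDP source allow-list."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed inventory (hypothetical addresses).
SENSITIVE_SERVERS = {"10.0.5.10": "db01", "10.0.5.11": "db02"}
ADMIN_WORKSTATIONS = {"10.0.9.5", "10.0.9.6"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# (destination, port) pairs the sensitive servers legitimately need: DNS, Kerberos, LDAP(S).
EGRESS_ALLOW = {("10.0.1.20", 53), ("10.0.1.21", 88), ("10.0.1.21", 389), ("10.0.1.21", 636)}
LEGACY_SHARING_PORTS = {137, 138, 139, 445}   # NetBIOS and SMB
RDP_PORT = 3389


def parse_flows(lines):
    """Parse 'src dst dport proto' whitespace-separated records (constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def audit(flows):
    """Return (rule, flow) findings:
    - sensitive-egress: a sensitive server talking to anything not in EGRESS_ALLOW
    - legacy-sharing-outbound: SMB/NetBIOS leaving the internal range
    - rdp-from-non-admin: RDP from a source that is not an admin workstation
    """
    findings = []
    for f in flows:
        if f.src in SENSITIVE_SERVERS and (f.dst, f.dport) not in EGRESS_ALLOW:
            findings.append(("sensitive-egress", f))
        if f.dport in LEGACY_SHARING_PORTS and ipaddress.ip_address(f.dst) not in INTERNAL:
            findings.append(("legacy-sharing-outbound", f))
        if f.dport == RDP_PORT and f.src not in ADMIN_WORKSTATIONS:
            findings.append(("rdp-from-non-admin", f))
    return findings


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = """
# src dst dport proto
10.0.5.10 10.0.1.21 389 tcp
10.0.5.10 203.0.113.7 443 tcp
10.0.7.33 198.51.100.9 445 tcp
10.0.9.5  10.0.5.10 3389 tcp
10.0.7.40 10.0.5.11 3389 tcp
10.0.7.40 10.0.1.20 53 udp
"""

RULES = ("sensitive-egress", "legacy-sharing-outbound", "rdp-from-non-admin")


def summarize(text=SAMPLE_FLOWS):
    """Group findings by rule as 'src->dst:port' strings."""
    findings = audit(parse_flows(text.splitlines()))
    return {rule: [f"{f.src}->{f.dst}:{f.dport}" for r, f in findings if r == rule]
            for rule in RULES}


if __name__ == "__main__":
    for rule, hits in summarize().items():
        print(rule, hits)
```

Each finding maps directly onto a firewall change: the sensitive-egress hit becomes a deny rule (or an allow-list addition if the destination turns out to be legitimate), the outbound SMB hit is a candidate for disabling the legacy protocol at the edge, and the RDP hit shows which source still needs to be moved onto an administrative workstation before RDP is restricted.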
Use government-provided security tools
Governments have also been stepping up with resources to help us protect against threats. The UK’s National Cyber Security Centre (NCSC) released a series of Nmap Scripting Engine scripts designed to help system owners and administrators find systems with vulnerabilities.
Use these along with the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) catalog to target protections accordingly. In my own network, phishing attempts can still wiggle into the network despite the tools I have enabled to block them. It is often one slightly paranoid person who doesn’t click on something that is the only barrier between my network and the attackers.
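"Target protections accordingly" in practice means joining what you run against what CISA says is being exploited. The following added example (not code from the article or from CISA) does that join over a constructed catalog excerpt; the field names follow the public KEV JSON feed as I know it, but the CVE identifiers, vendors, products and dates are placeholders, and the inventory is invented.

```python
"""Added example (not from the article): prioritise patching by joining a software
inventory against a constructed excerpt shaped like CISA's KEV JSON feed."""
import json
from datetime import date

# Constructed catalog excerpt. Field names follow the public KEV feed; the
# cveID values are placeholders, not real CVE identifiers.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2022-01-10", "dueDate": "2022-01-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2022-03-01", "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Mail Server",
         "dateAdded": "2022-02-15", "dueDate": "2022-03-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00004", "vendorProject": "OtherVendor", "product": "Desktop Agent",
         "dateAdded": "2022-02-20", "dueDate": "2022-03-13", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: (vendor, product, number of hosts, internet-facing?).
INVENTORY = [
    ("ExampleVendor", "Gateway", 2, True),
    ("OtherVendor", "Mail Server", 1, True),
    ("OtherVendor", "Desktop Agent", 400, False),
    ("ThirdVendor", "Unlisted App", 50, False),
]


def load_kev(text):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def prioritise(inventory, kev, today):
    """Join inventory to catalog by (vendor, product), case-insensitively, and order
    the matches: ransomware-used first, then internet-facing, then already overdue,
    then earliest CISA due date."""
    index = {}
    for v in kev:
        index.setdefault((v["vendorProject"].lower(), v["product"].lower()), []).append(v)
    rows = []
    for vendor, product, hosts, exposed in inventory:
        for v in index.get((vendor.lower(), product.lower()), []):
            due = date.fromisoformat(v["dueDate"])
            rows.append({
                "cve": v["cveID"], "product": f"{vendor} {product}", "hosts": hosts,
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "exposed": exposed, "overdue": due < today, "due": due.isoformat(),
            })
    rows.sort(key=lambda r: (not r["ransomware"], not r["exposed"], not r["overdue"], r["due"]))
    return rows


def prioritised_rows(today="2022-03-10"):
    """Convenience wrapper over the constructed data; 'today' is an ISO date string."""
    return prioritise(INVENTORY, load_kev(KEV_SAMPLE), date.fromisoformat(today))


def priority_order(today="2022-03-10"):
    return [r["cve"] for r in prioritised_rows(today)]


if __name__ == "__main__":
    for r in prioritised_rows():
        print(r)
```

Products that are not in the catalog drop out of the list entirely, which is the point: the KEV feed narrows a large backlog to the items that are known to be exploited, and the sort puts the ransomware-linked, internet-facing and already overdue entries at the top.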
Use cloud-based conditional access options
With more workstations moving to home or remote connections, limiting access to services via IP address alone may not be feasible. Cloud services offer technologies typically called conditional access.
With Azure, conditional access can add risk-based rules to authentication that vet usernames and logins for certain behaviours. If you know that users in one department will never log into a service from IP addresses outside a certain country, you can set conditional access rules that limit access accordingly.
Intune can apply these risk-based policies to access to network resources, and it can also control access to on-premises applications.
For example, Intune rules can set conditional access based on network access control or device risk, for Windows PCs (both corporate-owned and bring-your-own-device (BYOD) machines) and for Exchange on-premises. CISOs can design Intune for either hybrid Azure Active Directory join scenarios or Azure Active Directory cloud-first deployments, and they can also set rules that allow access for certain applications.
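To make the combination rules concrete (a department that only ever signs in from one country, plus risk- and device-based controls), here is an added example that models how such policies are evaluated together. It is not code from the article and not Microsoft's implementation; the policy semantics are a simplified model (any matching block policy wins, otherwise every matching grant control must be satisfied), and the IP-to-country map, group names and sign-in events are constructed.

```python
"""Added example (not from the article and not Microsoft's implementation): a
simplified model of how conditional access policies combine, evaluated over
constructed sign-in events."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    group: str
    ip: str
    device_compliant: bool
    risk: str                      # "low", "medium" or "high"


@dataclass
class Policy:
    name: str
    groups: set                    # targeted groups; {"*"} means every user
    from_outside: set = field(default_factory=set)  # trigger only when the country is NOT in this set
    min_risk: str = ""             # trigger only at this sign-in risk level or above
    grant: str = "mfa"             # "block", "mfa" or "compliant_device"


# Constructed IP-to-country map using documentation prefixes (hypothetical).
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), "UNKNOWN")


def applies(p, s):
    """A policy is in scope when every configured condition matches the sign-in."""
    if "*" not in p.groups and s.group not in p.groups:
        return False
    if p.from_outside and country_of(s.ip) in p.from_outside:
        return False
    if p.min_risk and RISK_RANK[s.risk] < RISK_RANK[p.min_risk]:
        return False
    return True


def evaluate(policies, s):
    """Combine matched policies: any block wins; otherwise every matched grant
    control must be satisfied. Returns (decision, deciding policy name)."""
    matched = [p for p in policies if applies(p, s)]
    for p in matched:
        if p.grant == "block":
            return "block", p.name
    for p in matched:
        if p.grant == "compliant_device" and not s.device_compliant:
            return "block", p.name
    for p in matched:
        if p.grant == "mfa":
            return "require_mfa", p.name
    return "allow", None


# Constructed policy set: the "finance only signs in from GB" rule from the
# text above, plus typical risk- and device-based rules.
POLICIES = [
    Policy("finance-gb-only", {"finance"}, from_outside={"GB"}, grant="block"),
    Policy("block-high-risk", {"*"}, min_risk="high", grant="block"),
    Policy("mfa-medium-risk", {"*"}, min_risk="medium", grant="mfa"),
    Policy("require-compliant-device", {"*"}, grant="compliant_device"),
]

# Constructed sign-in events.
SAMPLE_SIGNINS = [
    SignIn("alice", "finance", "198.51.100.10", True, "low"),
    SignIn("alice", "finance", "203.0.113.5", True, "low"),
    SignIn("bob", "sales", "203.0.113.5", True, "medium"),
    SignIn("carol", "sales", "192.0.2.9", False, "low"),
    SignIn("dave", "sales", "198.51.100.4", True, "high"),
]


def run_sample():
    return [(s.user, s.ip) + evaluate(POLICIES, s) for s in SAMPLE_SIGNINS]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Note the ordering in evaluate: the same sign-in can match several policies, and a block from any one of them overrides an allow or an MFA prompt from the others, so a geography rule for one department does not weaken the tenant-wide device and risk rules.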
It’s no longer just Windows desktops on our networks. Now we must secure Apple devices such as iPhones and iPads connected to our networks. Microsoft is adding device management features to control other operating systems.
Another argument for conditional access rules is that attackers now steal credentials in non-traditional ways. One method is to inject malicious software into applications that are then inserted into other networks, also known as a software supply chain attack; it targets credentials rather than specific devices.
CrowdStrike detailed an attack sequence that uses credential hopping to obscure lateral movement, Office 365 service principal and application hijacking, impersonation and manipulation, stealing browser cookies to bypass multi-factor authentication, using the TrailBlazer implant and the Linux variant of GoldMax malware on systems, and finally credential theft using Get-ADReplAccount. CrowdStrike found that an account had authenticated into a Microsoft 365 account from a server rather than from the expected workstation.
This is how CrowdStrike explained the credential hopping process:
Gain access to the victim’s network by logging into a public-facing system via Secure Shell (SSH) using a local account <user sftp> acquired during previous credential theft activities.
Use port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server (Server 1) using a domain service account.
From Server 1, establish another RDP session to a different internal server (Server 2) using a domain administrator’s account.
Log in to O365 as a user with privileged access to cloud resources.
To counter these sorts of credential attacks, use conditional access rules to alert on unusual access activity into cloud resources.
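The sequence CrowdStrike describes has two observable features a defender can look for: a cloud sign-in whose source address belongs to a server rather than a workstation, and a short chain of logons where each hop originates from the previous hop's host and uses a more privileged account. The following added example (not code from the article or from CrowdStrike) implements both checks over constructed log lines; the hosts, addresses, account names, privilege tiers and log format are all invented for illustration.

```python
"""Added example (not from the article or CrowdStrike): detection logic for the
credential-hopping pattern described above, run over constructed log lines."""
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hosts and addresses).
HOST_IP = {"edge01": "10.0.0.5", "srv01": "10.0.0.11", "srv02": "10.0.0.12",
           "ws-42": "10.0.9.40"}
ROLE = {"edge01": "public-facing", "srv01": "server", "srv02": "server",
        "ws-42": "workstation"}
HOST_BY_IP = {ip: host for host, ip in HOST_IP.items()}
# Constructed privilege tiers: local account < service account < domain admin
# < privileged cloud user. A real deployment would derive these from directory groups.
TIER = {"sftp": 0, "svc_backup": 1, "da_admin": 2, "cfo@corp.example": 3,
        "jsmith": 1, "jsmith@corp.example": 1}

# Constructed log format: "<timestamp> <host> <event> <account> <source-ip>".
# The first two lines are benign workstation activity; the rest mirror the
# SSH -> RDP -> RDP -> cloud sign-in sequence quoted above.
SAMPLE_LOG = """
2022-03-01T08:00:00 ws-42  rdp_login    jsmith              10.0.9.5
2022-03-01T08:30:00 m365   cloud_signin jsmith@corp.example 10.0.9.40
2022-03-01T09:00:00 edge01 ssh_login    sftp                198.51.100.77
2022-03-01T09:04:00 srv01  rdp_login    svc_backup          10.0.0.5
2022-03-01T09:10:00 srv02  rdp_login    da_admin            10.0.0.11
2022-03-01T09:15:00 m365   cloud_signin cfo@corp.example    10.0.0.12
"""


def parse(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, host, event, account, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "account": account, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def cloud_signins_from_servers(events):
    """Cloud sign-ins whose source address belongs to a server, not a workstation."""
    return [f'{e["account"]} from {HOST_BY_IP[e["src"]]}' for e in events
            if e["event"] == "cloud_signin"
            and ROLE.get(HOST_BY_IP.get(e["src"], ""), "") in ("server", "public-facing")]


def extend(chain, events, window):
    """Depth-first: follow logons that originate from the previous hop's host,
    within the window, using a higher-tier account than the previous hop."""
    last = chain[-1]
    nxt = [e for e in events
           if last["ts"] < e["ts"] <= last["ts"] + window
           and HOST_BY_IP.get(e["src"]) == last["host"]
           and TIER.get(e["account"], 0) > TIER.get(last["account"], 0)]
    if not nxt:
        return [chain]
    out = []
    for e in nxt:
        out.extend(extend(chain + [e], events, window))
    return out


def hopping_chains(events, window=timedelta(hours=1), min_hops=3):
    """Chains that start with an SSH logon to a public-facing host and escalate
    across at least min_hops hosts."""
    chains = []
    for e in events:
        if e["event"] == "ssh_login" and ROLE.get(e["host"]) == "public-facing":
            for chain in extend([e], events, window):
                if len(chain) >= min_hops:
                    chains.append([f'{h["host"]}:{h["account"]}' for h in chain])
    return chains


def report(text=SAMPLE_LOG):
    events = parse(text)
    return {"cloud_signins_from_servers": cloud_signins_from_servers(events),
            "hopping_chains": hopping_chains(events)}


if __name__ == "__main__":
    print(report())
```

The first check is the cheap one and maps directly onto a conditional access rule: sign-ins to the tenant from addresses that are not workstations are either blocked or at least alerted on. The second needs correlation across hosts, so it belongs in the SIEM, where the window and the privilege tiers can be tuned to the environment.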
Review options and use different techniques to protect users and credentials in addition to devices and workstations.