3 levels of protection for remote users and devices

Are traditional security methods still effective in the era of remote work? Yes, but you need different rules and products. Traditional networks were all built the same way: an on-premises Active Directory domain, several domain controllers, workstations joined to that domain, and all of it sitting behind a firewall.

Before the pandemic, roaming laptops were the exception, and their users gave us headaches because profiles and group policies were designed for machines that stayed online, not for those that moved in and out of our domains. Then the pandemic hit, and now workstations are everywhere. Instead of a tidy domain hidden behind layers of firewalls and security controls, the workstation now sits on the same home network as an Alexa device. In response, workstations are often loaded with multiple scanning engines and antivirus products, but all that does is slow boot and login times.

Deploying more scanning tools is not the answer. You need to look at different methods of protection: rather than piling security agents onto the workstation, check what protections you have at the authentication level. As Microsoft noted in a recent blog post, CISOs want to focus on defending against ransomware because they see it as a clear risk to their networks, CSO reports.

Egress filtering

Let's start with one of the basics of the old network: filtering outbound traffic. FireEye reports that the average time an attacker dwells on a network before launching a ransomware attack is just over 72 days. That gives you more than two months to analyze network traffic and find the hidden intruder.

One of the first tools in your arsenal is to review outbound traffic from the workstations and servers you control. Determine whether you can disable the legacy file sharing protocols that let attackers move freely around your network. Review traffic leaving sensitive servers, especially those hosting valuable databases.

Egress filtering is not a new technique, but it is often neglected. For these sensitive systems, limit outbound traffic to only the ports and protocols the server's role requires. Where possible, configure firewall rule sets so that Remote Desktop Protocol (RDP) is allowed only from specific administrative workstations. Ransomware attacks often start with an exposed remote desktop and a harvested password. Scan your network for exposed RDP listeners before attackers discover them.
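The following is an added example, not code from the original article, showing what the preceding steps look like on a single sensitive Windows server using the built-in Windows Defender Firewall cmdlets: default-deny outbound with explicit allows, legacy SMBv1 disabled (my reading of "legacy file sharing protocols"), inbound RDP restricted to admin jump hosts, and a quick scan of a subnet for exposed RDP listeners. All IP addresses, subnets and the host-name prefix are assumptions for illustration; run it in an elevated PowerShell session and adjust the allow list to the server's actual role.

```powershell
# Added example (not from the article). Assumed addresses for illustration only.
$DnsServers     = @('10.0.0.10', '10.0.0.11')   # assumed internal DNS servers
$DomainSubnet   = '10.0.0.0/24'                 # assumed subnet holding the DCs
$AdminJumpHosts = @('10.0.50.5', '10.0.50.6')   # assumed administrative workstations

# 1. Default-deny outbound on every profile; only explicit allow rules pass.
#    Established inbound sessions (e.g. your own RDP session) are stateful and unaffected.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only what the server's role needs: DNS, Kerberos/LDAP/SMB to the
#    domain subnet, and HTTPS for updates. Everything else, including SMB to
#    arbitrary hosts, is dropped by the default-deny above.
New-NetFirewallRule -DisplayName 'Egress: DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
New-NetFirewallRule -DisplayName 'Egress: AD Kerberos/LDAP/SMB to DCs' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 88,389,636,445 -RemoteAddress $DomainSubnet
New-NetFirewallRule -DisplayName 'Egress: HTTPS updates' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 443

# 3. Turn off the legacy SMBv1 server-side protocol (assumption: this is the
#    "legacy file sharing protocol" the text refers to).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Inbound RDP only from the admin jump hosts. Disable the built-in
#    "Remote Desktop" rule group first so it does not reopen 3389 to everyone.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from admin jump hosts only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminJumpHosts

# 5. Find RDP listeners on a /24 before an attacker does. A raw TcpClient with a
#    short timeout is much faster than Test-NetConnection per host.
function Find-ExposedRdp {
    param([string]$Prefix = '10.0.1', [int]$TimeoutMs = 500)   # assumed subnet prefix
    foreach ($i in 1..254) {
        $ip = "$Prefix.$i"
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($ip, 3389, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { $ip }
        $client.Close()
    }
}

# Usage: list every host on the assumed subnet that answers on TCP/3389.
Find-ExposedRdp -Prefix '10.0.1'
```

The block rule order matters less than it looks: with the profile set to block outbound by default, anything without an allow rule is dropped, so there is no need for a separate "block SMB to the internet" rule that would also override the allow to the domain subnet. Cross-check the output of step 5 against your inventory of administrative jump hosts; any other address answering on 3389 is a finding.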

Use government security tools

Governments are also ramping up resources to help us defend against threats. The UK National Cyber Security Centre (NCSC) has released a series of Nmap Scripting Engine (NSE) scripts designed to help owners and administrators find vulnerable systems. Use these alongside the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog to prioritize your remediation. On your own network, phishing attempts can still get through even with blocking tools enabled. Often the only barrier between the network and an intruder is one slightly paranoid person who doesn't click on anything.

Use cloud-based conditional access options

As more workstations move to home or remote connections, restricting access to services by IP address alone may no longer be possible. Cloud services offer a technology commonly referred to as conditional access. In Azure, conditional access can add risk-based authentication rules that evaluate each sign-in for specific behavior. If you know that users in one department will never sign in to a service from IP addresses outside a particular country, you can set a conditional access rule to enforce that restriction.

You can use Intune to configure these risk-based policies for access to network resources, and also to control access to on-premises applications. For example, Intune rules can set conditional access based on network access control or device risk for Windows PCs, both corporate-owned and bring-your-own-device (BYOD) machines, as well as for on-premises Exchange. Intune works in either hybrid Azure Active Directory join scenarios or pure Azure Active Directory cloud deployments. You can also set rules that allow access only for specific apps.

Our networks are no longer just Windows desktops. We now need to protect Apple devices such as iPhones and iPads connected to our networks, and Microsoft is adding device management features for other operating systems.

Another argument for conditional access rules: attackers steal credentials in non-traditional ways. One method injects malicious code into applications that are then deployed into other organizations' networks, known as a software supply chain attack. It targets credentials rather than specific devices.

CrowdStrike described in detail an attack sequence that used credential hopping to hide lateral movement, Office 365 service principal and application hijacking, impersonation and manipulation, theft of browser cookies to bypass multi-factor authentication, the TrailBlazer implant and the Linux variant of the GoldMax malware on compromised systems, and finally credential theft using Get-ADReplAccount. CrowdStrike found that the account had authenticated to Microsoft 365 from a server, not from the workstation it was expected to use.

To counter these attacks on credentials, use conditional access rules to alert on unusual access to your cloud resources.
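As an added example (not code from the article or from CrowdStrike), the script below applies the two checks discussed above to sign-in records: a department that should only sign in from certain countries, and a user account authenticating to Microsoft 365 from a server rather than from a workstation, which is the tell CrowdStrike found. In production the records would come from the Azure AD sign-in logs (for instance via the Microsoft Graph PowerShell cmdlet Get-MgAuditLogSignIn); here they are constructed inline so the script runs offline. The department-to-country map and the host-name prefix that marks a server are assumptions.

```powershell
# Added example (not from the article). Policy assumptions for illustration:
$AllowedCountries = @{ 'Finance' = @('US'); 'Engineering' = @('US', 'CA') }
$ServerPrefix     = 'SRV-'   # assumed naming convention: server host names start with SRV-

# Constructed sample sign-in records, not real log data. Real records would be
# pulled from the Azure AD sign-in log (e.g. Get-MgAuditLogSignIn) and mapped
# onto these same five fields.
$SignIns = @(
    [pscustomobject]@{ User='alice'; Department='Finance';     Country='US'; Device='WS-0042';    App='Office 365 Exchange Online' }
    [pscustomobject]@{ User='alice'; Department='Finance';     Country='RU'; Device='WS-0042';    App='Office 365 Exchange Online' }
    [pscustomobject]@{ User='bob';   Department='Engineering'; Country='CA'; Device='WS-0107';    App='Azure Portal' }
    [pscustomobject]@{ User='carol'; Department='Engineering'; Country='US'; Device='SRV-FILE01'; App='Office 365 Exchange Online' }
)

function Find-SuspiciousSignIns {
    param([object[]]$Records)
    foreach ($r in $Records) {
        $reasons = @()

        # Check 1: geographic restriction per department, the same condition a
        # conditional access named-location rule would enforce at sign-in time.
        $allowed = $AllowedCountries[$r.Department]
        if ($allowed -and ($r.Country -notin $allowed)) {
            $reasons += "sign-in from $($r.Country); $($r.Department) is limited to $($allowed -join ',')"
        }

        # Check 2: a user account reaching Microsoft 365 from a server rather
        # than from a workstation, the anomaly CrowdStrike reported.
        if ($r.Device.StartsWith($ServerPrefix) -and $r.App -like 'Office 365*') {
            $reasons += "Microsoft 365 sign-in from server $($r.Device) rather than a workstation"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $r.User; Device = $r.Device; Country = $r.Country; Reasons = ($reasons -join '; ') }
        }
    }
}

# Usage: on the constructed data this flags alice's RU sign-in and carol's
# sign-in from SRV-FILE01; bob's Canadian sign-in is within policy.
Find-SuspiciousSignIns -Records $SignIns | Format-Table -AutoSize
```

The point of running this as a report rather than only as a blocking policy is that it surfaces the cases a policy would have silently denied, and it catches the server-origin pattern even for countries the policy allows. Once the output is clean for a few weeks, the same two conditions can be promoted to conditional access rules that block rather than merely alert.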

Review your options and use multiple methods to protect users and credentials, not just devices and workstations.

Author: Susan Bradley