Incident Response for the Work-from-home Workforce

Incident Response to Remote
Employees and Workforces
4/16/2020
Webinar

Infocyte - IR for Work from Home Workforce
Validating integrity via live forensic analysis of a set of hosts
Overview
Situation:
• COVID-19 has forced many businesses to Work-from-home (WFH)
before they were ready
• Attackers are taking advantage of this
Today’s Discussion:
1. Remote Workers & IT Architectures
2. Prioritizing Attack Vectors
3. Detection & Response for the WFH workforce
4. Incident Response Process
5. Recommendations

Remote Workers &
IT Architectures

Legacy Architecture - The “M&M Defense”
Situation:
• Most enterprise networks are defended by
the M&M model of defense:
– Hard Candy Shell, Soft gooey center
Traditional Managed Network Defenses
Include:
• Perimeter defenses (IDS, IPS, Firewall)
• SD-WAN / MPLS / VPN
• Network monitoring centrally managed
controls (Active Directory)

Cloud-Model Architectures & Zero Trust
Security Foundations:
• The perimeter is the foundation in a legacy
network
• Identity is the foundation in a zero-trust or
cloud-model architecture
Cloud-model architecture defenses
include:
• Cloud-based identity (w/ SSO & MFA)
• Endpoint Security
Google’s “Beyond Corp” Zero-Trust model (2014)
begins with this assumption:
Connecting from a particular network must not
determine which services and data you can access
Learn More about Zero Trust:
https://www.beyondcorp.com/

What Really Matters
With employees working from home, you don’t control the network or the
perimeter...
What Really Matters for WFH personnel security:
1. Verifying WHO is accessing corporate resources (Identity/Authentication)
2. Ensuring the device they connect from is secure/clean (Endpoint Security)
A natural fit for Zero-Trust / Cloud-Model Principles

Where are you on digital transformation?
Does WFH increase risk to the enterprise?
It Depends
• Companies that rely on traditional network defenses find it difficult to
transition to WFH workforce, increasing risks massively.
• Organizations that already had wide cloud adoption find it much easier.
WFH Workers
Corporate owned devices or BYOD?
Managed or Unmanaged?

Exploiting COVID-19
Attackers have all converged on the
current situation
• 98% of phishing emails are
Coronavirus/COVID-19 themed.
Source: https://www.fireeye.com/blog/threat-research/2020/04/limited-shifts-in-cyber-threat-landscape-driven-by-covid-19.html

Top Threats to Consider
Source: https://enterprise.verizon.com/resources/reports/dbir/2019/results-and-analysis/
Home Office or Not:
• All of these threats still
exist with home workers
and corporate networks,
regardless of architecture.
Vuln Scanning?
• The threat rankings are
pretty clear where our
focus needs to be.

Top Three Attacks to Consider
Weak Auth Trojans/Phishing Lost/Stolen Data
Cloud and VPN services attacked
directly with stolen passwords or
brute forcing weak ones
Invest in SSO/MFA-enabled
cloud identity
WFH devices infected with malware
Enables session hijacking to
compromised corporate network or
cloud resources
Invest in Endpoint Security
for home devices
Devices will be lost/stolen
or damaged
Store data in the cloud.
Invest in remote device
wipe software

Remote Worker
Detection & Response

Endpoint Monitoring
All devices require Endpoint Security Monitoring:
• Upgrade: Consumer Antivirus won’t protect against corporate threats
• Licensing: Modern endpoint vendors may have home device licenses or, like Infocyte,
don’t have a restrictions on BYOD / Home networks.
Security Monitoring / MDR:
• Select a cloud-native endpoint monitoring solution (i.e. Infocyte RTS)
• Manage alerts in a cloud console or send to cloud-based MDR provider
Protection (Antivirus/EPP) +
Endpoint Monitoring (EDR/MDR platform)

Agents
Infocyte Cloud
Cloud
Architecture
RTS
Console
customer1.Infocyte.com
Controller Endpoints
/ Servers Endpoints
Agentless
Threat Intel & Analytics
User
Cloud (AWS)
Plugin
API & UI
Agents communicate directly with
cloud service
Cloud infrastructure/workload
monitoring via IaaS API
Controllers can discover internal endpoints,
then scan or deploy agents within a
managed network
Threat & Incident Response Platform

Forensic Collector
Host
Capabilities
Extensions
Memory
On-Demand / PeriodicPeriodic / Triggered
Artifacts
Applications
Autostarts
Accounts
Custom Collections
Response Actions
Remediation
Extension
Subsystem
Detection
Compliance
Hardening
Analytics
Intel
ReportingCloud Console Threat & Incident Response Platform
Host/Server
Real-Time Agent
Process
Monitor
Logs
Continuous
RT Agent monitors endpoint process
activity in real-time.
Forensic Collector inspects memory
and collects key forensic artifacts.
Primary data collector for agentless
and offline scans.
Extensions are scripts or modules
that perform custom collection or
action.
Isolation
Active Agent

Identity Security
Extending Active Directory
- Azure AD
- SAML
Select a cloud-based identity provider
- Okta, OneLogon, etc.
- Should provide Multi-Factor Authentication (MFA)
- Consider Hardware Security Keys (i.e. Ubikeys)
- Consider feeding auth activity into a central monitoring solution (i.e.SIEM)

Monitoring Cloud Services
3rd Party Cloud Services
• Get to know your cloud services’ logging and security features:
– i.e. Microsoft 365 security center https://security.microsoft.com
– Identity should tied to a cloud SSO identity provider
– Heads up: Every service is unique…
Your internal services:
• Use a cloud-based identity provider: Azure AD, Okta, OneLogin, etc.
• Ensure services are tied to your corporate identity provider (i.e. SAML)
• Consider implementing centralized security feeds (activity logs)

Legacy Service Access
Legacy on-prem apps are generally accessed via:
• VPN
• Remote Desktop Services (RDP/RDS)
Secure your VPN & RD Gateways:
• Remote Desktop is the #1 attacked service by ransomware attackers in 2019.
All Ransomware families have capabilities to exploit it.
• By default, RD Gateways are not secure: https://turbofuture.com/computers/How-To-Setup-a-Remote-
Desktop-Gateway-Windows-Server-2016

2019 – Incident Response Readiness
Detection: Typically detect malicious activity via endpoint monitoring, external
reports, or support tickets.
Triage Determine scope of breach, gather evidence/information.
Contain Ensure it can’t spread or access corporate info
Recover Business continuity - ensure business can continue
Investigate Analyze evidence and determine root cause
Learn Implement new controls based on lessons learned
Incident Response Steps

Getting Device Access
Ideal:
• Cloud-native endpoint
security solution (EDR)
should grant access directly
to devices
Workarounds:
• Install a temporary agent on the
affected device, or
• Perform an offline/manual scan
using Infocyte’s Collector
(“survey”).

Got on-prem problems?
Putting an on-prem
security tools in the cloud
for WFH devices?
• Does it handle
overlapping IPs?
• Cross Platform for
BYOD?
• Secure?

Getting BYOD Device Access
Remember to get Consent:
• Corporate BYOD policies should have a consent to monitoring, if not, get it in writing
from the device owner
• Talk to your legal counsel about this
Things to collect:
• Executables, OS and application logs, identified malware, scripts
Things to avoid (scan them with an automated tool, but don’t collect):
• Pictures, personal data, browsing history
Be careful with Browsing History… Use a licensed forensics professional if you are interested
in collecting this type of data.

My Advice:
• Take the compromised device and issue/purchase a new
one.
• Don’t rely on at-home devices to store data, they should be
treated like dumb replaceable terminals.
• Assume the user reuses passwords: Know how to rapidly
lock out a user from cloud services
Resolutions

Securing Publicly Available Services
Every IP on the internet is being bombarded by malicious requests...
Required Security Features for globally accessible services:
• Signed SSL Certificates for Authentication (Verifies service identity/authenticity)
• Transport Encryption (i.e. HTTPS/TLS)
• Multi-Factor Authentication (i.e. Auth0, WSO2)
• Brute Force Mitigation (IP auto-block on multiple failed auth or malformed requests)
Optional (based on your threat model):
• DDoS protection (i.e. Cloudflare, Akamai, etc.)
IP whitelist the service or restrict to VPN if you can’t enable these features

VPNs are becoming obsolete.
• Cloud-model architectures don’t need them
• VPNs give unnecessary full-network access
• They are often inconvenient, expensive, and
difficult to maintain
VPNs are a Crutch, Not a Solution
Corporate VPNs Role:
• VPNs are mainly designed to extend the
perimeter in legacy network architectures
• VPNs provide remote authentication /
access to on-prem non-cloud resources
Read More On This:
https://www.akamai.com/us/en/multimedia/documents/white-
paper/the-4-benefits-of-vpn-elimination.pdf

QUESTIONS
Chris Gerritz
Co-Founder, Infocyte
cgerritz@Infocyte.com
Twitter: @gerritzc
@InfocyteInc
The Weapon of Choice for Incident Responders
www.infocyte.com

Incident Response for the Work-from-home Workforce

More Related Content

What's hot

Similar to Incident Response for the Work-from-home Workforce

Recently uploaded

Incident Response for the Work-from-home Workforce