Security in Sweatpants: Embracing Remote Workers via Zero Trust
March 16, 2021Tim Parisi - Ashley Kalina - Joel Mehler From The Front Lines
The “Great Pivot” of 2020, when the global pandemic forced many organizations to allow employees work from anywhere, accelerated both the adoption of cloud technology and support for hybrid working environments, and CrowdStrike continues to see more organizations shifting their cybersecurity models from on-premises to cloud-centric solutions. In the work-from anywhere world, identity management and workload security — on endpoints, cloud workloads and mobile devices — are crucially important. Because there are multiple ways to architect secure remote employee access to a cloud resource environment, having a consistent framework for Zero Trust is key to managing all resources and credentials securely.
Networks Turned Inside Out
The pivot to a work-from-anywhere model occurred under extreme time and operational pressures. Organizational perimeters suddenly and dramatically changed as employees began accessing network resources from new locations and sometimes with new personal devices. RDP and VPN usage both shot up as workers attempted to maintain productivity from new and often insecure home environments.
Despite the best efforts of security teams, attackers have consistently taken advantage of security gaps or unintentional configuration errors, even discovering new protocol attacks. In 2020, CrowdStrike Services responded to multiple cases where this remote transition resulted in unauthorized remote access to internal systems (read our CrowdStrike Cyber Front Lines report for details). In some of these cases, companies adjusted configurations to allow expanded use of VPN and RDP, but did not simultaneously restrict activity to approved internal IP addresses or require multifactor authentication.
Targets New and Old
The work-from-anywhere model has expanded the ways attackers exploit individual users and their credentials to infiltrate organizations. CrowdStrike continues to see attackers using remote access credentials to gain such access or launch Pass-the-Hash or Golden Ticket attacks for lateral movement. Simultaneously, the pivot to remote work highlights the difficulty security teams face administering and patching systems when users are not required to connect to the domain with a VPN.
This doesn’t preclude using old tactics — attackers continue to exploit vulnerabilities against network resources and authentication protocols as well as workloads and cloud environments. Organizations lacking robust system configuration controls still face challenges in patching, updating and maintaining devices and workload security as well as managing credential controls. CrowdStrike has worked with organizations where attacks stemmed from initial access gained through vulnerabilities in publicly exposed systems and applications.
Security After the Great Pivot
In this work-from-anywhere landscape, adhering to the fundamentals of cybersecurity remain crucial. Organizations that migrate to cloud-centric architectures must focus more on implementing identity- and device-based access controls for a Zero Trust security approach.
- Survey your battlefield. Visibility and speed are critical for blocking attackers with the capability and intent to steal data and disrupt operations. As organizations support work-from-anywhere operations, security teams must establish consistent visibility into on-premises and cloud environments — including service and programmatic accounts — and proactively address potential vulnerabilities before attackers can leverage them.
- Security teams should reinforce their understanding of externally facing devices by performing routine vulnerability and asset management scans.
- Security teams should be able to readily discover cloud assets, detect misconfigurations and quickly perform remediation in their cloud environments.
- Local and cloud-hosted applications should be consistently patched, and business-critical applications should be carefully monitored and maintained.
- Security teams should be able to see all credentials — both on-premises and cloud — within one location, and monitor any changes in risk.
- All perimeter devices — including network DMZs, jump servers, and web and email servers — should be treated as high-risk systems and subjected to security reviews equivalent to critical systems on the network. A review of which systems are logging is prudent.
- Security and infrastructure teams should ensure that externally facing systems are hardened by closing unnecessary ports and network services, applying strict firewall policies and properly segmenting networks.
- Risk-informed access and identity controls must be enforced to contain lateral movement, especially for RDP to the Domain Controller.
- Service accounts should be locked down to only access specific sources and destinations.
- Access control policies should be applied both at the device and credential levels, and security teams should monitor for unauthorized attempts to access networks, such as through brute-force vulnerability exploitation or similar techniques.
- Establish Zero Trust controls for critical systems and data. CrowdStrike continues to observe identity-based attacks that use compromised or weak credentials to evade detection and access “crown jewels” and critical systems. A Zero Trust approach continuously evaluates access requests and enforces risk-based challenges as anomalies occur. Focusing on the fundamentals of Zero Trust and closing the biggest gaps in your environment with Zero Trust principles have the most immediate impact and can be achieved in a short amount of time, and Zero Trust principles of “never trust, always check” have an immediate impact to reduce lateral movement. Organizations can achieve quick time-to-value by focusing on privileged or over-privileged accounts, building a baseline of behavior, and putting in prevention or conditional access for high-risk authentication scenarios (e.g., RDP access to Domain Controller or service account RDP). Zero Trust can include extending multifactor authentication for all systems that hold sensitive data or support key operations, enforcing least-privilege access on sensitive systems, and reducing the size of network zones through micro-segmentation. Zero Trust security involves real-time monitoring, both of potential misuse of sensitive credentials and of suspicious system or attack patterns.
- Control access and data within cloud environments. Organizations using cloud or hybrid environments should control and monitor access to them through a cloud access security broker (CASB). Regardless of network architecture, organizations should provide their security teams with tools to monitor both user access patterns and the movement of sensitive data. Ultimately, organizations should reevaluate all default access controls, removing trusted sources and requiring all connections to be authenticated, authorized and encrypted.
- Test your operations with tailored exercises. Even if moving to a work-from-anywhere model has been relatively smooth, the pivot has likely introduced subtle but significant changes to baseline security posture and response processes. For many organizations, long-held assumptions about security processes and workflows may no longer be true. CrowdStrike has seen organizations benefit from remotely hosted red team/blue team exercises that highlight new operational challenges and opportunities for SOC teams to answer red team attacks. Remote tabletop exercises provide technical and management teams with crucial opportunities to rehearse incident response activities while all participants are limited to virtual interactions.
The lessons learned through these proactive engagements pay significant dividends in keeping incident response and management teams alert to evolving threats, nimble in their response, and savvy regarding how organizational processes should evolve to meet current needs.
- Download the report: CrowdStrike Services Cyber Front Lines Report: Observations From the Front Lines of Incident Response and Proactive Services in 2020 and Insights That Matter for 2021.
- Watch the on-demand webcast: CrowdStrike Services Cyber Front Lines Report.
- Find out how CrowdStrike Services can help your organization answer its most important security questions: Visit the CrowdStrike Services webpage.
- Learn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.
- Visit the CrowdStrike Resource Center for Securing Your Remote Workforce.
- Test CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.