Compromised Devices Await Office Return to Strike

When organizations start transitioning back to the office from the current pandemic-wrought remote work environment, there will likely be some relief for seemingly having made it through lockdown successfully.

However, with threat activity reaching record levels in this period, there is every chance employees return to the office and bring malicious programs and code that's waiting to reconnect to the IT network. These include ransomware, widely feared for its capacity to take down systems, cripple business operations, and extort substantial payouts.

Today's attackers are in this for the long game. Organizations that think they have come through the worst may now find their challenges are just beginning. Security teams must act fast to uncover and flush out dormant, in-network threats before their attackers connect to the enterprise network and initiate a wide-spread attack.

Coming home to roost

The need for continued business operations after countries went into lockdown at the start of the pandemic saw staff taking their connected work devices home. IT security teams focused on helping employees transition to remote work successfully, doing what they could to protect the organization with minimal disruption.

However, once connected to less secure home environments, there's often no reliable way to tell if malware infects employee systems. During the pandemic, attackers have tried everything to compromise these at-home systems.

The standard home defenses of anti-virus software and virtual private networks (VPNs) are no match for the latest signature-less, file-less, or other advanced attacks. The aim is to exploit vulnerabilities or establish backdoors in preparation for a more extensive attack later on.

Even in "normal" working conditions, dwell time – the time it takes to discover an attacker – is averaging over 200 days. In the "new reality" era, following so many opportunities for security compromise, attackers may wait months or even years for the right moment to access the data and maximize the payout or ransom demand. Supply chain attacks, which exploit weaknesses in the supplier's network, are another factor to consider.

Cybersecurity priorities post-lockdown

Research conducted during the height of the pandemic in conjunction with SINC and MIT Sloan found that security decision-makers expect that a changed security landscape awaits workers returning to the office.

CISOs’ concerns over ransomware's capacity to disrupt services or to infiltrate the organization with stolen credentials have grown. Concerns around protecting cloud architectures also increased following greater adoption of cloud services to maintain and expand services during the pandemic.

Remote working has also put an increased focus on identity access management, credential theft, and privilege escalation. With this shift comes an increased interest and focus on protecting Active Directory - used by virtually all businesses to authorize and grant employee access to services.

As such, defenders are elevating their detection game. The research indicates that the top three tools for uncovering lateral movement, APTs, ransomware, and insider threats were EPP/EDR, Intrusion Detection/Prevention Systems (IDS/IPS), and deception technology.

Mind the security gaps

Most organizations have some form of endpoint protection in place, which is sufficient for attacks with known signatures, but relatively easy to bypass with slightly modified malware, file-less malware, or zero-day exploits.

One can stop malware passing from employee machines onto the corporate network but only by proactively monitoring every device. Properly doing this ties up much time and resources and is simply not feasible for most organizations, especially given the amount of generated false positives. While Endpoint Detection and Response (EDR) tools can track behavioral anomalies, there are still gaps. EDR does not, for example, protect against credential theft, exploitation of Active Directory (AD), or early detection lateral movement.

Closing the gap requires organizations to detect in-network threats and credential theft, discovery, lateral movement, and data collection activities accurately, and where technologies such as deception and data concealment - or a combination of both - can help. Their function is to hide real assets such as Active Directory objects, files, folders, or mapped network and cloud shares from an attacker's view.

They also send misinformation to the attackers, fooling them into a decoy environment. Security teams can also place deceptive lures and decoys throughout their networks, creating virtual landmines for their adversaries. From the moment attackers interact with the deceptive assets, it records their every move, helping security teams defend against the attack and repel threat actors using the same tactics, techniques, and procedures in the future.

As staff return to the office, it will be critical to have a robust, layered cyber defense, so that if attackers get through one, there will be a safety net to stop them. Deception technology, and its sibling, concealment, act as the last lines of defense capable of detecting suspicious activity inside the network and denying an attacker's ability to see or access critical data.

What’s Hot on Infosecurity Magazine?