Organizations have noted the widened gaps in IT visibility since remote work became the norm – now it’s time to react. Read on this article to learn how unified endpoint security (UES)/unified endpoint management (UEM) can help detect and prevent these pandemic-related threats.
Exploiting the New Distributed Workforce Economy
This article demystifies the new attack surface created by an organization’s entire workforce working from home and how unified endpoint security (UES)/unified endpoint management (UEM) solutions detect and prevent these threats.
Table of contents
Key Takeaways – The Most Important Facts
Introduction
The Math Behind Work From Home
The number of remote workers is increasing
The Threats Behind Work From Home
Endpoint
Network
Conclusion
Key Takeaways – The Most Important Facts
The numbers in the remote workforce have been increasing exponentially since 2018 and will only grow after the states reopen from the COVID-19 lockdowns. According to telecommuting statistics published in 2018 by Global Workforce Analytics, remote workers in the U.S. made up 3.2% of the entire workforce. By the end of the COVID-19 pandemic, it is estimated that the number of workers who work from home at least part-time will skyrocket to 25-30%. These statistics highlight an expanding attack surface underneath this unplanned shift to a distributed workforce.
The lack of security controls on home networks creates a massive attack surface. Organizations with remote workers face the challenge of absent endpoint and network security controls that fortify the internal or public cloud network from potentially compromised home systems (BYOD) and company-issued laptops as a result of compromised or unsecured home networks. The lack of proper IT hygiene, such as leaving default passwords on networked equipment, and impacted patch and vulnerability management create a significant blind spot and result in an increased attack surface.
Unified endpoint security solutions can fill the gaps on the endpoint from patch management to threat detection and response. You can’t protect what you don’t know you have. Unified endpoint security solutions can be used to eliminate these security, compliance, and visibility gaps by combining endpoint protection, endpoint detection and response, asset discovery and inventory, data risk and privacy, and vulnerability and configuration management capabilities into a single agent.
Unsecure VPN configurations enable a backdoor into the corporate network from home users. Split tunnelling configurations supported by organizations enable remote workers to access the internet directly, allowing malware and adversaries to compromise the home system and pivot onto the organization’s internal network over the VPN tunnel.
Company intellectual property and trade secrets going to employees’ homes creates a significant concern over the lack of data loss prevention on home networks. As sensitive trade secrets and intellectual property leave the confines of company networks to the homes of a company’s distributed workforce, a solution to address this new data loss prevention (DLP) gap is needed. A unified endpoint management and security solution that protects sensitive data at the endpoint when the network infrastructure can’t be secured by the organization should be implemented.
Introduction
Bring-your-own-device (BYOD) is a historical challenge that dates back over two decades but is now exacerbated by the new work-from-home mandate introduced by the COVID-19 pandemic. Not only has the current situation created its own ancillary set of new cybersecurity challenges that organizations did not have to previously overcome, but it also widened existing gaps in IT visibility and resilience.
Network infrastructure and operations (I&O) and the cybersecurity team are faced with both network and endpoint security challenges, such as resource restraints on VPN concentrators that were never sized to support 100% of the company’s workforce; bandwidth consumption of north-south traffic to the company’s internal network from the outside; and patch and vulnerability management of employees’ own home devices (BYOD).
This visibility and asset management challenge is created by today’s decentralized enterprise but can be solved by so-called unified endpoint security (UES) solutions. These solutions cohesively blend not just threat detection and response at the endpoint, but also endpoint protection, asset discovery and inventory, data risk and privacy, and vulnerability and configuration management in a single agent.
In addition to the challenge of implementing security controls on employees’ own devices, the work-from-home mandate also creates a new attack surface around employee issued devices, such as company-issued laptops that are now operating primarily on a network without enterprise network security controls.
Controls, such as network-based antimalware solutions, network detection and response (NDR), and data loss prevention (DLP) solutions aren’t present on home networks.
This article decomposes:
- The attack surface created by a distributed workforce of employees now working from their company-issued laptops and their own home networks and computers;
- The adversarial tactics and techniques that threaten an organization’s cyber resilience from assets out of their control;
- The threat created by absent or laxed IT hygiene practised by consumers on their home systems and network equipment, such as a lack of vulnerability and patch management and the use of default passwords;
- The widened visibility gap into endpoints used by employees working from home;
- How improperly configured virtual private networks (VPNs) can be a pivot point from these insecure home networks into an enterprise network or cloud workloads; and
- The casual environment of home networks that creates a vulnerability caused by complacency with workers when not taking the same precautionary measures they would if they were working from the corporate network
The Math Behind Work From Home
The number of remote workers is increasing
According to telecommuting statistics published in 2018 by Global Workforce Analytics, there are 4.3 million remote workers in the USA, which make up 3.2% of the entire workforce. The same report says that 40% more U.S. companies offered remote work as an option in 2018 than they did five years ago.
Another study by Global Workforce Analytics also estimates that due to the COVID-19 pandemic, the number of workers able to work from home in the U.S. will jump by 25-30% by the end of 2021, signalling a change in sentiment in how employers view remote work. Additionally, organizations will have the infrastructure and resources in place to support a larger number of employees to continue to work from home following the reopening of the U.S. economy.
This change in the amount of north-south traffic in and out of enterprise networks greatly increases the attack surface for these organizations, worsening the existing challenge of asset visibility, data loss prevention, vulnerability and patch management, and endpoint security.
The Threats Behind Work From Home
In this section, I discuss the threats posed by adversaries targeting the remote worker in their home network where adversaries face a much lesser challenge than targeting workers in an enterprise and cloud computing environment.
I’ve divided this section up into endpoint and network threats and the tactics and techniques employed by adversaries in the target-rich environment of home wireless networks.
Endpoint
Endpoints are networked nodes/devices on the network, such as a workstation, Voice over IP (VOIP) phone, server, or printer. Such endpoints are where adversaries gain an actual foothold on the network, such as the compromise of a Windows host giving them a shell on the system.
Because establishing a “beachhead” on a target network requires a foothold on an endpoint, the endpoint should have the most fortifications. And because humans interact with those endpoints, they have a big target painted on their back by adversaries who employ techniques, such as spear phishing or social engineering in order to gain that foothold. It’s because of this that it’s even more imperative endpoint security controls be considered the last line of defence for the endpoint and network if any network security controls in place fail or are simply absent.
There are numerous tactics and techniques that adversaries can employ against a remote worker’s endpoint, such as browser-based attacks, exploiting lax or missing endpoint security controls, or leveraging VPN split-tunnelling to pivot into the corporate network from the employee’s home.
The number of tactics and techniques used by adversaries that target the user or endpoint itself is numerous and far outweigh the efficacy-rate of network-based tactics and techniques. The targeting of endpoints yields a much higher success rate and offers more persistent access for the adversary than network-based attacks.
Techniques used against users, such as spear phishing, drive-by-download sites, SMS phishing (“smishing”), voice phishing (“vishing”), and others can all be stopped at the endpoint using effective endpoint security controls.
Client-Side Vulnerabilities
As the majority of the north-south traffic that leaves a home network is web traffic, the most prevalent attack employed against remote workers is browser-based attacks. In this scenario, an unsuspecting remote worker visits a hijacked legitimate web site that exploits a vulnerability in the web browser, OS, a file reader, multimedia delivery platforms, or browser plugins to download malware and/or execute code on the user’s device, giving the adversary remote access to the victim’s host.
Once this occurs, the adversary can then use the victim’s device to pivot into the internal network of the organization over the VPN tunnel if split tunnelling is being used. There are different techniques used in this tactic that I’ll describe below.
UES/UEM can detect and prevent these drive-by-download techniques by detecting the dropper when the malware is first placed on the endpoint after exploitation as well as fileless attacks when malware is running strictly in memory.
The attempt by the malware to establish C2 communication with its servers should also be detected and prevented by the UES/UEMsolution.
Web Browser Vulnerabilities
A common type of browser-based attack is the Document Object Module (DOM) injection. DOM is simply the hierarchical representation of elements on a web page, which is how modern web sites use JavaScript to manipulate the nodes and objects, as well as the properties of the DOM.
There are different types of DOMattacks, such as Reflected DOM Injection (RDI), DOM-based XSS (cross-site scripting), and DOM-based JavaScript Injection. Effectively, any type of DOM-based JavaScript injection occurs when an adversary inserts malicious JavaScript into a compromised web site or a web site under their control that then gets passed into the “sink” of a victim’s browser; a function where attacker-supplied code, such as eval() can be executed in the context of the victim’s session.
An example attack would be a redirect to a malicious site where the value of location.hash is set as the location property of the browser window when visiting a compromised site: https://www.google.com/example#http:/ /www.evil.com
Attacker-supplied code inserted into a sink can potentially steal session tokens, usernames and passwords, even perform keystroke logging where every key pressed by the victim is sent to a remote site.
Keystroke Logging
Another technique used by adversaries in DOM injection is keystroke logging. An example of this would be where a formjacked (hijacked web form) web site inserts JavaScript into the DOM of the victim’s browser that records every push of a key by the victim and sends it over the internet to a remote server under the control of the adversary. This technique is commonly employed to steal payment card information from compromised e-Commerce web sites or even usernames and passwords.
Because Keyloggers write to the drive and execute, UES/UEM solutions can detect the initial file being written to the drive and executed. Because the keystrokes need to be sent to the C2 server under the adversary’s control, UES/UEM should also be capable of detecting the outbound communication attempt to send the keystrokes to the C2 server.
VPN Split Tunnel
As discussed earlier in this paper, split tunnelling is a type of VPN configuration where the remote worker establishes a VPN tunnel from their device to the corporate VPN concentrator.
The victim’s internet traffic is established outside of the VPN tunnel directly to the internet sites they are accessing instead of it passing over the corporate VPN. The security implications of split tunnelling prevent the north-south traffic from the user’s device to the internet from passing through any network security controls on the corporate network, allowing malware and other vulnerabilities to go unnoticed by the corporate network.
Once an adversary establishes a foothold on the user’s device from the internet over the split tunnel, they can then pivot into the corporate network over the VPN.
UES/UEM solutions should be capable of detecting the initial foothold when the backdoor is installed on the file system and executed. The attempts by the adversary to then pivot from the system onto the corporate network over the VPN tunnel should also be seen and prevented by the UES/UEMsolution.
Network
Targeting the remote worker’s network infrastructure gives adversaries command and control of every networked asset on the home network, not just an individual host. While most breaches on home network equipment are a crime of opportunity, they invariably become part of a much broader campaign or pivot points into corporate networks. An example of this would be the compromise of the home network’s cable or DSL modem/router, weak security on home WiFi networks through easily cracked WEP or WPA keys, and the use of default passwords on home network equipment.
While some mitigations exist, such as DNS over HTTPs and certificate pinning to address some of the attacks mentioned in this section, many home users aren’t aware of security controls beyond installing antivirus or how they are even implemented.
Hacked Home Routers
A common misconfiguration by consumers is leaving a default password in place on their home router supplied by their internet service provider (ISP). While some ISPs are more secure by generating a unique password and placing it on a sticker at the bottom of the modem, many use default passwords that can be found on the Internet for accessing the router from the public interface of the device, such as those found here: https://bestvpn.org/defaultrouter- passwords/ While many consumers would not even know how to or need to access their home router, some “prosumers” are technically adept enough to perform what is called “port forwarding” for things such as gaming that allows traffic from the Internet into the home network.
In this section, I will describe some of the most common types of attacks that home routers are vulnerable to.
Because UES/UEM solutions aren’t installed on routers, there is no potential method for detecting attacks on a home router. However, once the adversary is capable of pivoting to establishing a foothold on an endpoint in the network, then the UES/UEM solution should be capable of seeing and preventing the activity.
Man-in-the-Middle
A man-in-the-middle attack or (MITM) is a type of attack where traffic from the source host or network is proxied through an adversary’s machine. MITM attacks allow an adversary to decrypt encrypted traffic (such as SSL/TLS) using a technique called SSL hijacking and SSL stripping. Once decrypted and read or manipulated by the adversary, the traffic is then passed on to its intended destination.
It’s important to note that MITM attacks are not limited to just passively sniffing/reading the captured data by the adversary. MITM attacks can also be an active attack, where the traffic is redirected to a different host under the adversary’s control, unbeknownst to the victim. In some cases, traffic is even manipulated or modified before being passed on to the legitimate destination as it passes through the adversary’s host.
To perform the MITM attack, adversaries have to either have control of a host on the local network, which gives them access to poison the ARP (address resolution protocol) cache of the victim host to pass all traffic through the host of the adversary (Figure 1), be in control of malware running on the victim’s host, or have control of the victim’s home router. The adversarial techniques described in this section are just some of the network-based threats home networks face that affect the confidentiality, integrity, and availability of enterprise networks introduced by the work-from-home employee.
ARP Cache Poisoning Process
UES/UEM solutions running on endpoints in the network should be able to detect and prevent the MITM activity from the point of the initial foothold.
Once the adversary has a foothold on the network and no UES/UEM solution is in place, detecting a modified ARP cache table would require the end-user to constantly know the MAC address of every IP in the local network and notice the change to the ARP cache, which is highly unlikely.
DNS Hijacking
DNS Hijacking, also known as DNS poisoning or DNS redirection, is a common technique used by adversaries once they have control of a home router. It allows the adversary to replace the router’s primary and secondary DNS servers with different DNS server IP addresses that are under the control of the adversary. Once this happens, the adversary can redirect requests for named hosts, such as www.google.com at 172.217.14.100 using their own DNS server to a different IP address under their control, such as www.google.com at 216.218.245.180.
As of version 80, Google Chrome does support the use of DNS over HTTPS (DoH) for increased privacy and security but is disabled by default that the user must enable using a hidden flag.
Popularized in April of 2017, adversaries can exploit the International Domain Name (DN) feature supported by web browsers where domain names can be written in foreign characters, referred to as a homograph attack. This allows adversaries to imitate legitimate domain names using characters from various alphabets in order to trick victims into thinking they are on the actual web site when they are not. This is also referred to as a Punycode conversion, such as xn--googe-95a.com, which is shown to the user as googĺe.com, virtually undetectable to the human eye. Take a particularly close look at the “L” in the domain name above in the word google. Once the victim is redirected to xn--googe-95a.com when visiting www.googĺe.com, they think they are visiting www.google.com and the adversary can then exploit browser vulnerabilities to download and install malware on the victim’s host, giving them remote access to the system. This type of attack is referred to as a drive-by-download, where malware is pushed to the host and executed remotely giving the adversary a foothold on the system. By controlling the system, the adversary has access to the entire home network and anything that host is connected to, such as the corporate VPN.
While Chrome beginning with version 51 implements an IDN policy that determines whether or not to display hostnames in Unicode that is independent of the language setting, there is a Chrome, Chromium, and Opera extension that can be installed to detect homograph attacks. In Firefox, this can be turned on manually by enabling the following configuration parameters, which again must be performed manually: network.IDN_show_puncode = true.
Because the point of this technique is for the adversary to gain a foothold on the endpoint, UES/UEM solutions will be able to detect and prevent the initial foothold when the dropper/backdoor is placed on the endpoint.
Evil Twin
An evil twin attack is a type of MITM attack where physical access to the victim’s home wireless network is required, such as the street directly outside the home. In this type of attack, an adversary uses a purpose-built device configured to be used as an evil twin wireless access point, such as a WiFi Pineapple from Hak5 or free tools, such as Fluxion, to pretend to be the user’s legitimate home wireless AP.
This works when the adversary broadcasts the same ESSID that the home user’s devices trust and connect to without validation. The wireless client of the victim connects to the fake wireless AP, thinking it’s the legitimate access point. This gives the adversary control of all data going to/from the victim’s device for sniffing, interception, and possible modification of the data before it’s passed on to the intended target. This is illustrated in Figure 2.
UES/UEM solutions are not capable of detecting evil twin attacks. Evil twin attacks are nearly impossible to detect because the SSID appears legitimate and the client is still able to access the Internet when connected to the evil twin.
However, once the adversary places a dropper/backdoor on the endpoint, UES/UEM should then be able to detect and prevent the execution and foothold of that adversary.
Example evil twin attack against a home wireless AP
Email security is a challenge in an enterprise environment where the cybersecurity team has more control versus home networks where they don’t have the ability to interdict and inspect north-south and east-west traffic. Many organizations use network-based antimalware solutions to identify when a user is hit with malware as a result of clicking on a URL or file attachment in an email that made it past their email security gateway. Most homes don’t have a network-based anti-malware solution, leaving any available protection to potentially outdated antivirus software running on the user’s endpoint.
Once the user clicks on the URL in a spear phish, the user is sent to a drive-by-download site where their browser is “sprayed” with vulnerability checks until a working exploit is found that installs and executes malware on the user’s host without them knowing.
A spear phish is usually a targeted email designed specifically to exploit human behaviour to induce the victim to click on a link in the email that sends them to a web site instrumented as a drive-by-download site that remotely installs and executes malware on the user’s host. Under the more general term of phishing, which covers the entire landscape of phishing style attacks, spear-phishing targets users via email in order to collect usernames and passwords, personally identifiable information, payment card information, or even gain access to the system they are using. There are other forms of phishing attacks, such as vishing, which is phishing an unwitting user through the telephone; and smishing, which targets users via SMS text message.
Spear phishing comprises the majority of phishing-type attacks as they typically result in an adversary gaining a foothold on a target network through the user’s system.
A specific type of spear phish called business email compromise (BEC) has become increasingly prevalent over the years where users are tricked into sending a last-minute wire transfer who has control of the purse strings for an organization. In a BEC-style phish, usually, the controller or CFO is targeted.
In this case, the adversary sends an email purporting to be the CEO of the company and demands a last-minute wire transfer right before the bank closes in order to fund a specific financial transaction. Unfortunately, many organizations have fallen victim to BECs, costing the company thousands, in some cases, millions of dollars and are unable to get the money back once the BEC has been discovered.
Not all threats can be countered purely with technology. BEC exploits are an example where UES/UEM is unlikely to prevent an attack. UES/UEM may, however, provide telemetry to behavioural analytics tools to assist with detection.
Server-Side Vulnerabilities
Routine patch and vulnerability management is rare in home networks. Therefore, unsecured endpoints where patches are not being regularly applied can be vulnerable to old and new vulnerabilities. This makes endpoints at home susceptible to exploitation when home users make their internal systems reachable from the Internet through port forwarding on their router and dynamic DNS services.
This is not to say that enabling port forwarding is the only method that can result in a compromised home system. Other techniques are used to compromise home systems, including a user clicking on a web link in a spear phish or visiting a hijacked web site that executes a “spray kit,” which checks the user’s web browser for a number of vulnerabilities until one work that allows remote code execution on the system.
Outside of client-based vulnerabilities, server-side vulnerabilities can make endpoints vulnerable to attack when they are running a service, such as a web server or DNS server that is accessible from the Internet. Once these services are exploited, adversaries can either access sensitive or confidential company data that may have been transferred to their system or pivot to internal systems over the corporate VPN as previously discussed.
UES/UEM solutions go beyond just securing the endpoint against malicious binaries. The UES/UEM solution should also provide patch and vulnerability management capabilities that ensure the administrator routinely applies the latest patches to prevent exploitation of the vulnerability in the first place.
Solution
Sun Tzu once said, “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
However, how can an organization make their position unassailable if they don’t know what positions they have? Meaning, if they don’t know what assets are deployed and what software and versions they’re running, they can’t secure them. These assets are the position they must make unassailable, which can’t be done without a mechanized solution for patch and vulnerability management and asset visibility.
The fact remains true in this new distributed workforce that you can’t protect what you don’t know you have and simply implementing EDR is not enough. A new approach that combines EDR with endpoint protection, asset visibility for managed and unmanaged devices, vulnerability management, and patch management is needed.
Conclusion
While we have only covered a select number of different tactics and techniques employed by adversaries against employees in a distributed workforce, it’s clear there are significant visibility, compliance, accountability, and other security gaps created by a remote workforce that must be addressed.
Organizations are unable to implement and enforce network security controls onto the home network of remote workers, hence, the logical and most cost-effective approach would be to enforce security controls on the user’s endpoint using a unified endpoint security solution. This allows organizations to address IT operations and cybersecurity needs in a single platform, thus limiting the number of agents running on endpoints.
Additionally, a unified endpoint security solution adopted along with the best practices of proper IT hygiene can eliminate the root causes of vulnerabilities and significantly reduce the exposed attack surface, especially in a distributed workforce.
Some of the requirements buyers should look for in unified endpoint management and security solutions include asset discovery and inventory, data risk and privacy, endpoint detection and response, endpoint protection, and vulnerability and configuration management.
These unified endpoint security solutions can be required by the organization to be installed on the user’s devices, whether company-issued or not, before connecting to the company’s VPN.
The fact remains true outside of the confines of the enterprise network that you can’t protect what you don’t know you have. The goal of every organization should be to reduce IT complexity and adopt the best practices of proper IT hygiene that form the foundation to resolve the root causes of vulnerabilities.
A unified endpoint solution helps organizations achieve those goals.
Source: Knight Ink
