How not to give your company to a hacker while she is away. Tips for SOC Specialists




For many, the concept of "remote work" gained importance only in connection with the measures against the spread of the viral infection that we all, alas, had to face. Very few companies have experience of moving employees to remote work en masse. Even those with a powerful and mature IT infrastructure are often not ready for this and lack the corresponding built-in processes and set of protection tools. As a result, their information security (IS) department has to solve new, specific tasks, and the industry hardly matters here. There are companies whose business is built on working through the Internet and who seemed to be old hands at remote work and its security, and yet they too run into problems in the new reality.

In order to make life easier for our colleagues, we have formed a number of tips for working on a remote site, designed specifically for SOC units (no matter which ones - internal or outsourcing), which are now also adapting to new realities.

RDP, VPN, DaaS - what do you have?


Of course, it is important to determine exactly how remote employees will gain access to the company's infrastructure. Access to a remote workstation can be organized in several ways:

  • from a corporate device provided to an employee with access to the company's internal network;
  • with the help of a thick client to certain published services of the company;
  • using a thin client, through a browser, to published services that have a web interface.

On the one hand, a thick client is preferable, as it allows you to control the device. On the other hand, installing it on personal devices is fraught with the risk of compromising the service, since in this case the state of software on the device is not monitored (there is no vulnerability management and compliance, you cannot verify the availability of anti-virus protection and certain OS settings). A personal device is almost guaranteed to be weaker than a corporate device.

Depending on how remote work is organized, the emphasis of monitoring and of detecting compromise attempts also changes. For example, a WAF does a good job of protecting published services used by thin clients and detecting attacks on them. To protect and monitor devices that reach the corporate network via VPN, a wider range of information security solutions is needed. Bear in mind that the Internet channel to which the employee's device is now connected is not under the control of the IS service, and this creates an additional risk of leakage, for example of user credentials (and sometimes of company data, if the user actively works with it and constantly exchanges large volumes of information with the company's network).

When employees are moved to remote work en masse, some of them will probably be provided with corporate equipment configured in accordance with all security standards. But mass violations cannot be ruled out (especially in an organization with an extensive network of branches): attempts to access the company's network not from a corporate device but from a personal one with the appropriate software installed, even if such actions are directly banned. In this case, monitoring should be able to classify the devices connected to the company's network and separate them according to certain criteria.

What is under the hood and how effectively is it used


The first thing to pay attention to is an inventory of the available protection tools (if for some reason you used to treat this issue carelessly, now is the time to tie up loose ends). The technological minimum includes:

  • Access control and data security systems designed to provide employees with access to work tools without compromising security. First of all, we are talking about firewalls and means of organizing virtual private networks (VPNs).
  • SIEM-system as a monitoring “information center”, designed to aggregate information about what is happening at all nodes of the protected network and quickly respond to abnormal changes and identified incidents.
  • Web application firewall (WAF).
  • NTA system.
  • DLP system.
  • Analysis of user and organization behavior (user and entity behavior analytics, UEBA) - since we are talking about profiling, we can’t do without it either. However, in this case, it is worth remembering that with the mass transition to remote work, the usual user behavior changes, so it is important to lay the time for fine-tuning profiles.

The list goes on. It does not differ much from the list of information security systems required in any well-developed IT infrastructure; what changes is the emphasis. Where protection against external threats used to be the priority, now the users of the systems themselves can be treated as an external threat: they cease to be a fully trusted party when connecting to the infrastructure.

If for some reason something from the list above is missing, a possible way out is to use open-source information security systems (as supplementary ones) or to implement the missing functions with the means you already have. The information security community is rallying in the midst of the general crisis, and you can now take advantage of special offers from manufacturers of network equipment and information protection tools (SZI), both domestic and foreign: they provide products and services that make it easier to organize secure remote work, with discounts or free grace periods.

Can existing tools be repurposed?


One of the tools best suited to trying out in a new role is SIEM. This is not surprising: it is in the arsenal of almost any information security team, and for a SOC team it is a basic tool. Correlation rules over events from a variety of sources make it possible to implement virtually any type of control and monitoring, as well as automatic notifications. For example, with a SIEM system you can build a kind of UEBA (which is part of the set of necessary technologies described above). By connecting as sources the network equipment and the workstations taken outside the organization's infrastructure, you can monitor which information resources employees access from a remote location and respond to access attempts, for example, into network segments in which this category of users has no business.

By distributing the company's anti-virus protection tools to the home devices (with their owners' consent, of course) of users who are granted the right to use published services, the information security service receives more information about the new endpoints connecting to these services and also raises the security level of these devices. In addition to protecting corporate information, this also protects the employees' personal data.

When working remotely, the amount of data circulating in the company's information and telecommunication network inevitably increases, so NTA class solutions become a good help in monitoring this activity, detecting computer attacks and other anomalies. With their help, it is possible both to detect directly harmful influences in real time, and to solve the tasks of retrospective analysis of incidents and events if the NTA system provides sufficient memory to store traffic records.

Classic monitoring, or something more creative?


It is impossible, and not advisable, to dissect and try on every possible case. But there is a certain set of them that covers the most critical scenarios. These scenarios can be implemented in a reasonable time and, importantly, require an adequate amount of resources. At the same time, they cover the most likely attack vectors through which an attacker may try to penetrate the company's network.

Simple but tasteful: erroneous passwords, IP and duplicate connections


So, let's start with the classics of the genre, which is geared to tracking simple markers of employee activity, such as IP mismatch, an excessive number of errors when entering a password, etc.

  • Erroneous passwords (VPN connection attempts).
  • IP mismatch.
  • Duplicate connections (tracked in SIEM from VPN events).
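As an added illustration of the "classic" scenarios above (not code from the article), the following Python snippet implements two SIEM-style correlation rules over constructed VPN gateway log lines: a burst of failed password entries per account, and a duplicate connection where an account logs in from a second IP address before the first session ends. The log format, user names, addresses and thresholds are assumptions.

```python
"""Added example: two classic correlation rules over assumed VPN log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "date time user ip result" format.
SAMPLE_LOG = """\
2020-04-06 09:00:01 ivanov 203.0.113.10 LOGIN_OK
2020-04-06 09:02:10 petrov 198.51.100.7 LOGIN_FAIL
2020-04-06 09:02:15 petrov 198.51.100.7 LOGIN_FAIL
2020-04-06 09:02:20 petrov 198.51.100.7 LOGIN_FAIL
2020-04-06 09:05:00 ivanov 192.0.2.44 LOGIN_OK
2020-04-06 09:30:00 sidorov 198.51.100.9 LOGIN_OK
2020-04-06 10:00:00 ivanov 203.0.113.10 LOGOUT
"""
LINE_RE = re.compile(r"(\S+ \S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|LOGOUT)")

def parse(log):
    """Turn matching log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line)
        if m:  # lines in another format are ignored, not treated as errors
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def password_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` failed logins inside a sliding window."""
    fails, hits = defaultdict(list), set()
    for ts, user, _ip, result in events:
        if result != "LOGIN_FAIL":
            continue
        times = fails[user]
        times.append(ts)
        while times and ts - times[0] > window:  # forget attempts outside the window
            times.pop(0)
        if len(times) >= threshold:
            hits.add(user)
    return sorted(hits)

def duplicate_sessions(events):
    """(user, first_ip, second_ip) when a new login arrives while a session is open."""
    active, dupes = {}, []   # active: user -> ip of the currently open session
    for _ts, user, ip, result in events:
        if result == "LOGIN_OK":
            if user in active and active[user] != ip:
                dupes.append((user, active[user], ip))
            active[user] = ip
        elif result == "LOGOUT":
            active.pop(user, None)
    return dupes
```

In a real SIEM both rules would be fed by the VPN gateway connector rather than a text log, and the IP pair in a duplicate-session alert is what the GeoIP enrichment described later attaches cities to.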



A set of more complex monitoring and incident detection schemes is aimed at significantly enriching the data collected during classical scenarios and increasing the accuracy of identifying illegitimate connections in the mass of requests that are generated on the network during total remote access. All scenarios included in it also imply the accumulation of data that is necessary for the most prompt and effective investigation of the incident.

  • Identification of domain and non-domain workstations with remote connection.
  • Determining the user's location (GeoIP).

The use of a retrospective analysis of stored data about a user's location may reveal less conspicuous anomalies: for example, it is unlikely that a legitimate user who needs to use a desktop computer will be connected to a corporate network from different cities.

For a full reputation assessment of the addresses from which external users connect, threat intelligence systems can be used. They will help to identify both infected machines that are members of botnets and connection attempts from various anonymizing networks (for example, through TOR or anti-abuse VPN providers).

  • Monitoring administrators' connections and configuration changes to critical infrastructure services.

In the case of mass remote work of employees, it is absolutely necessary to strictly control access to points of entry into the corporate network via the same VPN and changes in their configuration. Tracking and logging this data is useful both for verifying the legitimacy of actions and for investigating possible IS incidents. General control over the actions of administrators on critical infrastructure services is not specific to the situation with mass remote work of employees - this is a common necessity, but it cannot be ignored.


Completely non-standard cases sometimes arise in information security monitoring. Fortunately, the available tools most often allow them to be handled with relative ease.
For example, for some reason the company may have no DLP-class system. What can be done? Use SIEM and monitor access to file storage. To do this, compile a list of files which users working remotely from the VPN segment should not access or download, and configure the appropriate audit policies on the storage itself. When the SIEM system registers such an attempt, an incident is started automatically. However, file storage sometimes grows to such a size that compiling a list and classifying the data on it becomes practically unsolvable. In this case, the minimum program is to set up logging of storage access and file operations: this information will serve well when investigating possible leaks.

There are even more sophisticated puzzles. For example, data on connections to the VPN or to published services, and the duration of sessions, can tell an analyst how (and whether) labor discipline in the company changes with the new working conditions. Jokes aside, drawing up a working-hours regulation for remote employees is very useful for information security monitoring: a connection to the company's network outside the allowed hours can be treated as a clear IS incident. If such a regulation cannot be drawn up, the monitoring service should pay attention to obviously anomalous things, say, night-time activity of a user who has nothing to do with any duty service. Agree that an employee of the personnel department connecting remotely at three in the morning is at least suspicious: it may turn out to be an attacker using the employee's account.
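The two improvised checks just described, file-storage access from the VPN segment in place of a DLP system and a working-hours regulation per department, as an added Python example that is not the article's code. The VPN address pool, the restricted paths, the department schedules and the audit event fields are all assumptions.

```python
"""Added example: two SIEM-style rules over constructed file-server audit events."""
import ipaddress
from datetime import datetime

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed address pool of remote users
# Assumed list of storage paths that remote users must not touch (case-insensitive).
RESTRICTED = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\salaries\\")
# Assumed working-hours regulation per department: (start_hour, end_hour), local time.
WORK_HOURS = {"hr": (8, 19), "accounting": (8, 20), "duty-soc": (0, 24)}

# Constructed audit events: (timestamp, user, department, source ip, path).
EVENTS = [
    ("2020-04-06 14:05:00", "petrova", "hr", "10.200.3.17", "\\\\fs01\\hr\\vacations.xlsx"),
    ("2020-04-06 14:06:00", "petrova", "hr", "10.200.3.17", "\\\\fs01\\finance\\budget.xlsx"),
    ("2020-04-07 03:10:00", "petrova", "hr", "10.200.9.2", "\\\\fs01\\hr\\vacations.xlsx"),
    ("2020-04-07 03:12:00", "nikolaev", "duty-soc", "10.200.9.5", "\\\\fs01\\soc\\shift.txt"),
    ("2020-04-06 14:07:00", "smirnov", "accounting", "10.10.1.5", "\\\\fs01\\finance\\budget.xlsx"),
]

def restricted_from_vpn(events):
    """Accesses to restricted paths whose source address lies in the VPN pool."""
    prefixes = tuple(p.lower() for p in RESTRICTED)
    hits = []
    for ts, user, _dept, ip, path in events:
        # Office addresses (outside the pool) are not this rule's concern.
        if ipaddress.ip_address(ip) in VPN_POOL and path.lower().startswith(prefixes):
            hits.append((ts, user, path))
    return hits

def outside_work_hours(events):
    """Accesses outside the department's regulated hours; duty services never fire."""
    hits = []
    for ts, user, dept, _ip, _path in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        start, end = WORK_HOURS.get(dept, (0, 24))  # unknown department: do not flag
        if not start <= hour < end:
            hits.append((ts, user, dept))
    return hits
```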

In-depth analysis of network traffic also deserves a mention. Having deployed an NTA-class solution and fed it the traffic from the gateway through which remote users connect to the internal network, you can effectively determine which intranet services are being used and identify attempts to compromise them, including "users" who in fact turn out to be intruders or workstations infected with malware. In addition, NTA can make life easier for IS personnel when it comes to controlling whether remote access to particular corporate network segments is allowed or explicitly prohibited.

***


In the current stressful situation, IT and information security staff can waste a lot of energy and nerves if they try to secure the company's transition to remote work carelessly or on a hunch. To simplify their work as much as possible, we have outlined the main directions of movement. For example, if a SIEM system is already deployed with sources connected to it, including information protection tools (SZI) and network equipment, selecting the main zones for monitoring and implementing the corresponding event correlation rules will take two to three days, including the onboarding of sources. In other words, this task is more than feasible while employees' workplaces are moving home.

Much remains behind the scenes: for example, we have barely touched on the company's general level of information security maturity, yet the protective measures for the cases considered today can be rendered worthless when the everyday security system has serious shortcomings. Suppose you have well-organized monitoring of remotely connected users and workstations are classified as domain and non-domain with 100 percent accuracy, but at the same time a self-written web service with a trivially detectable RCE is published outside the corporate network, its server also has an internal address, and the network diagram is close to the classic star. Reinforced-concrete protection does not exist, and there is always room for creativity and development in improving it.

Posted by Pavel Kuznetsov, Head of Information Security Monitoring, PT Expert Security Center, Positive Technologies
