Organizations have quickly transitioned to a remote workforce in various ways to continue their operations through the COVID-19 crisis. The team at FireEye has threat modeled several of these transition paths to show where they may open the door to an attack. Their recent blog post, which follows, lays out the threat models and the key areas of weakness.
With the rapid escalation of COVID-19, organizations are having to adapt quickly to limit contact and person-to-person contamination. Over the past several weeks, organizations around the world have instituted remote, work-from-home policies. While some organizations have maintained a robust remote work structure for years, many have had few remote workers and restricted employees from working from home. And even for organizations that have maintained a remote workforce, the breadth and depth of remote work has dramatically increased. Business units and functions whose work has never been done remotely are now required to operate in a fully remote mode. During these rapid changes, security experts are rightly asking what new risks may be introduced.
To consider some of the risks this new remote connectivity brings, we’ve threat modeled a sample of the remote access implementations we’ve seen. Of course, these threat models represent a sampling and each organization is going to have nuanced implementations, variances and considerations. It’s important that each organization considers their implementation and the risks when proactively assessing these capabilities.
Remote Access Architectural Approaches
Highest Risk Remote Access Method
The simplest and least secure remote access method is exposing networking protocols such as Microsoft Remote Desktop Protocol (RDP) directly to the internet. While we still encounter organizations that expose RDP to the world (mainly in Incident Response cases), mature organizations prohibit direct access through proper firewall configurations and restrictions. However, even in mature organizations, security teams must be cognizant of shadow IT operations that may spin up systems on unmanaged cloud platforms or third-party services, outside those firewall controls.
Given the lack of controls and the risk of exposing RDP and other remote protocols directly to the internet, enterprise organizations have centralized remote access on a few technologies. This implementation allows for improved access management, logging and security controls.
We see this centralized enterprise standard implemented in a couple of ways:
VPN / Virtualized Desktops
The most common implementation we encounter is a VPN solution and/or a virtualized desktop interface such as Citrix or VMWare:
These solutions are placed within the organization’s DMZ. For VPN traffic, this may be either a full tunnel or a split tunnel solution. We often see organizations implement this VPN connectivity to provide a significant amount of internal network access. Given the significant increase in remote connectivity during COVID-19, organizations that were full tunnel may be migrating to split tunnel to reduce bandwidth; we discuss some of the risks of this later in the post.
Citrix, VMWare and other solutions can provision a user with individual applications or a full virtualized desktop. The application model typically publishes a set of applications such as Internet Explorer, homegrown applications and third-party applications. Alternatively, organizations may provide a virtualized desktop to the user, which gives access to network shares, applications and other internal resources.
Zero Trust Model
The emerging model of remote access is the Zero Trust model, which utilizes an identity provider to provision access to applications and determines authorization based on both the user and the device. Common authorization checks include whether the device is managed by the organization (for example, by a certificate stored in the device’s Trusted Platform Module, or TPM), where the login originates and which roles the user holds. While we have seen organizations move toward this model, legacy challenges and exceptions remain, with either half-implemented solutions or traditional VPN access still provisioned as a backup.
Threat Modeling the Risks
The dynamic nature of COVID-19 has resulted in rapidly evolving shifts to the remote workforce. Given the level of access provided through remote connectivity, the newly minted remote workforce and potential for limited security reviews, attackers are likely to take advantage of weaknesses to gain internal network access. FireEye Mandiant Threat Intelligence has identified a significant number of COVID-19 phishing and spear phishing lures, which we suspect will continue.
With the rise in the remote workforce, organizations may modify their remote access standards such as removing IP address whitelists, allowing unmanaged devices and moving to a split tunneling solution. Any of these configuration changes should be weighed against the new threats to the organization and the risk appetite, based on thoughtful security reviews and testing.
Direct Access Threat Modeling
For direct network access, we’ll continue to see the traditional means of gaining access to externally facing services: network scanning of external ports and exploitation through brute forcing, credential spraying or spear phishing. Further increasing the risk of this direct network access is that these services likely allow unmanaged devices direct access, providing little visibility into the hosts that are connecting to these services.
Enterprise Threat Model
VPN / Virtualized Desktops
To consider the threats to the common VPN / Virtualized Desktops, we’ve considered attacker behavior from several angles such as unauthenticated attacks, compromised credentials and compromised systems. Furthermore, as attackers often chain control deficiencies together, we’ve considered how attackers exploit the initial access to a VPN / Virtualized Desktop to gain further access. In light of the current remote workforce growth and common deficiencies we’ve seen in threat modeling, incident response, and red teaming, we want to highlight several key areas of weakness:
- Endpoint Remote Access: Employees will continue to be targeted in phishing emails on a regular basis. The controls of email filtering, endpoint hardening, reduced administrator privileges and visibility should continue to apply. In the current COVID-19 situation, security teams should validate that endpoint visibility remains consistent for users that are remote, including any new users or third parties.
- Attacker Lateral Movement: Once an attacker gains access to a remote access solution, be it VPN or a virtualized desktop solution, they will likely attempt to gather credentials and move laterally. To reduce this ability, network access should ideally be restricted to the resources that are necessary to perform job duties. Virtualized services should be hardened, as we’ve outlined in previous posts.
- Multifactor Authentication (MFA) Bypass: Fortunately, many organizations have implemented MFA to reduce the success of brute forcing or credential spraying attacks. However, in our red teaming exercises, we still encounter users accepting push notifications after credential spraying, enabling remote access. Employees should be trained to identify and report push notifications they did not initiate. Additionally, some methods of MFA, such as SMS text messages, have previously been exploited (for example, through SIM swapping) to gain access to the user’s second factor. The MFA implementation methods should be considered and evaluated against the organization’s risk tolerance.
- Unmanaged Device Access: Organizations often conduct limited validation checks to identify unmanaged devices, including attacker systems connecting to remote access solutions. Oftentimes, these ‘posture checks’ performed by VPN solutions may be bypassed through modifying VPN software responses or registry key settings. In addition to attacker systems connecting to the network, security teams should consider that users may be connecting from unauthorized systems. The COVID-19 situation has resulted in remote workers that may not have experience working remotely and may not have been provided company-issued laptops. If they were previously only provisioned a desktop, how are they now connecting to the network remotely? Are they utilizing unmanaged personal systems that leave the security team with limited visibility and controls?
- Split vs. Full Tunnel Visibility: To handle the increase in remote workers, organizations may be moving from a full tunnel VPN configuration to split tunneling. With a full tunnel, all traffic traverses the VPN, allowing web proxies to filter traffic and security teams to identify unauthorized activity. Split tunneling may reduce this visibility unless appropriate endpoint agents are installed to provide sufficient visibility and controls.
- Remote Access Denial of Service: With entire organizations moving to a remote access model, a denial of service against these remote access portals will significantly impact operations. For example, an attacker may be able to generate multiple failed password attempts against an account and lock the user out. If the attacker scripts this action across a significant number of users, they may succeed in causing a widespread account lockout.
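The credential spraying, push-acceptance and lockout patterns described in the MFA Bypass and Denial of Service items above can all be pulled out of the same remote access authentication log. The following is an added example, not code from the original post or from FireEye: it runs three simple detections over a constructed, hypothetical log format ("timestamp user source_ip result", where result is FAIL or SUCCESS). The thresholds, the sample lines and the IP addresses are assumptions for illustration; a real VPN or identity provider log will need its own parser and tuned thresholds.

```python
"""Spot credential spraying, push-accept-after-spray and lockout DoS in VPN auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Hypothetical format:
#   <ISO-8601 timestamp> <user> <source ip> <FAIL|SUCCESS>
# 203.0.113.7 sprays five accounts three times each; erin then "succeeds"
# from the spraying source (the push-accept pattern). frank is a normal typo.
SAMPLE_LOG = """\
2020-03-20T09:00:01Z alice 203.0.113.7 FAIL
2020-03-20T09:00:02Z bob 203.0.113.7 FAIL
2020-03-20T09:00:03Z carol 203.0.113.7 FAIL
2020-03-20T09:00:04Z dave 203.0.113.7 FAIL
2020-03-20T09:00:05Z erin 203.0.113.7 FAIL
2020-03-20T09:06:01Z alice 203.0.113.7 FAIL
2020-03-20T09:06:02Z bob 203.0.113.7 FAIL
2020-03-20T09:06:03Z carol 203.0.113.7 FAIL
2020-03-20T09:06:04Z dave 203.0.113.7 FAIL
2020-03-20T09:06:05Z erin 203.0.113.7 FAIL
2020-03-20T09:12:01Z alice 203.0.113.7 FAIL
2020-03-20T09:12:02Z bob 203.0.113.7 FAIL
2020-03-20T09:12:03Z carol 203.0.113.7 FAIL
2020-03-20T09:12:04Z dave 203.0.113.7 FAIL
2020-03-20T09:12:05Z erin 203.0.113.7 FAIL
2020-03-20T09:12:40Z erin 203.0.113.7 SUCCESS
2020-03-20T09:15:00Z frank 198.51.100.4 FAIL
2020-03-20T09:15:30Z frank 198.51.100.4 SUCCESS
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, user, src, result), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    events.sort(key=lambda e: e[0])
    return events


def spraying_sources(events, window=timedelta(minutes=10), min_users=5):
    """Sources that fail against >= min_users distinct accounts inside one time window.

    Few failures per account but many accounts per source is the signature of
    credential spraying, which stays under per-account lockout thresholds.
    Returns {source_ip: set_of_targeted_users} for the first qualifying window.
    """
    failures_by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            failures_by_src[src].append((ts, user))
    flagged = {}
    for src, fails in failures_by_src.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged


def lockout_candidates(events, threshold=3, window=timedelta(minutes=15)):
    """Accounts whose failures inside one window reach the lockout policy threshold.

    Many accounts hitting the threshold at once is the lockout denial of service:
    the attacker does not need a valid password, only the lockout policy.
    """
    failures_by_user = defaultdict(list)
    for ts, user, _, result in events:
        if result == "FAIL":
            failures_by_user[user].append(ts)
    at_risk = []
    for user, times in failures_by_user.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                at_risk.append(user)
                break
    return sorted(at_risk)


def suspicious_successes(events, sprayers):
    """Successful logins from a spraying source to an account it already failed against.

    A password guess that later succeeds from the same spraying source is the
    pattern left behind when a user approves an MFA push they did not initiate.
    Returns [(user, src, iso_timestamp), ...].
    """
    already_failed = set()
    hits = []
    for ts, user, src, result in events:
        if src not in sprayers:
            continue
        if result == "FAIL":
            already_failed.add(user)
        elif result == "SUCCESS" and user in already_failed:
            hits.append((user, src, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprayers = spraying_sources(evts)
    print("spraying sources:", {s: sorted(u) for s, u in sprayers.items()})
    print("accounts at lockout threshold:", lockout_candidates(evts))
    print("push-accept suspects:", suspicious_successes(evts, sprayers))
```

Two caveats when applying this to real logs: a corporate NAT gateway or a shared VDI egress address can look like a spraying source, so the distinct-user threshold has to be tuned per environment, and the lockout detection is only useful if the threshold and window match the directory's actual lockout policy. The push-accept check is deliberately narrow (same source that sprayed, same account) so that ordinary mistyped passwords, like frank's in the sample, are not flagged.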