The COVID-19 pandemic has driven many organizations to transition to remote work without sufficient time to prepare, creating new opportunities for hackers to attack vulnerable systems and unsuspecting users. This article delves into how the rush to maintain “business as usual” during a crisis may have caused an organization to overlook the impact of telework on its incident response capabilities.
Since telecommuting increases an organization’s vulnerability to some cyber threats and can handicap an unprepared incident response team’s (IRT’s) response to a security incident, it’s important to now consider incident response for a new remote workforce.
Teleworkers share many of the same cybersecurity risks and threats as employees working in the office. However, as we previously discussed in detail, due to their off-site work locations, these employees are vulnerable to other potential threats as well.
In fact, there is increasing evidence that attackers, including nation-state actors, are taking advantage of the situation and using concerns over the virus to exploit telework environment vulnerabilities. This is such a problem that the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s cyber agency, recently issued an alert regarding cyber vulnerabilities created by working from home rather than the office.
Many organizations were unprepared to support a fully remote workforce, as the COVID-19 pandemic demanded. For instance, existing virtual private network (VPN) infrastructure was often designed to support less than 30% of the workforce at any given time, rather than the 90-100% using it during the outbreak.
To alleviate these issues, some organizations have switched to using split-tunnel VPNs, where only traffic intended for the enterprise network passes through the VPN tunnel. All other traffic is routed directly to its destination.
While the use of split-tunnel VPNs can help to solve the VPN scalability problem, it introduces new security concerns. Traffic that does not pass through the enterprise network does not receive the benefit of the organization’s cybersecurity infrastructure. As a result, employee systems are more vulnerable to malware infections, and most employees are likely unaware of the additional risk.
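As an added illustration (not code from the original article), the following Python snippet models the trade-off just described: which of a teleworker's connections still traverse the enterprise perimeter under a split-tunnel policy compared with a full tunnel. The enterprise prefixes, the flow list and the addresses are constructed for the example; the "include routes" list is a hypothetical stand-in for whatever the VPN client actually uses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed split-tunnel policy: only destinations inside these prefixes are sent
# through the VPN (hypothetical enterprise ranges, i.e. the client's "include routes").
ENTERPRISE_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"]

# Constructed sample flows from a teleworker's laptop: (label, destination IP, dst port).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("file share (SMB)", "10.20.3.4", 445),
    ("intranet HR portal", "192.168.100.10", 443),
    ("cloud mail (IMAPS)", "203.0.113.25", 993),
    ("cloud mail (SMTP submission)", "203.0.113.26", 587),
    ("public web browsing", "198.51.100.7", 443),
]

# Mail protocol ports: split tunnelling can leave this traffic unscanned by the enterprise.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}


def routes_via_tunnel(dst: str, routes: List[str]) -> bool:
    """True if dst falls inside any prefix the VPN client routes into the tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(r) for r in routes)


def classify_flows(flows, routes, split_tunnel: bool) -> Dict[str, str]:
    """Map each flow label to its disposition.

    'inspected'        - traverses the enterprise perimeter (full tunnel, or split
                         tunnel with an enterprise destination)
    'uninspected'      - goes straight to the Internet, bypassing perimeter controls
    'uninspected-mail' - same, but on a mail port, so no mail threat scanning either
    """
    result = {}
    for label, dst, port in flows:
        if not split_tunnel or routes_via_tunnel(dst, routes):
            result[label] = "inspected"
        elif port in MAIL_PORTS:
            result[label] = "uninspected-mail"
        else:
            result[label] = "uninspected"
    return result


def uninspected_labels(flows, routes, split_tunnel: bool) -> List[str]:
    """Labels of flows that bypass perimeter defences under the given policy."""
    return [l for l, d in classify_flows(flows, routes, split_tunnel).items()
            if d != "inspected"]


if __name__ == "__main__":
    for mode in (False, True):
        print("split tunnel" if mode else "full tunnel",
              uninspected_labels(SAMPLE_FLOWS, ENTERPRISE_ROUTES, mode))
```

Running it shows the full tunnel leaves nothing uninspected, while the split tunnel sends both mail flows and general browsing past the perimeter unscanned.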
During a crisis, such as COVID-19, or other major events, social engineering attacks typically spike. These attacks take advantage of heightened emotional states related to current events to build pretexts more likely to result in clicked links or downloading attachments.
When working from home, employees are especially vulnerable to these attacks. Personal devices used for business purposes almost certainly do not meet security requirements typically imposed on corporate devices, such as configuration hardening, updated patches and anti-virus signatures, and strong passwords.
The use of split-tunnel VPNs could also mean that email traffic is not scanned for threats before delivery. Additionally, in a home office it is more difficult for an employee to ask a colleague whether an email “looks right” before acting on it.
The new threats associated with a mostly or fully remote workforce increase the probability that an organization will experience a data breach or other cybersecurity incident. At the same time, an organization’s IRT is operating in a very different environment than is covered by most incident response plans.
If your organization moved most or all employees home during the crisis, here are three differences to consider for incident response for a new remote workforce:
One impact of a remote workforce on incident response is decreased threat visibility. When employees are working on-site, all work is performed on corporate computers, and all traffic flows through perimeter-based defenses before reaching the public Internet.
With a remote workforce, employees may be working from personal devices, and not all business traffic may be visible to the security operations center (SOC). This means that identification of a potential incident may be delayed, and root cause analysis may be difficult or impossible.
Because most organizations do not have technical architectures that support logging and monitoring of remote devices, log information critical to digital forensics and incident response may be inaccessible or non-existent. One of the benefits of centralized log monitoring is that it removes the risk of a common attack technique – the attacker covering their trail by deleting logs from the target device. Lacking this information, the IRT will struggle to identify the scope of a compromise and move into containment, eradication, and recovery.
Under normal circumstances, an IRT can respond in person to most security incidents, or ensure ‘smart hands’ are available to work with a remote specialist in executing scripts and furthering the investigation towards the root cause. This ensures that trained personnel are the ones performing the investigation and any remediation actions.
Additionally, to ease the administrative challenges created by rapidly moving to a largely remote workforce, many organizations opted to grant elevated privileges to their home-based staff. This amplifies risk, because malicious code executed against that device or user runs within the user’s elevated security context. This gives the attacker more ability to do harm upon first obtaining access, and may remove the need to perform other, more complicated attacks to elevate privileges as the attacker works towards their target objective.
When employees are working from home, an in-person response by the IRT may be difficult or impossible. Instead, IRT members may need to guide an employee who likely does not have the technical knowledge or capabilities typically available to the incident responder.
Guiding a non-technical employee through the process of remediating a potential incident can be cumbersome and challenging, and time is one resource the incident responder simply does not have in a live incident. As a result, recovery times are likely to be longer than normal, which can impact the cost and effect of the incident on the organization.
Clear communication channels are one of the most critical elements of good incident response. During a crisis, it is essential that the IRT be immediately reachable to minimize the impact of an incident. Additionally, IRT members should know who to contact if additional actions or authorization are needed, and how they should be reached. In most organizations, the incident response involves or impacts third parties, including cloud service providers, hosting providers, managed services providers, outside counsel, and more.
A well-constructed incident response plan describes the communication paths used to reach these third parties and the situations where escalating to a third party may be necessary.
Some businesses have been forced to downsize due to changing economic circumstances, and in some cases, those cutbacks could have eliminated a resource the IRT relied upon to perform some element of responding to an incident, even if only providing institutional knowledge. Any such impacts must be identified and addressed through an updated plan, clearly identifying roles and responsibilities.
With telework, communication channels that IRT members rely upon have likely changed. Employees may not have access to desk phones and may only be reachable via personal phones or online collaboration tools. Third parties may have changed the communication paths they ask their customers to use, and the incident response plans must be updated to reflect these changes in communication channels.
In addition, normal operations usually allow for one qualified single point of contact with whom to coordinate the response effort. Having telecommuting employees in dispersed locations results in many points of contact, who sometimes need to be contacted simultaneously depending on the appropriate course of action.
We recommend establishing within your incident response plan the activation of an incident conference bridge that is active throughout the response effort, where members of the IRT can collaborate centrally and enable focused tasking for specialists and workgroups to take action in a cohesive manner.
A remote workforce changes an organization’s exposure to cybersecurity threats and how the IRT is able to respond to potential security incidents. Good incident response for a remote workforce requires identifying these impacts, updating the incident response plan, and communicating the new plan to the IRT.
Performing a tabletop exercise simulating a security incident in a telework scenario can dramatically help IRT members to adapt to their new operating environment. Reach out to start the conversation.
Check out our webinar-on-demand, “Remote Workforce + Data Breach: A Perfect Storm”, to listen to legal, data privacy, and cybersecurity experts as they discuss how to adapt an Incident Response Plan for the remote workforce model so you can Show No Weakness.