An attacker’s view of a work-from-anywhere world
Sep 21, 2021
How deception can be a powerful tool in defending the new attack surface
Big changes are underway in the world and a new paradigm is emerging in how we work. In response to the government lockdowns last year, organizations were forced to open their perimeters to allow employees to work from home practically overnight. Applications, servers, and databases that previously lived behind firewalls were suddenly out in the open and exposed to the internet, as the corporate network extended into employee’s homes. It’s as if the moat of the organization and its usual first line of defense, the firewall, dried up and the bridge to the castle was drawn down.
Attackers are surely seeing this as a golden opportunity to ramp up their exploits. The ROI on spear-phishing, credential stuffing, stealing valid credentials, and other techniques have been very attractive. We've seen an explosion of perimeter-facing attacks to attacks targeting VPNs and email to attacks originating with cloud providers.
Three paradigm shifts to internalize
There are three important paradigm shifts that every CXO should have internalized by now that working from anywhere and working-from-anywhere (WFA) architectures are here to stay:
1. Employee homes are now part of your corporate network
Employee homes are now part of your corporate network, with all their weaknesses and vulnerabilities. You know, whether it’s weak Wi-Fi passwords, misconfigured routers, unpatched computers, or vulnerable Internet of Things (IoT) devices, employee home networks are far easier to compromise than corporate ones.
A typical home network is 3.5 times more likely to have malware. It usually has multiple untrusted devices coexisting with your work machines. If the VPN is not always on—and probably it won’t be—at best, you can expect only intermittent protection. On top of that, you have weak network access control to contend with. All in all, it’s a recipe for exploitation.
How can you gain visibility into threats within these network segments, where you essentially don’t have visibility? The answer is to use deception. You can lure attackers to planted decoys—false files, processes, passwords, and cookies—on the work machines of all your remote employees. Once they encounter these decoys and fall for the trap, you will catch them. And you can do so without having to deploy appliances or network traffic monitoring choke-points that diminish user experience.
2. Use deception to help strained security teams
Security teams no longer have the same level of access they once had to do their job. New WFH systems aren’t integrated into security information event management (SIEM) solutions. They are provisioned, but not integrated, so there’s a lack of endpoint visibility into home networks. The internal monitoring systems that previously provided real-time analysis and alerts are no longer fully accessible.
On top of that, teams are not adequately staffed, so there’s less headcount to handle the overall increase in alerts and attacks. The wide skills gap means that teams are finding it more and more difficult to retain the top talent necessary to support their detection and response metric goals.
How can you help your already stretched team prioritize an increased workload? Again, by using deception. If an attacker is accessing one of your decoy services, you know your team must act. These are highly accurate, high-confidence alerts that you can and should count on. The alerts can be sent over text messages or through automated phone calls, so there’s no need to monitor a SIEM 24 hours a day, seven days a week. Because the alerts are so accurate, you can also automate your response to them and save your team precious time.
3. Heavy reliance on cloud services is here to stay
The third major paradigm shift that CXOs must wrap their heads around is the pervasiveness of remote access cloud services. Cloud services expose internal web applications and services to the internet, creating opportunities for attackers to access internal networks with stolen credentials. And, with the corporate network being online and exposed, attackers can easily scan it for vulnerabilities and misconfigurations. Some of the more common vulnerabilities include Apache Tomcat servers, open databases, and Amazon S3 buckets.
IT teams are unfamiliar with these new remote access VPN systems and Citrix servers, so user error is not uncommon in the configuration process. This exposes the organization’s internal apps and databases. Attackers also rely on spear-phishing, credential stuffing, and stealing valid credentials to remotely access large segments of an organization’s data center.
When the credentials used by attackers are valid, how can you know who is legitimate? In this case, once again, deception is a great tool. By creating a couple of decoy VPN portals, you can catch those logging in with stolen credentials. To protect against credential stuffing attacks, you can create web application decoys. And to prevent attackers from stealing credentials in the first place, you can create fake users in the system to detect the phishing campaigns and alert real employees not to click on the links in those campaigns.
You can also deploy decoy servers, applications, and databases that resemble vulnerable ones, or have the recent Citrix and ManageEngine vulnerabilities, making them attractive honeypots to catch attackers. Any attempt to seek out these assets is an obvious incoming threat, with very low alert volume.
New Attack Surface, New Strategies and Tools
In summary, by using the tool of deception and deploying dozens of decoys in multiple ways throughout your WFA network, you can do more with less, adapt to the new modern workplace, and balance security, user experience, and accessibility for your employees and trusted third parties.
Editor's note: This article is by Amir Moin, product marketing manager at Zscaler.
What to read next