The remote workforce is now more prevalent than ever. In fact, it is expected that as many as 75 million people (1,500% increase) may be working from home before the COVID-19 pandemic comes to a close. As such, significant focus has recently been placed on security controls designed to protect workers from the cyber threats associated with working from home. But what if those controls fail and there is a security incident originating from a remote employee?
Remote incident response creates several new challenges that can further compound an already stressful situation. In this article, we will discuss new risks associated with remote employees, challenges, and solutions around incident response, as well as some preventative steps that can be taken in order to be better prepared.
Remote Employee Risks
The rapid growth of the remote workforce was borne out of necessity rather than convenience due to the COVID-19 pandemic. Consequently, organizations had little time and few resources to plan and execute a secure solution. As a result, exposure has increased significantly due to new remote employee risks.
Data Flow Changes
First, data flows have changed to support a disparate workforce. These changes include both official, sanctioned data flows as well as those that have developed organically without the company’s blessing. More cloud services have been adopted to give employees connectivity wherever they are, and VPNs or other remote solutions have been deployed to connect computers to the office network. Not only is data moving between these cloud services or remote connectivity solutions, but it is also residing in new places such as on remote machines, external devices, such as flash drives, or even personal computers. This presents new challenges for the investigation as the organization may not know where their data is stored.
Less Monitoring of Employee Behavior
Second, it has become more challenging to monitor employee behavior and devices. It is much easier to have touch-points with employees, and to observe behavioral changes such as stress and non-verbal cues, when you work face-to-face with them. Working remotely, however, eliminates much of this.
Modern video conferencing tools have come a long way to bridge the communication gap. Unfortunately, these tools still do not present the same level of interaction of a direct conversation. Furthermore, video conferencing tends to be more structured, often involving scheduled calls, which leaves out the impromptu interactions that occur within the workplace.
Similarly, employee devices may not be connected to the network at all times, so existing auditing and monitoring systems may not be capturing the relevant data for detecting a cybersecurity incident. Some devices, such as personal devices, may not be monitored at all. This makes it difficult for a company to respond to a cybersecurity incident quickly and may increase the damage and scope of an incident, such as a data breach.
Third, employees face more distractions as they try to balance work and home life in the same place. There are often more interruptions from children, spouses, or others living with them, and they are out of their normal workplace routine. Some have additional responsibilities, such as childcare or homeschooling, which further divide their attention. The result is a workforce that may be less focused, more susceptible to social engineering or phishing, and more apt to make mistakes.
Use of Personal Devices and Networks
Lastly, the use of personal devices has increased. Companies may not have the resources to provide each remote employee with a company-issued device, and even those who have company-issued equipment may opt to use their personal computers, phones, tablets, and other systems if they are more powerful or convenient. These devices, however, may not offer the same level of protection against attacks as corporate equipment and may not include the same level of logging for an investigation.
For example, anti-virus software may not be up-to-date or even installed, passwords may not meet length or complexity requirements or change intervals, and operating systems or software may be out of date. Furthermore, logging of important events may not be enabled, and existing logs may be set to overwrite very quickly on the devices. These all present significant risks to the organization and may complicate incident response due to the fact that they are connected to the corporate network or are currently storing sensitive data.
Similarly, an organization’s incident response team may further be hampered if they are also working from home. Do they have the communications infrastructure and access to systems that they need in order to effectively do their job? It is important to understand and address these challenges ahead of time. Similarly, now is also a good time to update the incident response plan to formally document these new logistical considerations.
Remote Incident Response Challenges
Let’s pretend one of your remote employees opened a malicious attachment on a phishing email and infected their personal laptop with malware. The malware installs a keylogger, a remote access trojan (RAT), and a whole host of other nefarious tools whereby the device is effectively under the control of the attacker. In this scenario, the personal computer was also used for company work, including remotely connecting to office resources, Office 365 access, file storage, and so forth. Before long, this incident has resulted in the compromise of the user’s Office 365 instance, unauthorized access to the company network via remote desktop, possible disclosure of sensitive company data, and will quite likely culminate with a ransomware attack.
Where to begin? There are a plethora of resources available through known compliance and regulatory frameworks on how to establish incident response plans, how to respond, and how to identify the data that is important. Two widely accepted incident response frameworks are from NIST and SANS. NIST provides the Computer Security Incident Handling Guide, and SANS offers the Incident Handler’s Handbook. Both offer similar guidance when addressing incident response, with foundational elements that include:
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
It is commonly said that it is not a matter of if you will experience an incident, but instead it is only a question of when it will happen. The threats that existed prior to the large-scale adoption of remote work still exist and have been ramped up by malicious actors.
The needs of each organization can vary widely depending on the type of business conducted and individual characteristics. There are still general guidelines, however, to follow when it comes to incident response. First and foremost, you need a documented incident response plan regardless of your business. If you do not have a documented incident response plan then you are not prepared for a data breach. Even a plan as simple as an outline matrix of the technical, legal, and human resource contacts is still better than no plan at all.
Processes are outlined for the majority of an organization’s business logic. It is also important, however, to clearly identify various processes when it comes to incident response. This includes processes on how a potential incident is reported, primary and secondary incident reporting contacts, actions the incident reporter should take, actions the responders should take, and identifying additional resources that should be contacted in the event of specific incidents (ransomware as opposed to business email compromise). These documented processes should be reviewed and updated as it relates to your remote workforce and then communicated to relevant parties.
Remote workers are connecting their company-issued or personal device to their home network, which can expose that computer to other potential threats on the network. Amid an incident, you do not want to be in the position where you do not have enough data to come to a definitive conclusion, especially if you have reporting and/or notification requirements.
Detection and Analysis
As mentioned, a simple but very important risk to remote employees is that there may be less monitoring of employee systems, which will inevitably lead to a lack of data in the event of an incident. Nonetheless, monitoring options are still available. Just because an employee may be using a personal device for work does not mean that the employer cannot require the installation of security software that is managed by the organization. This can be a prerequisite for using a personal device for company purposes.
It is important for the organization to actively search for and detect potential security incidents. There are various cloud-based endpoint security tools available that work on devices that are not connected to the corporate network. These tools are invaluable for protecting devices and providing timely alerts to threats.
Another important tool for detection is a security information and event management (SIEM) platform that will actively search for anomalies in log data and alert the security team of significant findings. Microsoft Office 365 (O365) has built-in SIEM connectors that make it easy to integrate your SIEM so that it can monitor your O365 environment. Many other cloud-based tools also offer SIEM integrations.
As remote workers adapt to their new working conditions, they may prioritize actions of convenience instead of following established procedures. For example, a remote worker is more likely to transfer company work product to their remote work device for convenience instead of interacting with those work products through a secure channel. Data loss prevention (DLP) solutions are designed to block, or alert the IT staff to, data transfers that do not follow protocol.
Finally, regularly review the list of approved Administrators and set up alerts for when a new admin is created or when a user’s privileges are escalated to an Administrator. Unauthorized changes to this list can be a telltale sign that an attack is in progress.
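The admin-list review and privilege-escalation alerting described above, as an added example that is not TCDI's code or any vendor's SIEM rule: it scans newline-delimited JSON audit records for privileged-role grants and raises an alert when the account receiving the role, or the account granting it, is not on the reviewed list of approved administrators. The record layout, field names, and sample records are constructed for the demonstration and do not reproduce any product's exact schema.

```python
# Added example (not TCDI's code): flag privileged-role grants in newline-delimited
# JSON audit records. The record layout and field names are constructed
# approximations of a cloud directory audit event, not any vendor's exact schema.
import json
from collections import namedtuple

# The reviewed list of approved administrators the article recommends keeping.
APPROVED_ADMINS = {"admin.alice@example.com", "admin.bob@example.com"}
# Roles whose assignment to anyone outside that list should raise an alert.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}

Alert = namedtuple("Alert", "time actor target role reason")


def parse_events(raw_lines):
    """Parse one JSON record per line, skipping blank or malformed lines."""
    events = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not abort the whole scan
    return events


def find_admin_grants(events, approved=APPROVED_ADMINS):
    """Alert on privileged-role grants to accounts not on the approved list,
    and on grants performed by an actor who is not an approved admin."""
    alerts = []
    for ev in events:
        if ev.get("operation") != "Add member to role":
            continue
        role = ev.get("role", "")
        if role not in PRIVILEGED_ROLES:
            continue
        ts, actor, target = ev.get("time", ""), ev.get("actor", ""), ev.get("target", "")
        if target not in approved:
            alerts.append(Alert(ts, actor, target, role, "unapproved account granted privileged role"))
        if actor not in approved:
            alerts.append(Alert(ts, actor, target, role, "privileged role granted by non-approved actor"))
    return alerts


# Constructed sample records for demonstration; not real audit data.
SAMPLE_LOG = """
{"time": "2020-06-01T09:12:00Z", "operation": "Add member to role", "actor": "admin.alice@example.com", "target": "admin.bob@example.com", "role": "Exchange Administrator"}
{"time": "2020-06-01T22:47:13Z", "operation": "Add member to role", "actor": "jdoe@example.com", "target": "jdoe@example.com", "role": "Global Administrator"}
{"time": "2020-06-01T22:48:02Z", "operation": "Reset user password", "actor": "jdoe@example.com", "target": "cfo@example.com"}
not a json line
"""

if __name__ == "__main__":
    for a in find_admin_grants(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT {a.time} {a.reason}: {a.actor} -> {a.target} ({a.role})")
```

Feeding the same logic from a SIEM's scheduled search, rather than a file, is the intended deployment; the approved list is what changes whenever the periodic admin review does.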
The aforementioned tips will not only assist with detection but also with analysis during the triage stage when trying to identify the scope and impact of the incident. On a similar note, ensuring enhanced logging is enabled, and the log retention time is generous (e.g., 12 months), is arguably the single most important measure a company can take to aid in their incident analysis. Unfortunately, these settings must be changed before an incident occurs. Without log data, gathering the facts surrounding a data breach becomes more difficult and sometimes impossible.
Containment, Eradication, and Recovery
Following the detection and analysis phases are the containment, eradication, and recovery phases. Containment focuses on restricting an incident to the minimum number of devices, usually by removing connectivity from those devices or disabling services or systems.
Containment is usually accomplished by disconnecting the system from the network. This prevents malware from spreading to other machines and disconnects sessions that cybercriminals may have to the machine. Forensics and cybersecurity professionals could then work on the machine while it is isolated. This approach is not so simple in the remote scenario where physical access to the devices is not possible. Containment is still vital in these cases, but access to the machine must still be maintained for analysis and remediation.
The nature of the incident will determine exactly which steps are performed to contain it while preserving connectivity for cybersecurity and forensics.
For example, if the incident were malware related, the methods used by the malware to propagate would factor into how it can be contained. It can also be helpful to reduce the amount of time the machine is connected. The machine can be disconnected from the network, and then teams can request that it be re-connected for brief periods while they remote-in to the machine to retrieve files for analysis or perform a task. This is dependent, however, upon whether the end-user of the machine is cooperating with the investigation.
Another approach is to establish a dedicated link for the system to communicate with those analyzing it. A hotspot can be shipped to the site, and then the system could be connected only to the hotspot so that teams can have access. This is only applicable for certain cases, however, as it would not prevent persistent access from a cyber-criminal to the machine, and malware used for data exfiltration might still be able to operate over the link. Technology can be used to funnel outgoing connections to the remote analysis site and then prevent external connections from that site to others. Unfortunately, this increases the complexity of the deployment and may take away valuable time from the investigation and eradication phases.
The next step is to remove the cause of the incident and recover the system to a functional state. This step is only performed after the system is contained, and the relevant information has been preserved for subsequent forensic investigation. If it is performed too early, the eradication steps can remove valuable evidence for the investigation.
Eradication may involve cleaning malware from a machine, removing persistent access, or reversing unauthorized configuration changes. It is not enough to simply clean the indicators that were identified when the incident was detected, as incidents often go much deeper. The exact eradication steps are often dependent upon what is determined in the investigation, but eradication can take place at various points following preservation.
The most thorough way to eradicate the issue and recover the system is to wipe the hard drive of the machine and then restore from a clean backup or image of the system. Some companies may be hesitant to do this for fear of losing data. This is another reason why the company work product should not be stored on local machines, because then these systems can be wiped and restored without fear of significant data loss. The last part of the recovery is to apply any customization that the end-user needs on the system so that they can begin using it again.
After an incident has been contained and remediated, many questions will still exist regarding how the incident occurred, what data may have been impacted, when did it occur, etc. A post-incident forensic investigation is an important step toward analyzing the available evidence and gathering the facts. Oftentimes, log data will be analyzed, malware will be reverse engineered in a sandbox environment, and forensic images of devices will be analyzed to put together the pieces of the puzzle. This analysis is important to better understand the impact of the breach and the parties who may have been affected.
Debriefs are also important, as each incident provides an opportunity to strengthen organizational security and improve a security culture. First, consider how the incident occurred and design solutions to reduce the likelihood of it occurring again. The cybersecurity team investigating the incident will likely have recommendations for you in this area. Second, debriefs can aid in identifying ways to improve the overall incident response process. Debriefs involve discussing the incident and how well the incident response steps were performed. Improvements are then documented, and responsibility for implementing the improvements is given to someone in the organization so that the lessons learned from the engagement can be implemented.
The culture of an organization is developed over time and with shared experiences. Discuss the event and the changes that will be implemented as a result. This may include changes to processes, new technology, or additional training. This aids in fostering support for the updates and is a reminder moving forward of why they are necessary.
It is also important to reflect on and re-evaluate security controls in light of the costs of the incident. It can be difficult to quantify needs and risks in a vacuum, but an incident provides tangible evidence of the costs that are directly relevant to an organization. The decision may be to increase cybersecurity insurance coverage, add more security technologies, perform more frequent penetration testing or security assessments, or engage in more regular security awareness or other specialized training. These are all important things to consider following the incident.
In the midst of a large influx of remote workers, it can be daunting to think about the potential cost and effort required to implement an infrastructure that would not only support staff working remotely, but also provide a secure environment and resources to perform incident response on remote systems effectively. It is important to note that in the majority of cases, many organizations already have the necessary infrastructure in place to pivot their business logic into a remote-workers-centric infrastructure whilst implementing security best practices.
From a technical perspective, organizations can leverage their existing server infrastructure to support secure remote connections using deployments already available in most Windows Server environments. These configurations can enable remote workers to have encrypted and secure access to internal resources like file shares, printers, and intranet web applications. Ensure that these systems can be remotely managed and monitored, and that they collect the relevant investigation data from remote systems.
Organizations should take the time now to assess current technology and processes to identify the most effective way to utilize what they already have. This process can help optimize existing equipment and foster the implementation of new technologies that effectively complement current systems at a lower cost. This often involves updating or creating new processes.
Procedural enhancements can also be made to take advantage of the existing licensing features that come with Office 365 and G-Suite business licenses that offer secure cloud storage, collaboration, and communication. Take the time to outline processes with the new implementations on clear and direct lines of communications for technical, information security, and other support systems present within the organization.
Lastly, consider organizational policies and how they can best establish expectations for remote work and incident response. In addition to incident response plans, this may also be a good time to update security or remote work policies and acceptable use policies.
The new reality of remote work has taken the complexities associated with incident response to a whole new level. To begin preparing for an incident:
- Evaluate how the associated cybersecurity risks and challenges affect your organization.
- Ensure your incident response plan and other policies and procedures are updated accordingly.
- Review infrastructure and security controls to identify improvement opportunities.
- Consider rolling out new technologies like DLP, SIEM, and cloud-based end-point security.
During an incident, it is important not to destroy important log data and other evidence that could be invaluable during the post-incident analysis. For example, if you decide to “wipe and restore,” then ensure you have a forensic image of the affected computer first. Finally, do not miss the opportunity to conduct a debrief after the incident to identify lessons learned and opportunities for improvement. Then, document and implement the changes, roll out enhanced security controls, provide additional training and take other steps to prevent a similar incident from happening again. As the saying goes, “Those who fail to learn from history are doomed to repeat it.”