Maintaining Network Security when Everyone is Working from Home
Bad guys are laser-focused on finding opportunities they can exploit to get into networks and take whatever they can find, poison your network, paralyze assets, or just create havoc. They don’t care whether the opening comes from a small change in your organization or from a global catastrophe, and they aren’t constrained by anything resembling a moral compass. After all, they’re *criminals*.
Unfortunately, the coronavirus epidemic has handed them a spectacular opportunity.
Let me pause here for a moment. These are not normal times. With the terrible effects, and the fear-inducing threat of COVID-19, we’re all anxious for ourselves and our loved ones. That has to be priority number one for everyone. Network security, understandably, is a lower priority. We must be focused on our health and safety, and on slowing down the spread of the virus, and ultimately beating it.
Unfortunately, slowing the virus has given rise to one of the most extraordinary security challenges IT professionals have ever faced. And it’s happened virtually overnight.
Under normal circumstances, the bulk of your employees work in a traditional corporate environment, connected locally to LANs, and behind the corporate firewall. Your IT and InfoSec staff have a relatively controlled environment.
Now, however, in just a matter of days, your staff are almost guaranteed to be working remotely, many for the first time, and at some point using a VPN to connect to your corporate infrastructure. Obviously, a number of companies use the cloud heavily, but there are always key systems that run locally rather than in the cloud. Payment gateways. Financial systems. R&D racks. Authentication and directory systems such as LDAP, X.509 or 2FA servers. So at some point, our employees are connecting to a corporate VPN. And they connect over the only network they have – their home routers, cable or fiber modems, or MiFi devices. Over the public Internet. We’re managing our businesses and our networks through dozens, hundreds, even thousands of individual VPN connections across that open Internet.
- Statista reports that VPN usage jumped almost 60% in the U.S. from March 9 – 15 compared to the previous week, at the start of the national shutdown. By now the figure is certainly higher.
At the same time that normal network topography has been upended, IT staffing patterns have been disrupted, too. Many of us in the technical world are working remotely at a time when we’re struggling to deal with the avalanche of user questions and issues that working from home has spawned.
So with resources stretched thin, we’re facing an expanded array of threats, including DDoS attacks that can freeze your network and cut off your employees.
The net result is that attackers now have a brand-new vector – or target – for certain attacks. These can be attacks designed to disrupt an organization’s activities, for anything from bragging rights to diverting attention away from phishing/spear-phishing attacks leading to ransomware. My group is tracking over 28,000 (yes, 28,000!) COVID-related domain registrations and host names identified through our threat feed systems and phishing campaigns within the last 3 weeks alone!
And the infuriating thing is that this malicious activity is threatening lives, because when these domains are blocked defensively and coarsely, legitimate and critical information gets filtered out along with them.
So what should you be looking at?
VPNs are an easy target for a DDoS attack. Most enterprises use “vpn” as part of the URL or host name for their VPN, which makes it simple for an attacker to identify the server. With a single DNS lookup they have the IP address and can launch a conventional volumetric attack using a rented botnet. Or a network protocol attack to exhaust server resources. Or an application layer attack.
That’s exactly what’s happening. We’ve seen an uptick in DDoS incidents mitigated through our Security Operations Center from March 11 – 18, including the largest pps attack we’ve ever mitigated. Here are the numbers:
- 92 attacks, up from 86 the previous seven days;
- Attacks from multiple vectors, but predominantly SYN;
- Multiple attacks against education platforms;
- A massive SYN flood attack of 462 Gbps/350 Mbps on March 18, which followed a 222.1 Gbps/208.9 Mbps attack against the same target on March 17.
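The attacks listed above are predominantly SYN floods: the gateway receives far more SYNs than handshakes ever complete. The following is an added example, not Neustar’s code or any product’s logic, showing the simplest detection signal a defender can compute from packet summaries: per-destination SYN volume per time window combined with the fraction of those SYNs that were followed by a client ACK. The packet tuples, the gateway and client addresses, and the thresholds are all constructed for illustration.

```python
"""Toy SYN-flood detector over constructed packet summaries.

Added example (not Neustar code). Input is a list of
(timestamp_seconds, src_ip, dst_ip, tcp_flags) tuples, as a flow
exporter or pcap parser might produce. Thresholds are assumptions.
"""
from collections import defaultdict

SYN = 0x02
ACK = 0x10


def build_sample():
    """Constructed traffic: five clean handshakes to a VPN gateway
    (198.51.100.5), then 2000 half-open SYNs in one second from many
    spoofed sources that never complete the handshake."""
    pkts = []
    for i in range(5):
        client = f"203.0.113.{i + 10}"
        t = 100.0 + i * 0.1
        pkts.append((t, client, "198.51.100.5", SYN))            # client SYN
        pkts.append((t + 0.01, "198.51.100.5", client, SYN | ACK))  # server SYN-ACK
        pkts.append((t + 0.02, client, "198.51.100.5", ACK))      # client ACK
    for j in range(2000):
        spoofed = f"192.0.2.{j % 254 + 1}"
        pkts.append((101.0 + j / 2000.0, spoofed, "198.51.100.5", SYN))
    return pkts


def detect_syn_flood(pkts, window_s=1.0, syn_rate_threshold=500,
                     ack_ratio_threshold=0.5):
    """Return {dst_ip: [(window_start, syn_count, ack_count), ...]}.

    A destination is flagged for a window when the number of bare SYNs
    it received exceeds syn_rate_threshold AND the ratio of completing
    ACKs to SYNs is below ack_ratio_threshold, i.e. handshakes are
    being opened but not finished. Counting bare ACKs as handshake
    completions is a simplification of this toy; a real sensor would
    track the three-way handshake per connection.
    """
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ts, _src, dst, flags in pkts:
        window = int(ts // window_s)
        if flags & SYN and not flags & ACK:
            buckets[(dst, window)]["syn"] += 1
        elif flags == ACK:
            buckets[(dst, window)]["ack"] += 1

    alerts = defaultdict(list)
    for (dst, window), counts in sorted(buckets.items()):
        syn, ack = counts["syn"], counts["ack"]
        # short-circuit keeps the division safe: syn > threshold > 0
        if syn > syn_rate_threshold and ack / syn < ack_ratio_threshold:
            alerts[dst].append((window * window_s, syn, ack))
    return dict(alerts)


if __name__ == "__main__":
    for dst, windows in detect_syn_flood(build_sample()).items():
        for start, syn, ack in windows:
            print(f"{dst}: SYN flood suspected at t={start}s "
                  f"({syn} SYNs, {ack} completions)")
```

The clean handshakes in window 100 produce a 1.0 completion ratio and stay silent; the burst in window 101 produces 2000 SYNs with zero completions and is flagged. In practice the rate threshold is set from a baseline of normal connection rates to the gateway, and the alert feeds whatever upstream scrubbing or failover mechanism you have in place.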
In short, the bad guys are exploiting their opportunity.
So, as a first step, change the VPN hostname[s] to something less descriptive. But let’s assume you’ve done that now…
In normal times, you may have found that on-demand security services worked to protect your assets. But with attackers ratcheting up the heat – and your team spread out and stretched thin – you should reconsider the value of fully-managed services to take the pressure off and ensure your digital assets are safe and secure.
You’re probably getting some protection by having your public services, such as your website or email system, hosted externally. What are you going to do about your VPN, or the other services that aren’t externally hosted or protected? What happens if your corporate connection is attacked, with the VPN specifically targeted? If it goes down, your workforce is offline.
Next, let’s look at the email traffic coming in and going out of your infrastructure:
We know the criminals are looking at causing disruption. But to what end? One of the most likely objectives is to make a path for a targeted email attack. Phishing for a Business Email Compromise (BEC) attack. Or a ransomware attack. Or even a keylogger. Europol has just published a news report on their activities in the last week dealing with some of the raids and arrests made as a result of COVID-19 criminal activity.
Many of these can be stopped by examining and filtering traffic headed towards these machines (a “better than nothing” option), or originating from them (a better than almost everything else option), and the IP addresses associated with them. This should be doable by whatever mechanism you use to defend against the DDoS attacks that target your corporate infrastructure. Examine the traffic: look at headers and content, score the combination while also using reputation, and intelligently pass all the good traffic while minimizing the bad traffic that gets through. Use your risk profile to decide what level of accuracy you can live with.
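The scoring approach described above (headers, content and reputation combined, with the cut-off set by your risk profile) is easier to reason about with a concrete instance. What follows is an added example, not Neustar’s product logic or any real filter: a toy inbound-mail scorer over three constructed messages. The organization domain (`acme-corp.example`), the outbound IP set, the IP reputation table, the suspicious-term list, the risky-attachment extensions, the score weights and the two risk profiles are all assumptions made for the illustration.

```python
"""Toy inbound-mail scorer: headers + content + sender reputation.

Added example (not Neustar code). Messages are plain dicts with the
fields a gateway would already have parsed. All lists, weights and
thresholds below are illustrative assumptions.
"""

ORG_DOMAIN = "acme-corp.example"        # assumed protected organization
ORG_LABEL = "acme"                      # label used to spot lookalike domains
ORG_OUTBOUND_IPS = {"192.0.2.10"}       # assumed legitimate sending IPs

# Constructed reputation table: 0.0 = clean ... 1.0 = known bad.
IP_REPUTATION = {"203.0.113.7": 0.0, "198.51.100.22": 0.9}
UNKNOWN_IP_SCORE = 0.2                  # mild suspicion for unlisted IPs

SUSPICIOUS_TERMS = ("urgent", "wire transfer", "verify your account",
                    "password expires")
RISKY_EXT = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".iso")

# Risk profile -> thresholds on the combined score.
RISK_PROFILES = {
    "tolerant": {"quarantine": 0.7, "block": 0.9},
    "strict":   {"quarantine": 0.4, "block": 0.7},
}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def header_score(msg):
    """Header signals: Reply-To mismatch, failed auth, spoofed or lookalike sender."""
    s = 0.0
    from_dom = domain_of(msg["from"])
    if domain_of(msg.get("reply_to") or msg["from"]) != from_dom:
        s += 0.3                        # replies diverted to another domain (BEC pattern)
    if msg.get("auth") != "pass":
        s += 0.2                        # SPF/DKIM/DMARC summary not passing
    if from_dom == ORG_DOMAIN and msg["sender_ip"] not in ORG_OUTBOUND_IPS:
        s += 0.4                        # claims to be internal but came from outside
    elif from_dom != ORG_DOMAIN and ORG_LABEL in from_dom:
        s += 0.5                        # lookalike of the org domain
    return min(s, 1.0)


def content_score(msg):
    """Content signals: pressure/credential phrases and risky attachments."""
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = sum(1 for term in SUSPICIOUS_TERMS if term in text)
    s = min(0.15 * hits, 0.6)
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        s += 0.3
    return min(s, 1.0)


def reputation_score(msg):
    return IP_REPUTATION.get(msg["sender_ip"], UNKNOWN_IP_SCORE)


def score_message(msg):
    """Weighted combination; weights are an assumption of this example."""
    total = 0.5 * header_score(msg) + 0.3 * content_score(msg) + 0.2 * reputation_score(msg)
    return round(total, 3)


def classify(msg, profile):
    """Map the score to deliver / quarantine / block for the chosen risk profile."""
    t = RISK_PROFILES[profile]
    sc = score_message(msg)
    if sc >= t["block"]:
        return "block"
    if sc >= t["quarantine"]:
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "alice@partner.example", "auth": "pass", "sender_ip": "203.0.113.7",
     "subject": "Q2 invoice", "body": "Hi, attached is the Q2 invoice as discussed.",
     "attachments": ["q2-invoice.pdf"]},
    {"from": "ceo@acme-corp.example", "reply_to": "ceo.office@webmail.example",
     "auth": "fail", "sender_ip": "198.51.100.22",
     "subject": "URGENT: wire transfer needed today",
     "body": "I'm in a meeting, process this wire transfer now. Urgent."},
    {"from": "it-helpdesk@acme-support.example", "auth": "pass",
     "sender_ip": "198.51.100.40", "subject": "Verify your account",
     "body": "Your VPN password expires today; verify your account with the attached form.",
     "attachments": ["vpn-reset-form.docm"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m['from']:<35} score={score_message(m):.2f} "
              f"tolerant={classify(m, 'tolerant')} strict={classify(m, 'strict')}")
```

The spoofed-executive message scores 0.72: a tolerant profile quarantines it, a strict one blocks it. The lookalike helpdesk phish scores 0.47, which only the strict profile holds back, which is exactly the trade-off the risk profile decides: lower thresholds catch more of the bad traffic at the price of more legitimate mail sitting in quarantine for a stretched team to review.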
At Neustar, we “eat our own dogfood”:
As part of our Security Solutions offerings we use our services and products to keep our traffic in an always-ready state and can do the same for you. Our systems will sit in-line between your corporate network and the outside world using a range of DDoS Protection options — Always-Proxied, Always-Routed, and Always-Hybrid. If an attack exceeds local capacity, we’ll fail over your traffic to the UltraDDoS Protect cloud and manage the response until the attack and the danger have passed, however long it takes.
Importantly, these are fully managed services. We take over the work of monitoring, detecting and responding to any DDoS incident that affects your network, freeing your team for all the other demands you’re fielding right now.
Lastly, let me urge you to consider a managed service option sooner rather than later, whether you include Neustar in your thinking or not. It’s much easier to mitigate an attack when you have a solution in place before you actually need it.
These are challenging times. We could all use one less worry on our plate.
Be healthy, stay healthy, and stay safe.