The Risky New World of Work
The World Economic Forum’s Global Risks Report 2021 highlights the failure of cybersecurity measures as a key short-term risk facing organizations today. Last year there was a dramatic increase in cyber-attacks on government agencies and companies globally – many leveraged the COVID-19 crisis to infiltrate networks. According to the study, the attack volume doubled from the second half of 2019 to the first half of 2020.
Anatomy of an attack
When we look at how attacks play out, in the vast majority of cases bad actors go after the low-hanging fruit in networks — known but unpatched vulnerabilities. Having exploited a vulnerability to gain a toehold in the organization, attackers pivot to Active Directory and the identity infrastructure to escalate privileges and move laterally, aiming to exploit further vulnerabilities, install malware, exfiltrate data, or hold the organization to ransom with outages and disruption. Once an attacker gains control of Active Directory, they effectively have the “keys to the kingdom” and can use them to access any device or system connected to the network. In addition, if Active Directory serves as the Identity Provider (IdP), compromising it can also compromise a single sign-on (SSO) solution, giving attackers access to every additional account a user is configured to reach.
To combat this, organizations must take a multi-layered approach to cybersecurity – one that looks to prevent criminals gaining that toehold, locks them down if they do get inside and looks for indicators of compromise to shut down attempts to exfiltrate data and eliminate bad actors from the infrastructure:
Prevent the toehold: While it might seem simplistic, basic cyber hygiene plays a critical role and acts as the first line of defense. Organizations need a modern, comprehensive strategy that identifies vulnerabilities and misconfigurations quickly and accurately across their dynamic infrastructure and delivers clear guidance on how to prioritize and remediate the risks it finds.
Prevent the pivot: The dissolution of traditional perimeters makes the configuration and management of user privileges and access more critical than ever before. However, when it comes to Active Directory and identity access management, this is where most organizations struggle. Here is a best practices checklist to help:
- Make sure only authorized users are accessing data and only the data they are authorized to access. Require the use of multi-factor authentication and strong passwords (25 characters) on service accounts and actively manage the groups they are in. Enforce the principle of least privilege across all endpoints, blocking default administration, denying access from a built-in local administrator account, and avoiding built-in groups, which have too many permissions.
- Clean up the domains in your network and limit the number of privileged users, administrative accounts, and permissions in the network.
- Use technology that continuously scans directories for security vulnerabilities and weak configurations. Monitor events in Active Directory for unauthorized behaviors that could indicate signs of attack. And finally, deploy software updates as soon as possible.
Monitor for deviations: While keeping bad actors out of the environment is the primary focus, it’s also important to plan how to identify and stop anyone who does get in. Here are some basic steps to consider:
- Adaptive user risk profiles — based on changing conditions, behaviors, or locations — allow the organization to continuously monitor and verify every attempt to access corporate data before granting or revoking the request. For example, someone using a corporate-owned device within the office perimeter during working hours may be deemed a lower risk than someone connecting using their own device over an insecure Wi-Fi hotspot at 2:00 am.
- Employ network segmentation to prevent uncontrolled lateral movement.
- Continuously monitor for indicators of compromise. As illustration, a server in the basement used to control the air conditioning — if it suddenly starts trying to connect to an external source out of hours then this might warrant immediate investigation.
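The two monitoring steps above (an adaptive risk profile per access attempt, and watching an internal-only asset for unexpected outbound connections out of hours) can be reduced to simple rules. The following Python is an added example written for this article, not code from the original page or from any product it describes; the host name hvac-basement, the 10.0.0.0/8 corporate range, the business-hours window, the risk weights and the log lines are all constructed assumptions.

```python
"""Added example: a rule-based risk score for access requests and an
indicator-of-compromise check over constructed outbound-connection logs.
All hostnames, subnets, thresholds and sample lines are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Part 1: adaptive risk profile for one access request -------------------

BUSINESS_HOURS = range(8, 18)                              # 08:00-17:59, assumed
NETWORK_RISK = {"office": 0, "home": 10, "public-wifi": 30}  # assumed weights
UNMANAGED_DEVICE_RISK = 40
OFF_HOURS_RISK = 20


def access_risk(device_managed: bool, network: str, hour: int) -> int:
    """Score one access attempt; higher means riskier."""
    score = 0 if device_managed else UNMANAGED_DEVICE_RISK
    score += NETWORK_RISK.get(network, 30)   # unknown network treated like public Wi-Fi
    if hour not in BUSINESS_HOURS:
        score += OFF_HOURS_RISK
    return score


def access_decision(score: int) -> str:
    """Map a score to allow / step-up (require extra verification) / deny."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step-up"
    return "deny"


# --- Part 2: IoC check for an internal-only asset talking outbound ----------

CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
INTERNAL_ONLY_HOSTS = {"hvac-basement"}       # assets that should never reach out


@dataclass
class Conn:
    when: datetime
    host: str
    src: str
    dst: str
    port: int


def parse_conn(line: str) -> Conn:
    """Parse the constructed format '<iso-time> <host> <src> -> <dst>:<port>'."""
    when, host, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(when), host, src, dst, int(port))


def is_external(addr: str) -> bool:
    """External means outside the corporate ranges we define, not a public/private guess."""
    return not any(ip_address(addr) in net for net in CORPORATE_NETS)


def suspicious_reasons(c: Conn) -> list:
    """Return why a connection is suspicious; an empty list means nothing flagged."""
    reasons = []
    if c.host in INTERNAL_ONLY_HOSTS and is_external(c.dst):
        reasons.append("internal-only host contacted external address")
        if c.when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
    return reasons


# Constructed log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for arbitrary Internet addresses.
SAMPLE_LOG = [
    "2021-03-01T10:15:00 hvac-basement 10.0.20.5 -> 10.0.20.1:443",
    "2021-03-01T02:12:00 hvac-basement 10.0.20.5 -> 203.0.113.7:443",
    "2021-03-01T14:30:00 hvac-basement 10.0.20.5 -> 198.51.100.9:8443",
    "2021-03-01T11:00:00 finance-ws01 10.0.30.8 -> 198.51.100.20:443",
]


def scan_log(lines) -> list:
    """Return (host, time, reasons) for each flagged line."""
    hits = []
    for line in lines:
        c = parse_conn(line)
        reasons = suspicious_reasons(c)
        if reasons:
            hits.append((c.host, c.when.isoformat(), reasons))
    return hits


if __name__ == "__main__":
    print(access_decision(access_risk(True, "office", 10)))       # corporate device, in office
    print(access_decision(access_risk(False, "public-wifi", 2)))  # BYOD on a hotspot at 02:00
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The 02:12 connection from hvac-basement to an external address is flagged with two reasons, the 14:30 one with a single reason, and the workstation's ordinary HTTPS traffic is not flagged at all. In practice the score weights and the internal-only host list would come from the asset inventory and the organization's own risk appetite rather than constants in a script.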
The new world of work has shattered the corporate network, forcing a move away from perimeter-based security architectures. Organizations must address the new and unmanaged cyber risks introduced. They need the ability to see into the entirety of the attack surface — on-premises and in the cloud. In tandem, they need to determine where vulnerabilities exist and their impact if exploited.