5 Remote Work Threats and How to Protect Against Them WHITEPAPER

Page 1: 5 Remote Work Threats - Top 5 Remote Work Thre… · Here’s an example of a BackupService account that an IT admin had legitimate access to. The insider used the backup account

Business Continuity and Security Challenges

With the surge in remote work, many IT and security teams are forced to make security tradeoffs to maintain business continuity. The numbers of internet-facing RDP servers and VPN devices have both grown very quickly—over 30%—in the past month, and Microsoft Teams usage has exploded. Whether it’s relaxing security policies so that employees can work on files, emails, and apps from home, or removing strict requirements around VPN, many business continuity efforts can introduce massive risk.

Here are the top 5 threats the Varonis Incident Response Team has seen over the past few weeks, and how to stop them.

1 VPN Brute Force

2 Phishing

3 Man-in-the-Middle Attacks

4 Malicious Azure Apps

5 Insider Threats

1 VPN Brute Force

The VPN is often the gateway to valuable, sensitive data. With so many people working from home, organizations are enabling VPN access for many more users. Hackers often target a VPN with brute force, using stolen credentials to try to gain access. If successful, they can escalate their privileges, recon the network, and use the stolen credentials to exfiltrate sensitive data.

By the way, it’s not just VPN that is targeted. Our team has also seen a spike in brute-force attacks against Active Directory and a growing number of internet-exposed services. Some organizations have disabled alerts that trigger on too many failed login attempts. Others never bothered to monitor authentication activity. More importantly, not all intrusion attempts are noisy.

How Varonis Helps

Varonis has a variety of built-in threat models to detect abnormal authentication behavior (credential stuffing, password spraying, brute force) on your VPN or Active Directory. You’ll notice that our threat models consider more than one source—activity is enriched and analyzed in context with information we gather from Active Directory, web proxies, and data stores like SharePoint or OneDrive.

You can also get a quick look at context-rich VPN activity (not raw logs) with a library of saved searches which can be used for reporting or threat hunting:

Learn about the anatomy of a brute-force attack on the Varonis blog
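The authentication patterns named above can be expressed as simple rules over a logon log. The Python below is an added example, not Varonis code and not a DatAlert threat model: it parses a constructed VPN/Active Directory logon log (the line format, user names, IP addresses and every threshold are assumptions made for the demo) and applies four rules: noisy brute force against one account, password spraying across many accounts, the quiet low-and-slow guessing that never trips a per-minute alert, and a success that follows repeated failures from the same source.

```python
"""Authentication anomaly detection over VPN / Active Directory logon events.

Added example, not Varonis code. Log format, field names and thresholds are
assumptions chosen for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <vpn|ad> auth=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>vpn|ad) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

BRUTE_FAILS, BRUTE_WINDOW = 10, timedelta(minutes=5)   # noisy: many tries, one account
SPRAY_USERS, SPRAY_WINDOW = 6, timedelta(minutes=10)   # many accounts from one source
SLOW_FAILS, SLOW_WINDOW = 30, timedelta(hours=24)      # quiet but persistent
PRIOR_FAILS, PRIOR_WINDOW = 3, timedelta(hours=1)      # failures preceding a success


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def max_in_window(times, window):
    """Largest number of timestamps that fit inside any interval of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def max_distinct_in_window(pairs, window):
    """Largest number of distinct values among (timestamp, value) pairs inside any window."""
    pairs = sorted(pairs)
    counts = defaultdict(int)
    best = lo = 0
    for hi, (t, value) in enumerate(pairs):
        counts[value] += 1
        while t - pairs[lo][0] > window:
            old = pairs[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect(lines):
    """Return sorted (rule, source_ip, user) findings; user is "*" for source-wide rules."""
    events = [e for e in map(parse_line, lines) if e]
    by_pair = defaultdict(list)   # (src, user) -> failure timestamps
    by_src = defaultdict(list)    # src -> (failure timestamp, user)
    for e in events:
        if e["result"] == "FAIL":
            by_pair[(e["src"], e["user"])].append(e["ts"])
            by_src[e["src"]].append((e["ts"], e["user"]))
    findings = set()
    for (src, user), ts in by_pair.items():
        if max_in_window(ts, BRUTE_WINDOW) >= BRUTE_FAILS:
            findings.add(("brute_force", src, user))
    for src, pairs in by_src.items():
        if max_distinct_in_window(pairs, SPRAY_WINDOW) >= SPRAY_USERS:
            findings.add(("password_spray", src, "*"))
        ts = [t for t, _ in pairs]
        noisy = max_in_window(ts, BRUTE_WINDOW) >= BRUTE_FAILS
        # the quiet variant: a per-minute alert never fires, a per-day count still catches it
        if not noisy and max_in_window(ts, SLOW_WINDOW) >= SLOW_FAILS:
            findings.add(("low_and_slow", src, "*"))
    for e in events:   # a success right after failures from the same source is the one to chase
        if e["result"] == "OK":
            prior = [t for t, _ in by_src.get(e["src"], []) if e["ts"] - PRIOR_WINDOW <= t < e["ts"]]
            if len(prior) >= PRIOR_FAILS:
                findings.add(("success_after_failures", e["src"], e["user"]))
    return sorted(findings)


def sample_log():
    """Constructed events: a brute force, a spray ending in a success, a low-and-slow
    guess against a service account, and a user who mistyped a password twice."""
    base = datetime(2020, 4, 14, 8, 0, 0)

    def line(offset, source, result, user, src):
        return f"{(base + offset).strftime('%Y-%m-%dT%H:%M:%SZ')} {source} auth={result} user={user} src={src}"

    lines = [line(timedelta(seconds=15 * i), "vpn", "FAIL", "jdoe", "203.0.113.7") for i in range(12)]
    sprayed = ["asmith", "bjones", "clee", "dkhan", "epatel", "fgarcia", "gmiller", "hwang"]
    lines += [line(timedelta(seconds=30 * i), "vpn", "FAIL", u, "198.51.100.20") for i, u in enumerate(sprayed)]
    lines.append(line(timedelta(minutes=5), "vpn", "OK", "asmith", "198.51.100.20"))
    lines += [line(timedelta(minutes=20 * i), "ad", "FAIL", "svc_backup", "192.0.2.9") for i in range(36)]
    lines += [line(timedelta(seconds=60 + 20 * i), "vpn", r, "kwong", "203.0.113.50")
              for i, r in enumerate(("FAIL", "FAIL", "OK"))]
    return lines


if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

Two choices are deliberate: the low-and-slow rule only fires when the noisy rule has not, so each source lands in one bucket rather than two, and the success-after-failures rule is the finding that deserves the fastest response because it marks a credential that probably worked. The mistyping user never appears, since two failures are below the prior-failure threshold.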

2 Phishing

Phishing is one of the most popular infiltration techniques and, in uncertain times where people are hungry for information, it’s increasingly effective. We’ve seen several tricky COVID-19 campaigns luring people with emails about donations, medical supplies, and vaccines.

Clicking phishing email links and opening infected attachments can install malware on your computer and allow an attacker to establish command and control (C2), infect other computers on the network, drop ransomware, or exfiltrate data. Employees using personal devices with unpatched applications to access corporate assets are vulnerable targets for drive-by attacks, compounding the risk.

How Varonis Helps

Varonis can detect network behavior that resembles command and control—not just by looking for connections to known malicious IP addresses or domains—by performing deep inspection of DNS and web proxy traffic to detect malware that disguises its communication in HTTP or DNS traffic.

In addition to detecting the presence of malware and its communication back to a C2 server, Varonis’ data-centric threat models often catch a compromised user based on deviations in file or email access.

Download our shareable phishing awareness flyer on the Varonis blog
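Two of the signals a DNS/proxy inspection looks for can be shown over sample logs. The Python below is an added example, not Varonis code: it scores each registered domain in a constructed DNS query log for tunnelling indicators (many unique subdomains whose leftmost label is long or high-entropy, or mostly TXT/NULL queries) and scans a constructed web proxy log for beaconing, a client reaching the same host at nearly constant intervals. The log layouts, the reserved .test domain names, the client addresses and the thresholds are assumptions, and the two-label approximation of a registered domain is a simplification noted in the code.

```python
"""Heuristics for malware that hides command-and-control traffic in DNS or HTTP.

Added example, not Varonis code; log layouts, names and thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict
from statistics import mean, pstdev


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score well above plain words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels approximate the registrable domain.
    A production check should use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_tunnel_candidates(queries, min_subdomains=20, min_entropy=3.5, min_label_len=30, max_txt_ratio=0.5):
    """queries: (client_ip, qname, qtype). Returns {domain: indicators} for suspicious domains."""
    per_domain = defaultdict(list)
    for _client, qname, qtype in queries:
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        per_domain[dom].append((sub, qtype.upper()))
    findings = {}
    for dom, items in per_domain.items():
        subs = {s for s, _ in items if s}
        if len(subs) < min_subdomains:      # a handful of hosts under a domain is normal
            continue
        leftmost = [s.split(".")[0] for s in subs]
        entropy = mean(shannon_entropy(l) for l in leftmost)
        label_len = mean(len(l) for l in leftmost)
        txt_ratio = sum(1 for _, q in items if q in ("TXT", "NULL")) / len(items)
        if entropy >= min_entropy or label_len >= min_label_len or txt_ratio > max_txt_ratio:
            findings[dom] = {"unique_subdomains": len(subs), "mean_entropy": round(entropy, 2),
                             "mean_label_len": round(label_len, 1), "txt_ratio": round(txt_ratio, 2)}
    return findings


def beacon_candidates(requests, min_requests=8, max_cv=0.1):
    """requests: (epoch_seconds, client_ip, host). Flags (client, host) pairs whose
    inter-request gaps have a coefficient of variation below `max_cv`."""
    by_pair = defaultdict(list)
    for ts, client, host in requests:
        by_pair[(client, host)].append(ts)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv:
            flagged.append(pair)
    return sorted(flagged)


def sample_dns():
    """Constructed: 40 hex chunks sent as subdomains of a reserved .test domain,
    plus ordinary lookups and a CDN with many short, predictable hostnames."""
    tunnel = [("10.0.0.5", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.c2-tunnel.test", "TXT")
              for i in range(40)]
    normal = [("10.0.0.5", h, "A") for h in ("www.example.com", "mail.example.com", "login.example.com")]
    cdn = [("10.0.0.7", f"img{i}.example.org", "A") for i in range(25)]
    return tunnel + normal + cdn


def sample_http():
    """Constructed: one host polled every ~60 s with tiny jitter, one browsed irregularly."""
    beacon, t = [], 1586851200
    for j in (0, 1, -1, 2, 0, -2, 1, 0, 1):
        beacon.append((t, "10.0.0.5", "update.c2-beacon.test"))
        t += 60 + j
    beacon.append((t, "10.0.0.5", "update.c2-beacon.test"))
    browse, t = [], 1586851200
    for gap in (5, 120, 3, 400, 30, 8, 900, 60, 15):
        browse.append((t, "10.0.0.5", "www.example.com"))
        t += gap
    return beacon + browse


if __name__ == "__main__":
    print(dns_tunnel_candidates(sample_dns()))
    print(beacon_candidates(sample_http()))
```

The CDN in the sample is the reason the subdomain count alone is not enough: twenty-five hostnames under one domain are normal, and only the label length, entropy and query-type mix separate an encoded payload from img1 through img25. The beacon check is deliberately tolerant of a second or two of jitter, since real implants add some.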

3 Man-in-the-Middle Attacks

Web-based productivity and collaboration products have surged in usage as more and more people work remotely. Many may even be accessing these applications remotely for the first time. Hackers can gain access to these applications, even if they have multi-factor authentication, by tricking users into entering their credentials and authentication code into a fake login page. Then, the hacker can use those credentials to log into the real application.

How Varonis Helps

In the attack lab recording below, our security analysts demonstrate exactly how attackers execute this attack. Then, they review the alerts that trigger within the Varonis platform at each stage of the attack—from the initial visit to the fake login page, to the login attempt by the attacker from an unusual geolocation, to post-intrusion activity.

Watch a MiTM against an MFA-enabled Office 365 tenant

4 Malicious Azure Apps

With people who are working remotely for the first time, many apps or processes may be unfamiliar. Attackers can include malicious Azure apps in phishing campaigns and prompt the user to allow access to their data in Teams and Office 365. Once a user allows a malicious app access, the attacker has access to all the files and emails the user has access to, indefinitely.

How Varonis Helps

Varonis can track Azure App consent requests to detect signs of this attack from the very start. Additionally, because Varonis is capturing, analyzing, and profiling all events in Office 365 for each entity, once a malicious app begins to impersonate the user—sending emails and downloading files—our behavior-based threat models will trigger.

Read the full analysis of the attack on the Varonis blog
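Tracking consent requests "from the very start" comes down to looking at what each grant actually hands over. The Python below is an added example, not Varonis code: it risk-scores consent records on the delegated permissions granted, whether offline_access makes that access persistent (the "indefinitely" above), the publisher's verification status and whether an end user or an admin consented. The record layout is an assumption (a simplified version of what an Azure AD "Consent to application" audit entry carries), the app names and application ids are placeholders, and the thresholds are arbitrary; the permission names are real Microsoft Graph delegated scopes.

```python
"""Risk-scoring OAuth consent grants to catch a malicious Azure app early.

Added example, not Varonis code. Record layout, app names, app ids and
thresholds are assumptions; scope names are real Microsoft Graph scopes.
"""

# Delegated Graph scopes that expose mail, files or directory data.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All", "User.ReadWrite.All",
}
ALERT_THRESHOLD = 5


def score_consent(record, known_apps=frozenset()):
    """Return (score, reasons) for one constructed consent record.

    record keys: app_name, app_id, publisher_verified (bool), consent_type
    ("user" or "admin"), scopes (list of str), granted_by (user principal).
    known_apps: app ids previously reviewed and approved (assumption).
    """
    score, reasons = 0, []
    risky = sorted(set(record["scopes"]) & HIGH_RISK_SCOPES)
    for scope in risky:
        score += 2
        reasons.append(f"sensitive scope {scope}")
    if "offline_access" in record["scopes"] and risky:
        # a refresh token keeps the access alive long after the user closes the app
        score += 3
        reasons.append("offline_access makes sensitive access persistent")
    if not record["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if record["consent_type"] == "user":
        score += 1
        reasons.append("granted by an end user, not an admin")
    if record["app_id"] not in known_apps:
        score += 1
        reasons.append("app not on the reviewed list")
    return score, reasons


def audit_consents(records, known_apps=frozenset(), threshold=ALERT_THRESHOLD):
    """Return [(app_name, granted_by, score, reasons)] for records at or above threshold."""
    alerts = []
    for rec in records:
        score, reasons = score_consent(rec, known_apps)
        if score >= threshold:
            alerts.append((rec["app_name"], rec["granted_by"], score, reasons))
    return sorted(alerts, key=lambda a: -a[2])


def sample_consents():
    """Constructed records; app ids are placeholders, not real application ids."""
    return [
        {"app_name": "Expense Helper (free)", "app_id": "PLACEHOLDER-APP-ID-1",
         "publisher_verified": False, "consent_type": "user",
         "scopes": ["User.Read", "Mail.Read", "Files.ReadWrite.All", "offline_access"],
         "granted_by": "mwilson@example.com"},
        {"app_name": "Corporate Helpdesk Bot", "app_id": "PLACEHOLDER-APP-ID-2",
         "publisher_verified": True, "consent_type": "admin",
         "scopes": ["User.Read"], "granted_by": "admin@example.com"},
        {"app_name": "Meeting Scheduler", "app_id": "PLACEHOLDER-APP-ID-3",
         "publisher_verified": True, "consent_type": "user",
         "scopes": ["User.Read", "offline_access"], "granted_by": "jdoe@example.com"},
    ]


if __name__ == "__main__":
    for app, who, score, reasons in audit_consents(sample_consents(), known_apps={"PLACEHOLDER-APP-ID-2"}):
        print(f"{score:2d} {app} (consented by {who})")
        for r in reasons:
            print("    -", r)
```

Only the first record scores above the threshold: mail plus files plus offline_access from an unverified publisher, consented by an end user, is exactly the combination the attack relies on. The scheduler app keeps offline_access but gains nothing sensitive with it, so it stays below the line. In a tenant, the equivalent records come from the audit log, and a flagged grant is removed by deleting the corresponding oauth2PermissionGrant through Microsoft Graph; requiring admin approval for user consent to unverified publishers closes the path before a grant exists.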

5 Insider Threats

In uncertain times like these, when employees are concerned with job security, or just with being able to get their work done remotely, they often access lots of sensitive information and download it onto their personal device. Even if the intent isn’t malicious, this still could pose a risk to the organization. It’s important for an organization to understand what’s happening with their sensitive data.

How Varonis Helps

Varonis detects insider threats by first identifying where sensitive data lives throughout an organization and then learning how users typically interact with that data. Varonis baselines users’ data access behaviors over time, and monitors file activity enriched with VPN, DNS, and proxy data. Varonis detects when users download large amounts of data or access sensitive data they don’t usually touch, and provides a full audit trail of the files the user accessed.

Here’s an example of a BackupService account that an IT admin had legitimate access to. The insider used the backup account to access sensitive documents and cover her tracks, which tripped a behavior-based alert.

Here’s how we detected it:

• That service account doesn’t typically access Word docs (file access activity)

• The BackupService was accessed from the IT admin’s personal device (Active Directory)

• Then accessed the Internet for the first time (web proxy)

These events, in context with the abnormal file access, give Varonis a high degree of certainty that this is an insider threat.

Watch the Incident Response Masterclass
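The BackupService case above and the man-in-the-middle case earlier (a login from a geolocation never seen for that user) are the same detection idea applied to different feeds: learn what each entity normally does, then flag a first-seen value, and raise confidence when several feeds fire together. The Python below is an added example, not Varonis code, and generalises across the feeds: a constructed learning period fills a per-entity baseline, a constructed detection day contains the three BackupService signals from the bullets, a user signing in from a new country, and a user whose daily file reads dwarf their own peak. Entity names, device names, country codes, file types, the two-hour correlation window and the volume multiplier are all assumptions.

```python
"""Cross-source behaviour baselines for the insider and MiTM cases.

Added example, not Varonis code. Each event is a constructed record
(timestamp, entity, source, attribute, value); source is the feed it came
from: "file", "ad" (Active Directory logon), "proxy" or "o365" (sign-in).
Names, devices, countries and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(events):
    """Record which values each (entity, source, attribute) has shown and each
    entity's busiest day of file reads during the learning period."""
    seen = defaultdict(set)
    reads = defaultdict(lambda: defaultdict(int))
    for ts, entity, source, attr, value in events:
        seen[(entity, source, attr)].add(value)
        if source == "file":
            reads[entity][ts.date()] += 1
    return {"seen": seen, "peak_reads": {e: max(d.values()) for e, d in reads.items()}}


def detect(baseline, events, volume_factor=3):
    """Return sorted (timestamp, entity, source, description) findings for the detection period."""
    findings, reported = [], set()
    reads = defaultdict(lambda: defaultdict(int))
    for ts, entity, source, attr, value in sorted(events):
        key = (entity, source, attr)
        if value not in baseline["seen"].get(key, set()) and (key, value) not in reported:
            reported.add((key, value))      # report each new value once, not per event
            findings.append((ts, entity, source, f"first seen {attr}={value}"))
        if source == "file":
            reads[entity][ts.date()] += 1
    for entity, days in reads.items():      # volume against the entity's own history
        peak = baseline["peak_reads"].get(entity, 0)
        for day, n in days.items():
            if n > volume_factor * max(peak, 1):
                findings.append((datetime.combine(day, datetime.min.time()), entity, "file",
                                 f"{n} file reads in a day vs baseline peak {peak}"))
    return sorted(findings)


def correlate(findings, window=timedelta(hours=2), min_sources=2):
    """Entities whose findings span at least `min_sources` feeds inside one window,
    mapped to the sorted list of those feeds."""
    by_entity = defaultdict(list)
    for ts, entity, source, _ in findings:
        by_entity[entity].append((ts, source))
    alerts = {}
    for entity, items in by_entity.items():
        items.sort()
        for t0, _ in items:
            sources = sorted({s for t, s in items if t0 <= t <= t0 + window})
            if len(sources) >= min_sources and len(sources) > len(alerts.get(entity, [])):
                alerts[entity] = sources
    return alerts


def sample_events():
    """Constructed two-week learning period followed by one detection day."""
    learn, today = [], []
    day0 = datetime(2020, 4, 1)
    for d in range(15):
        day = day0 + timedelta(days=d)
        out = learn if d < 14 else today
        out.append((day.replace(hour=2), "BackupService", "ad", "device", "BACKUP-SRV01"))
        out += [(day.replace(hour=2, minute=i), "BackupService", "file", "extension", ".bak") for i in range(50)]
        out.append((day.replace(hour=9), "jdoe", "ad", "device", "LAPTOP-JD"))
        n = 20 if d < 14 else 400           # jdoe pulls far more than usual on the last day
        out += [(day.replace(hour=9) + timedelta(seconds=i), "jdoe", "file", "extension", ".xlsx") for i in range(n)]
        out.append((day.replace(hour=8), "mwilson", "o365", "country", "US"))
    last = day0 + timedelta(days=14)
    # the insider case: an admin's personal device, Word documents, then the internet
    today.append((last.replace(hour=14), "BackupService", "ad", "device", "ADMIN-PERSONAL-PC"))
    today += [(last.replace(hour=14, minute=5 + i), "BackupService", "file", "extension", ".docx") for i in range(5)]
    today.append((last.replace(hour=14, minute=30), "BackupService", "proxy", "destination", "internet"))
    # the MiTM case: a stolen session used from a country never seen for this user
    today.append((last.replace(hour=3), "mwilson", "o365", "country", "RO"))
    return learn, today


if __name__ == "__main__":
    learn, today = sample_events()
    found = detect(build_baseline(learn), today)
    for f in found:
        print(*f)
    print(correlate(found))
```

Running it produces five findings but only one correlated alert: BackupService, because the new device (Active Directory), the new file type (file activity) and the first internet access (web proxy) land within the same two hours. The new-country sign-in and the bulk download each remain a single-feed finding, which is the right triage order for an analyst with limited time.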

We’re here to help

Varonis has built a menu of free services and extended trial licenses to help you as you navigate the challenges associated with a remote workforce. Anything you need, let our team know. We’ll do our absolute best depending on resource availability.

Active Directory visibility

Free eval licenses of DatAlert can help you flag suspicious authentication behavior, like an admin account logging on to more devices than usual

Free Incident Response service

To help you investigate anything that’s suspicious, even if it’s not related to Varonis

Office 365 and Teams security

Ensure your data that’s in Office 365 and Teams is not accessible to unauthorized users

VPN, DNS, and web proxy monitoring

Free eval licenses of Edge can help you detect data exfiltration, people using RDP in different ways (with AD), and more, especially as more employees work from home

BOOK A TIME WITH OUR TEAM

ABOUT VARONIS

Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cybersecurity companies. Varonis focuses on protecting enterprise data on premises and in the cloud: sensitive files and emails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property.

The Varonis Data Security Platform detects insider threats and cyberattacks by analyzing data, account activity and user behavior; prevents and limits disaster by locking down sensitive and stale data; and efficiently sustains a secure state with automation. With a focus on data security, Varonis serves a variety of use cases including governance, compliance, classification, and threat analytics. Varonis started operations in 2005 and has thousands of customers worldwide — comprised of industry leaders in many sectors including technology, consumer, retail, financial services, healthcare, manufacturing, energy, media, and education.

© Varonis 2020