In order to contain the spread of COVID-19, employees are being asked to work remotely when possible. This sudden and immediate shift of employees who would normally work in an office to a remote location will naturally create a shift in internal movement of network traffic. The outcome will be a change of internal network traffic patterns in which attackers could hide their own communication.
For example, Microsoft Teams had 32 million daily active users last week on March 11th, but this jumped by 12 million to 44 million daily active users by March 18.
The below areas will require extra attention and understanding by the security operations analysts who are handling the day to day impact of their quickly changing environment.
As remote workers need to continue to be connected to their peers, clients and partners without in-person communication, the uses of web conferencing and instant messaging software is expected to grow. Vectra for example has pushed for more 1-on-1 video calls to maintain our sense of community. This usage will encompass not only peer-to-peer video communication but will also be used for sharing information through multiple methods including file sharing, screen sharing, and other related activities. Heavier usage of these features will increase the number of connections to be monitored and analyzed by security operations. Analysts will need to identify the expected communication services within their organization and mark those as expected behaviors.
For example, Microsoft Teams can be easily identified either by the IP range in use: 184.108.40.206/14 or by the primarily used protocol and ports: UDP 3478 to 3481 and TCP 80 and 443. By leveraging this information, monitoring can be adjusted with minimum impact to normal operations.
Command & Control
Web conferencing software is a commonly used application within most organizations and has the capability of controlling another user’s system. For this reason, there are known attacks that leverage existing web conferencing software for malicious purposes. The increased use of these applications can obfuscate these real attacks. What would normally be occasional events are now frequent. Discerning all of the legitimate from not will be an arduous task. Having a strong policy around what applications are authorized and what features can be used will greatly help the security team.
Exfiltration of data is simply data moving from inside an organization to an external destination. That is also the same traffic pattern of web communication software as users share files and send video. More data leaving the network means traditional threshold-based alerting become less useful. Security operations will need to adjust to finding the data moving through their network that is authorized to understand the movement of data that is unauthorized.
Another expected area of growth will be in the use of remote access tools such as TeamViewer to access internal resources. This will especially be true if the corporate VPN is notable to handle the traffic for the entire company as alternative means of managing internal resources.
In the same way an administrator would use remote access software to manage a server, an attacker regularly wants to access and manage these internal systems as part of their attack lifecycle. By design, remote access tools provide the ability to control both other users’ machines and servers, which is also an attacker’s goal. The more popular tools leverage the vendors external servers as relays (LogMeIn, TeamViewer) between the user requesting access and the system to managed. This makes these tools more easily identifiable as they occur from a known address space but make identifying the source of the activity difficult. Understanding these tradeoffs and building a strong policy around authorized remote access software can help security analysts by producing less noise from their monitoring tools.
In addition to third party remote access tools, Windows natively provides remote access functionality that allows a user to directly access internal devices that would usually be restricted but now require remote access for an administrator to function remotely. For example, a jump server could allow the Microsoft Remote Desktop Protocol to access specific systems to a privileged user. Due to the versatility of these tools, we recommend monitoring be as specific as possible.
Command & Control
Commercial remote access software becoming more common poses a challenge to security teams. As with web conferencing, limiting common behaviors associated to remote access software or the sending of data over encrypted channels and external remote access for malicious intent.
Security operations can also expect to see suspicious relay behaviors, which occur when a user uses a jump server or a relay for remote desktop access on a specific host. An analyst should track and monitor the source host as authorized for this action.
While online file sharing services like OneDrive and Dropbox are already popular in the enterprise and for consumers, we expect to see increased usage and leveraging of file sharing services as the primary means of document sharing and editing. Understanding how these file sharing services will be used within the organization is critical. Creating policy around authorized services can help analysts prioritize their investigations.
As users work from home, companies may be inclined to leverage personal systems in their employees’ home environment. These new systems, while enabling the rapid transition to remote work, pose their own issues for security teams. These new devices may lead to a variety of privilege anomalies and other behavior deviations and will have fewer means of investigating. It will be critical to have details to identify and correlate the unknown hosts by name, accounts, and activity time. This information, along with the identification of the organizational VPN IP pool, will help an analyst identify unknown user devices efficiently.
Many organizations use a split tunnel VPN. This style of VPN allows companies to direct company traffic to the corporate network while other traffic traverses to the internet without touching the corporate network. This has a number of security implications, but it is typically done to conserve bandwidth. For investigations, for organizations utilizing a split VPN, analysts can expect a reduced visibility into a user’s internet traffic, including that of attackers and command and control
We expect to see a large increase in VPN use as the bulk of organization users work remotely but still need access to the same internal resources they had when working in the office. This means that VPN availability will be critical for the organization to function and will be required to handle a much larger volume of traffic than usually seen.
Some user behaviors that would normally be innocent and benign when performed inside a network, such as listening to music apps on a PC while working, could be a problem on a full tunnel VPN. A full tunnel VPN sends all internet traffic through the organization internal network, thus consuming large volumes of network bandwidth which causes VPN resource exhaustion.
If the organization userbase is using a split VPN, analysts can expect reduced visibility in north/south traffic. With a split VPN, some of the user’s traffic will go straight out to the internet without first traversing the organization internal infrastructure.
Marion works as a Consulting Analyst based in Paris, France. Prior to joining Vectra, she worked for 7 years as a pentester and Red Team consultant, working for and supporting many different customers. During her assignments, she also worked with defensive teams of two large banking organizations, helping them understand the attacker’s context.