Cyberthreat trends in the remote work landscape
About 10 months after the COVID-19 pandemic forced millions of U.S. employees into remote operation, a new threat landscape has emerged as companies scramble to manage a hybrid workforce.
Companies are working to manage security risks from vulnerable endpoints and sophisticated criminal and nation-state actors.
With a new financial year underway and vaccines rolling out, executives are taking a fresh look at how they will navigate a newly hybrid workforce in a secure business environment.
"What we are seeing is firms putting their plans together for a hybrid workforce," said Bhushan Sethi, Global People & Organization co-leader at PwC.
About 24% of workers in the U.S. telecommuted due to COVID-19, according to the Bureau of Labor Statistics. Other data shows that during parts of 2020, more than 50% of workers at major U.S. companies worked from home due to COVID-19 restrictions.
About 75% of executives expect at least half of their workforces to be back in the office by July, according to survey data from PwC.
Multiple hats
The task of organizing office returns will be a massive undertaking because for many companies the rapid changeover from corporate offices to remote operations left no time for planning. During the lockdown, remote employees scrambled to balance productivity with childcare, deteriorating mental health and logistical challenges of working in a secure environment.
"In response to sudden work from home orders, we saw many companies prioritize productivity above all else," Michael Covington, VP of product at Wandera, said. "Whether workers were forced to work from home, or IT was told to reduce security policies, job number one at most organizations was to keep the business operational while people were working remotely."
Companies abandoned traditional security protocols but are now taking a fresh look in order to phase operations into a long-term recovery, according to a report by Wandera. The report draws on proprietary corporate data from the Wandera Security Cloud, which is based on 425 million sensors. The data has been anonymized and normalized, and comes from organizations using the technology that range from 10 employees to hundreds of thousands of employees.
The report shows a 41% increase in malware attacks on an annual basis, as 52% of organizations faced a malware attack in 2020, compared to only 37% in 2019. The malware installations that affected remote work the most last year were spread using social engineering, according to the report.
The apps were made more potent when users granted too much access to their devices, which allowed attackers to gain access to "sensitive data and in some cases capture live recordings from the compromised devices," Covington said.
Remote workers have exposed corporate networks to high-risk activities or content. Out of the devices previously compromised by mobile malware in 2020, about 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage.
Multiple devices, operating systems
Part of the difficulty with remote workers in the current landscape is their range of operating systems, including Windows 10, Android and iOS. They are bringing their own devices to access corporate networks through unsecured home-based workstations.
Traditional office rules have gone by the wayside as the Wandera report showed up to 100% increases in workers accessing inappropriate content during office hours. Remote workers, particularly those using Android operating systems, were using vulnerable apps to access content or conduct work.
"The threat landscape remains fluid as attackers look to take advantage of disasters to phish and social engineer employees," Rick McElroy, principal security strategist at VMware Carbon Black, said via email. "Typically attackers target employees through email and attachments but have now started to use social media and texting as well."
Other threat actors have adjusted the way they use methods like ransomware to attack companies operating in remote environments, Vinay Pidathala, director of security research at Menlo Security, said.
"What was old is now new," Pidathala said. "In 2019, ransomware was starting to decrease, but with COVID, attackers have pivoted back to ransomware, and they are having a lot of success with it."
More sophisticated actors are going after high-value targets using web browser exploits, with Chrome being the browser of choice. Four out of 10 browser exploits used in the wild are targeting that particular browser, mainly due to its dominant market share, according to Pidathala. Additionally, Microsoft Edge has based its underlying technology on Chromium since January 2020.
In terms of specific threats, a large number of credential phishing attacks are targeting customers across various regions and business verticals, Pidathala said. There has also been a marked increase in web drive-by downloads, with attackers using the SocGholish framework as their tool of choice.
These attacks use social engineering toolkits disguised as either browser updates in Chrome or Firefox, Flash Player updates, or Microsoft Teams updates.
In terms of security policy changes, Pidathala says that limiting administrative access, issuing corporate-owned laptops and application whitelisting are policies that usually pre-dated the COVID-19 outbreak. "More companies are moving their workloads and applications to the cloud," he said. "Given that shift, companies are strategizing around how to protect their data, web applications and users."
These include confirming that access to cloud resources and assets is correctly configured and monitored, ensuring the security of cloud assets and ensuring the governance and protection of critical data.
Looking further into 2021, tens of millions of corporate employees will continue to work from home.
However, companies plan to resume office operations under a hybrid environment. "Some employees have started to work out of the office already and more will likely transition back to the office over the course of 2021," Rick Tracy, CSO at Telos Corporation, said, adding that the company will be flexible regarding remote work for the rest of the year and beyond. "Remote work due to COVID has proven that remote work can be effective and secure if managed properly."
Companies are expected to embrace zero trust in terms of how they deal with future threats in a pandemic-enabled threat environment, according to Adam Meyers, VP of intelligence at CrowdStrike.
"I think the old castle kind of mentality around securing things to a certain extent will go away, as they embrace zero trust in the more modern way of thinking about security," he said. He expects a more nuanced view that focuses on what needs to be secured and on provisioning access appropriately.