SecurityHQ Update • 6 Mins READ

Revolutionising the Contingency Plan. How the Developing Threat Landscape is Changing Business for Good

by Eleanor Barlow • Jun 2020

As remote working continues across the globe, cyber threats grow in both size and sophistication.

Off the back of COVID-19, bad actors are taking advantage of the new infrastructure that businesses are now finding themselves using. Organisations are stuck in a limbo between solely working remotely, slowly returning to the office environment, or incorporating shift patterns for employees. All of which require new methods and procedures regarding security intelligence. Which, in turn, requires a reassessment of protocols and contingency plans.

With the reality that the threat landscape has changed significantly, and with threats becoming more aggressive, it is crucial that:

  • Remote worker policies are re-established and enforced.
  • That awareness and vigilance is maintained.
  • That businesses are educated regarding current threats, so that they can defend against what is, essentially, a cyber battle.

The main issue with current business infrastructure, is that the IT employees that you rely upon to run your business, are currently at their most vulnerable, as their support mechanisms have been taken away.

Before COVID-19, if you wanted to sabotage a company or steal data, a bad actor would target the business itself. The website, the social accounts, the logins and all their vulnerabilities. In response, organisations had parameters set up for this. But now these have changed. Now, to take down a business, you just need to target a single remote worker.

Plans have not been put in place for such events. Not on any large scale anyway. Businesses did not foresee COVID, or how long remote working would take place for. And, without contingency plans for such events, the IT teams that companies rely upon, are now left to fend for themselves in the best ways that they know how. Using, perhaps, not always the best methods.

Because of this, many aspects regarding remote working and disaster recovery plans have been rushed. And this is what criminals are exploiting.

DNS Vulnerabilities

Organisations should pay extra attention to DNS vulnerabilities. There are a multitude of DNS anomalies that leave your organisation vulnerable. Read our blog specifically on spotting DNS Vulnerabilities here.

Read More: Threat Hunting Concepts & Trigger Points DNS Anomalies Blog

VPN Attack

For the majority, VPN’s are being used by remote workers across most organisations. These are crucial and form a level of protection for remote worker devices. The major issue here, however, is that most organisations were in such a rush putting plans in place for their teams to work remotely, that these VPN’s did not/still have not passed the normal quality checks that you would expect. Some of these VPN connections were only initially meant for staff to dial into and were not intended for mass users. Now that everybody is using them, systems are under extreme pressure.

What Happens When a VPN is Attacked?

Now, say your company mail was to go down for a few days, due to the influx in traffic as the whole world works from home. This would be significantly inconvenient for the whole organisation. But can be worked around.

But now say, for instance, that an organisation of 8000 employees is using a single VPN gateway. Let’s now say that somebody does a denial of service, using a VPN remote gateway. Because processes were rushed, this system now crashes under the significant capacity, and goes down for 2 to 3 days. The amount this will cost an organisation is substantial.

What Does This Mean for the Future of Work?

It is reasonable, following the latest trends, to predict that such DNS disruptions and direct attacks of VPN gateways will increase. It is equally plausible to surmise that these attacks will be followed by extortion emails and campaigns.

How Should Organisations Reduce Threats?

Organisations need to ensure that they treat their VPN and remote workers properly. It is critical right now.

Often, for threats to get their foot in the door to lead to a VPN attack, they will start with dictionary attacks, attacks on cloud-based solutions, or phishing campaigns.

Contingency Plans for Everything

While organisations may temporarily go down, businesses also need to have contingency plans in place for when/if the whole organisation goes down completely.

Because the bandwidth that all these companies have utilised comes from the outside, service disruption is inevitable. Which means that rules need to be implemented. Rules such as, ‘if you are in the office and don’t have to be online 24/7, stop being online 24/7’, to reduce the bandwidth and save it for those who need to use it most.

As we continue to work remotely, businesses will be tested. And they need to be prepared. You need to support and protect your external exploits, VPN’s, remote access, configuration changes. You need to be on the ball now more than ever.

When working remotely, we must still be in collaboration with one another, to mitigate threats, visualise attacks and safeguard your data, people and processes.

Our Initial Tips?

Here are our initial tips:

  • Implement a Remote worker policy and remember amendments, awareness.
  • Do NOT leave you endpoint connected to the corporate network.
  • If BYOD, ask to be responsible with corporate data, by:
    • Restricting corporate data to a single BYOD device.
    • Ensure regular patching
    • Only used BYOD with Endpoint protection AV/FW
  • Be Vigilant
    • Think twice before going to a website (especially from mail). And do not click on anything you are unsure of.
    • Only get COVID, Corona information from trusted sources. Not via email or social media accounts.
  • Understand the changes to the threat model. No remote access = Zero productivity.
    • Evaluate Fallback/Contingency
    • Test DOS protection / Capacity
    • Identify Threats/Vulnerabilities … E.g. DOS against DNS
  • Patch your perimeter!
    • Enforce/Implement MFA – Does NOT give significant service disruption.
    • Disable Interactive logon on ALL default user/service names.
    • Disable all accounts that have not been used for a significant period.
    • Maintain and implement a top 20 country blocklist (SecurityHQ maintains a top-20 based on risk models)
    • Implement audit related security controls and monitoring. Analyse these for threats.
    • Monitor remote worker behaviours: such as duration and access denied.
    • Attempt to implement more granular access control on critical data/systems.
    • No Backdoor for IT (like RDP, RAT tools)
    • No remote logins using privileged accounts
    • Implement / enforce Jump host for IT operations.

For more information, to speak with an expert, and to learn how SecurityHQ can support and safeguard your people, processes and data against current and future threats, contact us here.