Threat modeling is an often discussed but sometimes nebulous term that is frequently thrown around within the cyber-security arena. The intent is to structurally map the risks and threats to a particular asset of value, together with the mitigations for them, something Digital Shadows has outlined in a previous blog, Understanding Threat Modelling.
Though the remote-work landscape has been steadily moving forward over the past decade, COVID-19 (aka coronavirus) has forced many organizations to accelerate their plans or create them on the fly. As such, Digital Shadows has produced a threat model for the remote worker, taking into account the various risks and threats that employees face while working off site.
7 steps involved in threat modeling
In approaching our remote-worker threat model, we walked through 7 steps that will serve as a guide to the rest of this blog:
- Enumeration of the target system’s assets
- Review of data and/or process flow diagrams
- Identification of most relevant threat actors
- Identification of most relevant threats
- Evaluation and prioritization of risks/threats
- Evaluation of currently existing controls and/or countermeasures
- Prioritization of mitigation steps and recommended security controls
Enumerating the remote worker's assets and reviewing data/process flow diagrams must be done on a case-by-case basis. There is no "one size fits all" for those first two steps, as every enterprise environment is built differently: which devices, identity providers, VPN gateways, and SaaS platforms are in scope is specific to each organization.
5 threat actors and motives targeting remote workers
The threat actors we would expect to target remote workers are very similar to those targeting in-office employees; however, working remotely introduces a larger attack surface. At the same time, controls that apply to specific systems or processes inside the office (network segmentation, managed devices, proxied web access) may be weaker or absent at home, which increases the likelihood of these attacks succeeding.
Digital Shadows has identified the following threat actor categories that have the motive to abuse and take advantage of remote workers.
- Cyber/organized crime: Cybercrime groups have the capacity and the skill set to perform targeted attacks on end users, and can do so at greater volume under work-from-home (wfh) conditions. Personal devices with fewer security measures/controls make users more attractive targets, and because those devices now reach corporate services and resources, the probability of gaining unauthorized access to the company through them is significantly increased.
- Fraudsters: Fraud attempts are expected to increase, exploiting the COVID-19 outbreak. These will likely be especially effective against workers not used to working on personal and/or mobile devices.
- Accidental/malicious insider: The users themselves need special consideration, even when they are not hostile. Those not used to remote working might accidentally expose sensitive data, make mistakes in file sharing, etc.
- Hacktivists: Phishing campaigns will continue to evolve, especially now that end users are more exposed to the Internet and can be targeted more easily.
- State actors: Remote working extends to governmental and other critical infrastructure entities, which are top targets for state actors. Such operations are expected to increase since users will continue to have access to restricted resources from home.
We also made a quick graphic to help showcase this threat model.
6 major cyber threats targeting your remote workers
The threats generated by the previously identified threat actors are not wholly new attack techniques. However, some of them become more prevalent in a remote working situation.
Here are six cyber threats we’re likely to see targeting your remote workers:
- Attacks on availability: Increased dependency on remote-access solutions, such as VPN gateways, increases the impact of these attacks, since an outage now cuts off the whole workforce rather than a handful of travelling staff. Internet traffic is expected to rise significantly during the COVID-19 outbreak, so less additional load is needed to saturate a link or concentrator, and denial of service attacks have a better chance of succeeding.
- Lost/stolen laptop: This threat mainly applies to remote workers using public places (cafés, transport, shared spaces) rather than the home, so a work-from-home-only restriction helps mitigate it. The likelihood is low, and the impact depends largely on whether the device's disk is encrypted and whether it can be remotely wiped.
- Data leakage owing to inadvertent disclosure (accidental sharing, shoulder surfing, etc): Since the users themselves have been identified as a threat, there is a high probability of accidental exposure of a company’s sensitive information. Cloud-based file-sharing platforms might cause confusion between what is personal and corporate data.
- Unauthorized access to corporate sensitive data through a software bug exploitation: Because remote workers must reach corporate resources and services holding sensitive information, more of those services (VPN gateways, web portals, collaboration tools) are exposed to the Internet, giving attackers many more targets to probe for exploitable bugs.
- Phishing: Initial access using phishing will remain the top attack vector, but now the success rate is expected to be higher with potentially fewer security controls and measures applied to remote users. (If you’re interested in phishing protection, check out our blog The Ecosystem of Phishing: From Minnows to Marlins)
- Reuse of stolen/leaked user credentials: Credentials will still be the number-one goal for attackers seeking access to resources they are not authorized for. Passwords reused between personal and corporate accounts make publicly leaked credential dumps directly usable against remote-access services.
6 security controls for remote workers
Finally, after examining the potential threat actors, along with the tactics and techniques they may use, security controls should be recommended to decision makers for implementation. In the case of remote workers, Digital Shadows recommends that the following six security measures be adopted to decrease your organization’s overall risk level.
- Advanced endpoint protection: Next-generation endpoint detection and response (EDR) and continuous monitoring will significantly aid in detection and response.
- Encrypted communication: Extensive use of VPNs with an always-on model, whenever applicable, is highly recommended to mitigate man-in-the-middle (MITM) attacks on untrusted home and public networks. Always-on means that the user's device must be connected to the designated VPN before it can reach any resource that requires an Internet connection, so traffic is never sent in the clear while the tunnel is down.
- Increased identity and access management: Access controls should be improved to mitigate lost or stolen credentials and their reuse. Multi-factor authentication is highly recommended for access to every corporate resource, especially the critical ones. Continuous monitoring and visibility of access is also very useful for auditing and for detecting abnormal behavior such as sign-ins without MFA, password-guessing bursts, or the same account appearing in two countries within a short time. Least-privilege/need-to-know principles should also be applied and reviewed carefully to avoid unnecessary access to sensitive information.
- Email, instant messaging, and browsing protection: Advanced and specific solutions should be used to protect users from malicious emails and URLs, which are the main threat vectors. Those services are expected to be used widely, given the nature of remote working, so they will be heavily targeted by threat actors.
- Endpoint security hygiene: Endpoints, both corporate and personal, should be included in the continuous asset management program enforcing the latest patches, properly managing vulnerable software, and effectively controlling access to any corporate resource.
- User security awareness: The remote environment, and in many cases the new tools and solutions that come with it, need to be well communicated and presented to the users. Users should be educated on the risks of remote working and on the threats they may encounter. Extensive user education and training is required to mitigate this increased risk, as users might not be familiar with tools tailored for remote working, making confusion between personal and corporate data/resources very likely.
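The "stolen/leaked credentials reuse" threat above and the "continuous monitoring and visibility of access" part of the identity and access management control both come down to looking at remote-access sign-in events for abnormal patterns. The following is an added example, not Digital Shadows code or any product's detection logic: it parses a constructed sign-in log (the one-line-per-event format, the thresholds, and the sample users and IPs are all assumptions for the example) and applies three rules: a burst of failures from one source ending in a success (guessed or stuffed password), a success without MFA, and successive sign-ins from two countries closer together than a plausible journey.

```python
"""Detection rules for remote-access sign-in logs (added example).

Assumed log format, one event per line:
    <ISO-8601 UTC timestamp> <user> <source IP> <country> mfa=<yes|no> <SUCCESS|FAIL>
Real VPN or identity-provider logs need their own parser; the rules below
only depend on the fields extracted by parse_log().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real logs: alice's account is hit by a short
# password-guessing burst from a foreign IP that ends in a success without MFA,
# bob signs in from two countries 87 minutes apart, carol signs in without MFA.
SAMPLE_LOG = """\
2020-03-20T08:01:10Z alice 203.0.113.5 GB mfa=yes SUCCESS
2020-03-20T08:03:44Z bob 198.51.100.7 GB mfa=yes SUCCESS
2020-03-20T08:10:01Z alice 192.0.2.44 RU mfa=no FAIL
2020-03-20T08:10:05Z alice 192.0.2.44 RU mfa=no FAIL
2020-03-20T08:10:09Z alice 192.0.2.44 RU mfa=no FAIL
2020-03-20T08:10:13Z alice 192.0.2.44 RU mfa=no FAIL
2020-03-20T08:10:17Z alice 192.0.2.44 RU mfa=no FAIL
2020-03-20T08:10:21Z alice 192.0.2.44 RU mfa=no SUCCESS
2020-03-20T09:15:00Z carol 198.51.100.9 GB mfa=no SUCCESS
2020-03-20T09:30:00Z bob 203.0.113.99 US mfa=yes SUCCESS
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<country>[A-Z]{2}) mfa=(?P<mfa>yes|no) (?P<result>SUCCESS|FAIL)$"
)

# Assumed thresholds; tune them against your own sign-in baseline.
FAIL_THRESHOLD = 5                   # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this are ignored
TRAVEL_WINDOW = timedelta(hours=6)   # two countries inside this window is "impossible travel"


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["mfa"] = e["mfa"] == "yes"
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events):
    """Return (rule, user, detail) tuples for every rule that fires."""
    findings = []

    # Rules 1 and 2 share one pass. Failures are tracked per (user, source IP)
    # so a user's own typos at home are not merged with an attacker's attempts
    # from elsewhere.
    failures = defaultdict(list)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(("guessed_password", e["user"], e["ip"]))
        failures[key].clear()  # a success ends the burst
        if not e["mfa"]:
            findings.append(("success_without_mfa", e["user"], e["ip"]))

    # Rule 3: consecutive successful sign-ins for one user from different
    # countries closer together than TRAVEL_WINDOW.
    last_success = {}
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", e["user"], f"{prev['country']}->{e['country']}"))
        last_success[e["user"]] = e
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} user={user:6} {detail}")
```

On the sample data this raises five findings: alice's guessed password and MFA-less success from 192.0.2.44, carol's MFA-less success, and impossible travel for both alice (GB to RU in nine minutes) and bob (GB to US in under two hours). Two caveats a practitioner should keep in mind: counting failures per (user, IP) deliberately misses password spraying, where an attacker tries one password per account across many users, so a second counter keyed on source IP alone is needed for that; and the country field has to come from a trusted geolocation of the source address, because a consumer VPN or a corporate egress point can make legitimate travel look impossible or hide real travel entirely.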
Beyond the recent surge caused by the COVID-19 outbreak, the global workforce is increasingly moving to a remote working environment. As such, organizations should be applying security controls and creating threat models for their particular environments both now and after things go back to normal. Digital Shadows strongly recommends planning ahead for situations like these, though understandably this might not always be possible. In that case, please feel free to use this as a resource to help guide internal security teams to start thinking about remote working threat vectors as well as threat modeling in general.
Need to detect sensitive data that’s been exposed by your employees, contractors, or third parties? See how we can help with data leakage detection here.
To see all of our threat intelligence updates related to coronavirus, visit our resources page below.
And here’s a webinar that CISO Rick Holland and I did as well on the subject.