Author: Masayuki Nakada, IT Security Analyst
Since the COVID-19 pandemic started, working from home (WFH) has become more common for many companies. The Japanese government recommends WFH as a “new normal” that is different from the pre-COVID-19 era. I have switched to WFH since early April 2020, and at the time of writing this article (late June 2020) I have been able to continue working without ever coming to the office. I can understand its potential.
In a WFH situation, the remote device must connect to the organization's internal systems by some means, and a VPN (virtual private network) connection is probably the most popular method today. Once the remote device connects to the VPN, it is treated as part of the corporate network and can access internal systems directly. It also benefits from the defense in depth provided by the internal network security devices.
Because the logs of those network security devices can be monitored, signs of an incident can be detected quickly. A VPN is therefore a convenient mechanism for secure remote connection, but it has a drawback: incident response in the event of a malware infection or similar event on the remote device can become difficult.
In this article, we explain the issues and countermeasures for endpoint security during WFH, referring to an incident that actually occurred in a WFH environment.
First, here is the system environment before discussing the incident case.
There are 3 points to pay attention to about this environment:
A system structured like the one above is common in the real world, and many organizations operate in a similar way.
The incident introduced here began when a remote device used for remote work was infected with malware. The timeline is as follows.
There are a few issues in this case. From the perspective of “incident response” in remote devices, let’s consider the following.
In this case, security control for the remote device depended on antivirus software. So-called “pattern matching” antivirus software has reached the limit of its detection capability against recent attacks, making it difficult to deal with the ever-increasing volume of malware.
Also, when not connected to the VPN, the device accessed the internet directly. The defense in depth provided by the firewall, proxy, etc., which was effective via the internal network, was not applied.
It is difficult to grasp the behavior and communication of a remote device while it is not connected to the VPN. Specifically, when malware or an attacker remotely controls an endpoint, the endpoint communicates with a C2 server. If the endpoint is not connected to the VPN, no logs of that communication are stored on the corporate side. It therefore becomes difficult to determine from traffic logs such as proxy logs when the attacker’s operations were performed.
In addition, although logs were stored by the asset management software, its main focus was on “user operations”. Malware behavior and remote-control activity by the attacker were not recorded in those logs.
The forensic investigation was conducted by establishing individual events, collecting the traces of the attack remaining on the OS as points, and connecting those points into a probable line. Unfortunately, it was difficult to reveal how the compromise occurred with the limited traces available, because of the time that had elapsed between the incident occurring and its discovery.
To deal with this situation, the behavior is usually inferred by comparing security device logs (especially the proxy logs) with the results of the forensic investigation of the device. In this case, however, no logs remained for the period when the device was connected directly to the internet. Despite the large amount of time spent on the investigation, the findings were limited.
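The visibility gap described above can be made concrete with a small correlation script. The following is an added example, not code from the original article or from its author: it takes a VPN session log, the proxy log (which only exists while the device is on the VPN) and execution artifacts recovered from the OS during forensics, then reports which artifacts fall outside any VPN session and therefore have no proxy context to correlate with. All timestamps, user names, hostnames, binary names and log formats are constructed sample data, not a real product's format.

```python
"""Correlate OS execution artifacts with VPN sessions and proxy logs.

Added example (not from the original article). All log lines, names and
formats below are constructed for illustration.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M"

# Constructed VPN session log: "start end user" (one session per line).
VPN_SESSIONS = """\
2020-06-01T09:00 2020-06-01T12:00 userA
2020-06-01T14:00 2020-06-01T18:00 userA
"""

# Constructed proxy log, only written while the device is on the VPN:
# "time user destination status".
PROXY_LOG = """\
2020-06-01T09:15 userA intranet.example 200
2020-06-01T10:32 userA fileshare.example 200
2020-06-01T15:10 userA mail.example 200
"""

# Constructed execution artifacts recovered from the OS (e.g. prefetch-style
# "binary ran at time"). Binary names are hypothetical.
OS_ARTIFACTS = """\
2020-06-01T10:30 WINWORD.EXE
2020-06-01T13:10 suspicious_loader.exe
2020-06-01T13:12 powershell.exe
2020-06-01T15:20 OUTLOOK.EXE
"""


def parse_time(s):
    return datetime.strptime(s, FMT)


def parse_sessions(text):
    """Return [(start, end, user)] from the constructed VPN session log."""
    out = []
    for line in text.splitlines():
        if line.strip():
            start, end, user = line.split()
            out.append((parse_time(start), parse_time(end), user))
    return out


def parse_proxy(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user, dest, status = line.split()
            out.append({"time": parse_time(ts), "user": user,
                        "dest": dest, "status": int(status)})
    return out


def parse_artifacts(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, binary = line.split()
            out.append({"time": parse_time(ts), "binary": binary})
    return out


def on_vpn(sessions, t, user):
    """True if the user had an active VPN session at time t."""
    return any(s <= t < e and u == user for s, e, u in sessions)


def coverage_gaps(sessions, user, window_start, window_end):
    """Periods inside [window_start, window_end) with no VPN session for the user.

    During these periods the corporate proxy could not have logged the
    device's traffic, so no network-side evidence exists for them.
    """
    gaps = []
    cursor = window_start
    for s, e, u in sorted(sessions):
        if u != user or e <= window_start or s >= window_end:
            continue
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return gaps


def classify_artifacts(sessions, proxy, artifacts, user,
                       tolerance=timedelta(minutes=15)):
    """For each artifact: was the device on VPN, and which proxy entries
    within +/- tolerance can give it network context."""
    results = []
    for a in artifacts:
        context = [p["dest"] for p in proxy
                   if p["user"] == user and abs(p["time"] - a["time"]) <= tolerance]
        results.append({"time": a["time"].strftime(FMT), "binary": a["binary"],
                        "on_vpn": on_vpn(sessions, a["time"], user),
                        "proxy_context": context})
    return results


if __name__ == "__main__":
    sessions = parse_sessions(VPN_SESSIONS)
    for start, end in coverage_gaps(sessions, "userA",
                                    parse_time("2020-06-01T08:00"),
                                    parse_time("2020-06-01T19:00")):
        print("no proxy coverage:", start.strftime(FMT), "-", end.strftime(FMT))
    for r in classify_artifacts(sessions, parse_proxy(PROXY_LOG),
                                parse_artifacts(OS_ARTIFACTS), "userA"):
        print(r)
```

In the sample data the loader and the PowerShell execution at 13:10 and 13:12 fall in the 12:00 to 14:00 gap, so they come back with `on_vpn` false and an empty `proxy_context`, which is exactly the situation the investigation above ran into.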
As a solution to the problems explained above, companies are introducing EDR (Endpoint Detection and Response). EDR assumes that an incident such as a malware infection will occur; it is a tool that strengthens “investigation” and “response” when one does.
The following are the benefits of introducing EDR and an explanation of how the issues above are addressed once it is in place.
EDR can record the events that occur on the endpoint at the process level and detect when an operation that seems to be caused by malware or an attacker is performed.
In addition, many EDR solutions also have antivirus capability and by enabling this, it is possible to implement advanced security features.
Many EDR solutions are cloud-native and can manage a device as long as it has internet access. Even while the device is not connected to the VPN, which was the problem above, detailed logs such as created processes, created files and communication destinations are accumulated in the cloud. That makes the investigation easy and smooth when suspicious behavior is found.
Also, during remote work it is not easy to physically seize a device. With EDR, a suspicious device can be logically isolated from the network, making it easy to take initial action and prevent the infection from spreading.
Now, you may ask, “what if the device always keeps the VPN connected?” In many cases the connection drops automatically because of load on the network or equipment.
In a traditional forensic investigation, after the device is seized, a process such as “evidence preservation” by copying the data takes a considerable amount of time (about 1 to 2 days). EDR does not require such a process, and the investigation can proceed from the readable logs stored in the cloud.
It also has significant advantages that traditional forensics does not, such as “the behavior on the device becomes clear in chronological order” and “multiple devices can be investigated at the same time”.
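To illustrate the two advantages just named, the chronological view and multi-device investigation, here is an added example that is not code from the original article or from any EDR product. It works over constructed EDR-style process-creation events from two laptops, merges them into one timeline, reconstructs a process's ancestry from the parent-PID links, and applies a common detection rule (an Office application spawning a script host) that a responder would use to decide which device to isolate. Hostnames, PIDs, image names and the event layout are all sample assumptions.

```python
"""Cross-device process timeline and a simple parent/child detection rule.

Added example (not from the original article or any EDR vendor). The
events, hostnames and image names are constructed sample data.
"""

# Constructed EDR-style process-creation events:
# (time, host, pid, ppid, image). PID 1 stands for an unrecorded parent.
EVENTS = [
    ("2020-06-01T13:09:50", "LAPTOP-A", 400, 1,   "explorer.exe"),
    ("2020-06-01T13:10:02", "LAPTOP-A", 512, 400, "WINWORD.EXE"),
    ("2020-06-01T13:10:41", "LAPTOP-A", 620, 512, "powershell.exe"),
    ("2020-06-01T13:10:43", "LAPTOP-A", 631, 620, "rundll32.exe"),
    ("2020-06-01T13:11:00", "LAPTOP-B", 300, 1,   "explorer.exe"),
    ("2020-06-01T13:11:15", "LAPTOP-B", 410, 300, "OUTLOOK.EXE"),
    ("2020-06-01T13:12:30", "LAPTOP-B", 455, 300, "powershell.exe"),
]

# Detection rule inputs (sample sets, not exhaustive).
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def unified_timeline(events):
    """Merge events from every device into one chronological list."""
    return sorted(events, key=lambda e: (e[0], e[1], e[2]))


def index_by_pid(events):
    """Map (host, pid) -> event so parent links can be resolved per host."""
    return {(e[1], e[2]): e for e in events}


def process_chain(events, host, pid):
    """Reconstruct the ancestry of one process on one host, root first."""
    by_pid = index_by_pid(events)
    chain = []
    key = (host, pid)
    while key in by_pid:
        e = by_pid[key]
        chain.append(e[4])
        if e[3] == e[2]:          # guard against a self-parent loop
            break
        key = (host, e[3])
    return list(reversed(chain))


def detect_office_spawning_script(events):
    """Flag script hosts whose direct parent is an Office application."""
    by_pid = index_by_pid(events)
    alerts = []
    for e in unified_timeline(events):
        parent = by_pid.get((e[1], e[3]))
        if parent and parent[4] in OFFICE_APPS and e[4] in SCRIPT_HOSTS:
            alerts.append({"time": e[0], "host": e[1],
                           "chain": process_chain(events, e[1], e[2])})
    return alerts


def hosts_to_isolate(alerts):
    """Devices a responder would logically isolate based on the alerts."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    for e in unified_timeline(EVENTS):
        print(*e)
    alerts = detect_office_spawning_script(EVENTS)
    for a in alerts:
        print("ALERT", a["time"], a["host"], " -> ".join(a["chain"]))
    print("isolate:", hosts_to_isolate(alerts))
```

Note that LAPTOP-B also ran PowerShell, but its parent was explorer.exe rather than an Office application, so only LAPTOP-A is flagged; the chain reconstruction shows the full explorer.exe to WINWORD.EXE to powershell.exe path that a user-operation log alone would not have recorded.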
Until now, the focus of security measures in organizations has been “network-type defense in depth”, and “log acquisition at endpoints” has not penetrated deeply. Now that remote work is common, however, there is an increasing need to raise the security level of endpoints.
We provide a “managed EDR service”, an operation support service for EDR. We have seen cases where the safety of endpoints improved dramatically after introducing EDR and the response load in the event of an incident was reduced. No serious incidents have occurred for customers who introduced managed EDR as recommended by us. If you would like to know more about EDR, please feel free to contact us.