These are strange times. COVID-19 has changed the way we work, the way we communicate, and the way organizations operate. One concern that is drawing more and more attention is the move from working inside the perimeter to working outside it. We all know how to work in the perimeter, and we have learned in the past few months how to work outside the perimeter, but the back and forth between these two modes of operation can introduce risks of its own. Think about a computer in the perimeter, protected with perimeter security, that now goes out and is used by someone working from home. During that time it’s less protected, since the perimeter isn’t there. Then that computer is taken back into the perimeter and brings along with it the threats it picked up outside: unwanted software, maybe an attacker with a persistent foothold on it. Now it poses a risk to the entire organization from the inside.
In this article I describe a security strategy that helped my organization avoid this scenario by simply ignoring the perimeter, making us indifferent to the location our employees are working from.
About a year ago, I was adjusting my security strategy. As a CISO at a cybersecurity vendor, I have access to information about many attack groups and techniques, as well as organizations that suffer from cyber attacks. My conclusion was that, despite some organizations having a much larger security budget and a larger security team, they all still eventually fell to the same techniques over and over again.
I had to find another trick that could keep my organization secure from these attacks. It needed to be a strategy that would allow me to reach a very high level of resilience to the techniques I commonly see, and simultaneously would align with the way the company operates.
Our company is relatively young and relies heavily on SaaS and cloud infrastructure. We don’t have many legacy systems, and our corporate architecture is similar to many companies, based on Microsoft Active Directory. In terms of operation, our company is distributed around the world. Some employees work from an office, some from home and some from the road.
For my strategy to provide security in this heterogeneous operating environment, it had to address a component that is present in all of the APTs out there. The universal element here is the login. In (almost) all attack scenarios, at some point, an attacker needs to gain access using a valid login. It can be through an interactive login session or by hijacking an existing one, by using a token or key, or by compromising a password; no matter what, it’s always there. This was the key insight that led to much more.
Attack scenarios on the login process come in many forms: brute forcing, getting a password via social engineering and phishing, hijacking session tokens and using them, or even just getting control over a workstation and using the legitimate access of the user.
The thing about the login process is that in a corporate environment, especially one that is based on Active Directory, it is very hard to follow the complex array of different login actions and to define strict rules for them. It’s really a mesh of services and accounts that all work very well together in the background to make Microsoft-based infrastructure work conveniently.
Unfortunately, attackers are constantly taking advantage of these services in order to conduct attacks. A few simple examples are pass-the-hash/pass-the-ticket techniques, the use of domain controllers’ accessibility from all domain-member workstations, the use of NetBIOS weaknesses, and many more. All of these are used to “move around” in a compromised environment, gathering credentials and moving from machine to machine.
To avoid such attacks and make sure the login process is secure, I decided to take a different IT approach altogether. Being a young company with few legacy services, there’s not much reason for us to be tied to the traditional Active Directory. Many of the services that tie organizations to it are used differently by us: email, file storage and sharing, etc. all have cloud-based alternatives. Moreover, even if we wanted to, we couldn’t rely on these solely, simply because many of our users are working beyond an office network, and forcing them to be connected to a VPN all the time is simply not practical.
The new approach puts the authentication process in the center. For that, we need to protect the parts that may be attacked independently:
If any of these parts is susceptible to an attack, the attacker can get in. For example, an attacker can gain access to an insecure endpoint and just “ride” on legitimate sessions without the need to attack the authentication point itself. As another example, if a system manages accounts poorly, an attacker may find accounts with weak passwords and use them, even without gaining any access to the endpoint that the real user uses. Time for the Internet cafe strategy (from now on: ICS) to go into action.
The way I built the strategy is based on the following concepts:
Critically, the strategy was executed as a set of projects and not in one monolithic, risky move:
It sounds quick and easy, but it wasn’t. There are several challenges when implementing this strategy. I’ll describe the main ones:
The end state this brought us to is better than the original:
Bottom line, we moved from office-centric security management with a lot of baggage we didn’t need to individual-centric security management and a hardened, resilient and simpler environment.
And the office remains as a very fancy internet cafe with nicer screens, artwork and rooms.