A view from the SOC: Maintaining security capabilities during the pandemic

With the exponential growth in working from home as a result of the Covid-19 coronavirus pandemic, many organisations have scrambled to provision technologies that facilitate remote working, in order to maintain business continuity.

This rapid shift has undoubtedly led to some hastily conceived infrastructure deployments, which may well have circumvented routine change-control processes and associated risk assessments. Even for companies that already promoted home working before the outbreak, typically, such solutions did not encompass the entirety of the workforce – both in terms of number of employees, and job roles.

For SOCs (security operations centres), both in-house and managed service providers, this has presented a number of challenges and underlined the importance of working closely with infrastructure and technical teams.

A well-performing SOC should always have a comprehensive understanding of the environment being monitored as a matter of course. Now more than ever, keeping this knowledge up to date is vital.

For example, you want to know about any new software products or features that have been rolled out and any additional servers that have been stood up to handle the increased workload of more employees working remotely. Once you have captured new information of relevance, it is also important to ensure it is shared among analysts on the front line and review your playbooks to ensure they are still valid.

Don’t forget policies and procedures. If restrictions and red tape governing how people work have been lifted by organisations to aid productivity, this will influence the environmental norms just as much as the technologies in use.

For instance, expect existing out-of-hours detection logic to become false-positive prone due to flexible working arrangements. Previous “red flags”, such as administrative activity originating off-premise, might now be null and void. If possible, get copies of key communications sent to employees and examine how it is influencing the effectiveness of your detection logic.   

Poor security hygiene and substandard configuration are very often contributing factors to serious cyber breaches. Just because solutions might have been deployed in a sub-optimal fashion to expedite the delivery of an operational capability, it doesn’t mean you shouldn’t try to fix weaknesses retrospectively once the dust has settled.

So, work with engineering teams and other stakeholders – including the senior information risk officer (SIRO) – to put forward sound and achievable security recommendations. Strive to align to industry best practice where possible, but don’t veto tangible improvements in security posture while holding out for the perfect solution. Be prepared to compromise, but just make sure you understand the shortcomings.

Here are some of the pertinent areas where you should seek to prioritise visibility and detection:

• Authentication activity. Most organisations will be using some form of virtual private network (VPN) connectivity to provision corporate network access. Capturing and interrogating log data from VPN endpoints will enable you to identify anomalous login attempts and less subtle activity, such as brute force/password spraying. Pay particular attention to authentication attempts originating from outside your geographies of business, as well as duplicate user sessions and activity during abnormal time periods. Using a well-configured SIEM toolset with user behaviour analytics tool (UEBA) will give you the best chance of identifying atypical activity.
• Covid-19 phishing campaigns. Phishing remains one of the most prevalent attack vectors for a multitude of threat actors, including both financially motivated organised crime groups and nation state adversaries. Threat actors are seizing the opportunity to capitalise on the fear and uncertainty caused by Covid-19 itself, and the scope for abusing consequential communications relating to IT/business continuity is significant. Consider stepping up your efforts to identify malicious emails, focusing on keyword searches and analysis of web proxy logs to spot potential credential harvesting websites. Because of the variance and volume of both legitimate and malicious Covid-19-themed communication, some proactive analysis of data will be required.
• Externally facing infrastructure. Irrespective of the current landscape, understanding the public-facing attack surface exposed to an attacker is important. It is even more vital if remote access solutions and other web services have been opened up to the public internet. The first step is to run an external vulnerability scan against all public IP addresses associated with the organisation you are protecting; the goal is to identify services that could be vulnerable to an unauthenticated threat actor and the scope should include cloud service providers, where relevant. Once you have an understanding of the number and nature of services exposed, determine what visibility you already have, paying particular attention to applications that are newly provisioned. For instance, consider whether any IDS/IPS systems are deployed in the correct place to flag exploit attempts against known vulnerabilities and work out if you are collecting data that would enable the identification of a large increase in outbound traffic, and attribute it to a specific user.

Much of the above should be part and parcel for a SOC that is well aligned to the needs of the business. Understanding the monitored environment and being aware of potential weaknesses are key elements in running an effective security monitoring programme. However, in this time of heightened uncertainty and unprecedented change, now is not the time for a complacent SOC. Level up, identify weak spots and verify that your detection rules and playbooks are still cogent.

Tom Hawcutt is a senior analyst at Context Information Security.