Securing Your Remote Workforce, Part 3: How to Detect Malware in the Guise of Productivity Tools

As our workforce continues to be remote, SOC teams are tasked with an even larger threat landscape to secure. The challenge of adapting to this changing environment is not only for workers, but there is also a learning curve for the SOC team. SOC teams find themselves not only remote, but also with a new workstyle that forces an evolution in their security strategy. In part 1 of this series “Securing your remote workforce,” we discussed how cybercriminals are building out phishing and malware campaigns for personal gain. Our second post discussed vulnerabilities inherent in VPNs and offered some methodologies to secure VPN services and detect unusual VPN access.

In this post, we’ll define malware, explain the heightened risk in a work-from-home environment and provide tips on how to detect malware in the guise of productivity tools.

What is Malware?

Malicious software, or malware, is a term used to encompass any malicious program or code developed by attackers with the intent to cause damage to data or a system or gain unauthorized access to a network. Malware manifests itself in many forms: adware, spyware, virus, worms, a trojan, and ransomware, to name a few. But ultimately, the goal of an attacker is simple: personal gain.

Building a security fortress

Malware isn’t a new topic, in fact, the first virus created dates back to the 1970s when Bob Thomas at BBN technologies created the Creeper program, an experimental computer program that moved itself between computers. And in recent times, the number of malware attacks have shown a rapid increase, Security magazine reports that 7.2 billion malware attacks were launched in just the first three quarters of 2019 .

To combat attacks and protect valuable data and information, many companies have adopted a defense-in-depth security architecture. This is a layered security model designed to protect the physical, technical, and administrative controls of a network.

• Physical controls: physically limit or prevent physical access to IT systems (badge access, CCTVs)
• Technical controls: protect network systems or resources through hardware or software (firewalls, authentication, behavior analysis)
• Administrative controls: policies or procedures to ensure proper security guidance (data handling procedures, hiring practices)

The idea behind a layered security model is building redundancies and several lines of defense. If one security control fails, there is another one ready to thwart the attack.

The changing workforce

So if malware isn’t new, what is? The changing workforce. When many organizations built their defense-in-depth strategy, most weren’t anticipating an almost 100 percent remote workforce. This can be an issue for companies whose main line of defense against malware is a strong perimeter. While perimeter tools help secure the corporate network, with most of the workforce now outside the security perimeter, you reduce the efficacy of your defense-in-depth strategy. Oftentimes relying on point solutions, like endpoint detection and response tools, to block the malware your perimeter tools can no longer catch.

Cyber attackers prey on remote workers

Malicious cyber attackers are aware that the majority of office workers are at home, and they are taking advantage of the fact that employees and their devices are outside of the corporate network. Working from home means that employees are potentially working on unsecured Wi-Fi networks, using personal laptops that are not monitored or secured, and potentially even running out-of-date or unpatched systems. As employees transition into their new work from home environments, many are downloading new applications like productivity tools, applications, or zoom backgrounds.

While their intention is to be more productive while at home, employees are potentially exposing themselves, corporate data, and the remote servers they are accessing, to malware attacks.

Detecting malware with a remote workforce

On March 13th, the Cybersecurity and Infrastructure Security Agency issued an alert that “encourages organizations to adopt a heightened state of cybersecurity.” CISA recommends that IT security personnel be “prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.”

While detecting and investigating malware-infected hosts is a common task for IT operations teams, today, it is business critical to strengthen this practice and improve your security posture. Now that employees are outside of the security perimeter, leveraging your Exabeam SIEM can help increase defense-in-depth in the following ways:

1. Log abnormal process executions or network connections — you can leverage event codes from Windows events. Windows Security Log Event ID 4688 documents when a new process has been created, and Event ID 5156 documents when the Windows Filtering Platform has permitted a connection. Logging different windows event codes can provide insight into the endpoint’s anomalous behaviors even when you do not have an EDR system deployed.
2. Tune Exabeam rule scores for first execution of process — Occasionally, some rules may need to have their scores adjusted. Oftentimes it occurs when the models need to adjust to sudden organization wide change. In this case, you may want to adjust the first execution of a process rule to increase the severity of this anomaly. This will flag potentially risky users to your analysts for review.
3. Threat hunt for first execution of process — If you have six months of data, and you haven’t seen anyone within the organization execute a new process in six months, this is probably something you would want to investigate. You can have analysts save this search query and run it daily, making threat hunting a part of their regular practice. You’re likely to experience an influx of these events, since employees will start to download tools to improve productivity, but threat hunting on first execution of process will provide an added layer of defense now that you are outside of the perimeter.
4. Create a watchlist — Any user that has a first execution of process event should be placed in a watchlist and monitored for at least 24 hours. If you notice a user’s risk score increase within 24 hours, it would be worth investigating to determine whether the initial download was malicious.
5. Automate your watchlist — Automatically add a user to a watchlist if they have abnormal process activity and an aggregate risk score over a specific threshold. You can configure the watchlist with a TTL so the user rolls off automatically if no additional concerning behavior happens.
6. Retrain your employees on security — This is as good a time as any to retrain your employees on the company’s security policies. Cybersecurity may not be top of mind for many of your employees, so it is important to remind them to be aware. When it comes to downloading new applications or clicking on links, share some simple best practices:
   1. Be careful of what you download
   2. Check that the website has a certificate
   3. Verify that you know the sender before clicking on email links
   4. Don’t trust your pop-up notifications
   5. Update to the latest operating systems and browsers
   6. Remove any legacy applications you don’t use

Taking these six easy steps will add a layer of security to improve malware detection within your organization.

Want to learn more?

Stay tuned. This is part three of a five-part series on common issues security teams face with remote workers. Over the next two weeks, we will also publish posts covering remote access monitoring and device policies.

Part 1: Detecting Phishing Scams Disguised as Updates 

Part 2: Detecting Unusual VPN Access and Best Practices to Secure VPN Services 

Part 3: How to Detect Malware in the Guise of Productivity Tools

Part 4: How to Detect Fraudulent Logins and Policy Violations Using UEBA

Part 5: Best Practices for Personal and Corporate Device Usage