Randori named leader in Attack Surface Management in GigaOm ASM Radar Report

December 16, 2022

What Remote Work Does to Your Attack Surface

By: Randori Blog

Share on facebook
Share on twitter
Share on linkedin

The rise of remote work has been one of the biggest organizational shifts in the past two decades. 

  • In 2019, only around 6% percent of employees worked remotely. 
  • In 2022, about 60% of individuals who can work from home are doing so some or all of the time.

In most organizations, thousands of employees are now outside the corporate firewall at least some of the time. For security teams, remote work creates a whole range of unknown risks, increasing the likelihood of a breach and making compromise harder to detect. 

This fact was already obvious in August 2020, when a Malware bytes report showed that over 20% of companies had experienced a breach due to a remote employee. Today, working from home has become so widespread that the increased risk from remote work versus onsite work is hard to quantify. 

Remote work has simply become “work”. But the attack vectors exposed and expanded by remote work have not gone away.  

Even though remote work has upended traditional location based security postures, it is still possible to not only improve security for remote workforces but to become more secure than on-prem environments. Key to doing so is understanding and managing how remote work changes your attack surface risk. 

Remote Workforces Enable More Attacks

Remote and hybrid employees stretch attack surfaces and escalate breach risk. 

According to “The New Future of Work,” a Microsoft report on the evolution of remote work following the COVID-19 pandemic, remote work has increased the risk of almost all kinds of cyber attacks. 

Phishing, in particular, has grown both in incidence and success rate. In the Microsoft report, 62% of security professionals say the threat of phishing has risen the most since pandemic era remote work began. 

Remote employees are prime targets for phishing attacks, mainly because they are often less familiar with policies for things like password resets and help desk support and are likely to use a variety of personal and employer provided devices. Even when organizations utilize multifactor authentication (MFA) protocols, virtual private networks (VPNs), and other mitigation controls, phishing attacks still succeed. 

This year’s Twilio breach shows just how easy it is for threat actors to bypass access controls. The attack succeeded when threat actors socially engineered a remote worker by convincing them, via their personal phone number, to download a remote access tool. This process circumvented the company’s two-factor authentication (2FA) protocol and led to a massive data breach. 

The hacker’s behind the recent Uber breach used a similar technique. 

Once hackers breach a remote company’s perimeter, it can be harder for security tools and teams to spot indicators of compromise. Many remote employees work asynchronously and shift locations regularly. Log ins and network activity are more likely to happen out of hours and confuse network and behavior monitoring tools like user and entity behavior analytics (UEBA). 

Remote Tools Are Dangerous Attack Vectors

The software tools that remote workers need to do their jobs bring risks into their organizations’ IT environments. 

Compared to sharing an office full-time, working remotely often means having to build out a whole new set of processes and tools for interacting with colleagues, sharing files, and completing projects. 

For some organizations, this is a large shift in operations. Newly remote companies often see an explosion in the number of distributed software solutions and devices which are connected to their networks.

  • The average organization now uses 110 service-as-a-software (SaaS) apps, versus 16 in 2017. 
  • Over 19% of remote workers use three or more devices to do their job

The VPNs that remote workers rely on to connect to company networks are particularly vulnerable, and face attack vectors ranging from man in the middle attacks to Domain Name System (DNS) hijacking. In 2021 common VPN solutions including Pulse Connect Secure VPN and Fortinet SSL VPN experienced a more than 1000% increase in attacks. A 2022 FBI alert (AA22-294A) highlights how the “Daixin Team” ransomware group is actively targeting vulnerabilities in VPN tools. 

In remote and hybrid environments, BYOD policies are also popular. A recent IBM survey highlights how staff in most organizations (53%) use personal devices in their professional roles. Few organizations have measures in place to ensure BYOD laptops and mobile devices are secure.

Attack Surface Management (ASM) for Remote Companies

Remote work grows attack surfaces and exposes organizations to new attack vectors. Attack surface management (ASM) can help mitigate the breach risk this situation creates.

ASM is a method security teams can use to monitor the active weaknesses and potential attack pathways across their network. Companies with remote workforces can use ASM to gain a better understanding of what assets are plugged into their networks and where a potential attack might come from. 

At least 40% of remote workers are using IT applications and tools that are not approved or provided by their employers. 

When a remote employee or member of your IT team cannot complete a task with a tool your organization provides, they will use their own consumer grade application, or one they find online. This common situation creates huge blind spots in corporate attack surfaces. 

  • 76% of IT teams admit to de-prioritizing security during pandemic remote working.
  • 66% of remote employees admit to uploading corporate data to a non-work app. 
  • Remote endpoints take more than twice as long to patch compared to on premises ones.

These trends mean that security teams with remote workforces need to:

  1. Find a way to secure assets they do not know about.
  2. Secure larger numbers of network connected assets.
  3. Deal with longer time between patching events.

ASM helps security teams deal with this increased workload by making it easier for them to understand what assets are connected to their networks and what assets need to be patched first. 

Randori and Remote Work ASM

With Randori’s ASM platform, organizations can better understand how remote work impacts their breach risk. 

Attacks on remote organizations succeed when threat actors find vulnerabilities in known or unknown remote endpoints and use them to pivot attacks into organizations’ networks. The only way to stop them is to find and remediate these vulnerable assets before malicious actors get to them. 

Learn more about how to reduce the shadow IT risk created by remote forces with our e-book 3 Steps To Managing Shadow IT Risk

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.