With more people working from home due to the COVID-19 crisis, network intelligence is more vital than ever, a Microsoft security researcher told an online conference for infosec pros.
“Attackers thrive on chaos, and there’s no more chaotic time on the internet than right now,” Nate Warfield said Tuesday on the first day of Kaspersky Labs’ webcast Security Analyst Summit.
“Your network perimeter has changed, and it’s likely to have changed for the foreseeable future and possibly forever. The new normal may be the majority of our workforce is working remotely.”
Those workers have vulnerable devices like unpatched computers and routers, and poorly protected connected devices ranging from smart TVs to refrigerators.
“Attackers know this … and they’re going to go after your home users to try to back-channel into your corporate network.
“They’ll find the low-hanging fruit — and a lot of it isn’t just low-hanging, it’s lying rotting on the ground. It’s compost. And it’s important you get rid of it. It’s important you assess your network regularly. Attackers are doing this already.”
You don’t need to port scan your whole network, he said. Free search tools like IoT search engine Shodan and honeypot network BinaryEdge already do that. “All you need to do is do the right search, ask the right questions to get the right answers from the services out there.”
Warfield is particularly enthusiastic about the potential for a service called GreyNoise Intelligence — which has a free version — that scans for “things that are spraying the internet with traffic” like botnets, brute force attacks and port scans.
GreyNoise can be used in many ways, he said. For example, an analyst can take a suspicious IP address identified by the service and do a Shodan search. If the source device has a vulnerability, that may suggest it has been hacked and repurposed into a brute force scanner.
The command-line version of GreyNoise has a tool to analyze any log file with IP addresses (like VPN logs) to find suspicious activity from employee devices.
GreyNoise and Shodan can be set up for alerts, Warfield added. (For example, give GreyNoise your network’s IP range and it will warn if malicious traffic is coming out of it. Similarly, Shodan can tell if a service in your network has just been turned on.)
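The VPN-log triage described above can be sketched as follows. This is an added example, not GreyNoise's tool or API: the log format, user names and the `NOISE_FEED` lookup table are constructed, and the `lookup` parameter stands in for whatever scanner-intelligence source an analyst actually queries.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN log (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
2020-04-28T09:01:12Z vpn01 login ok user=alice src=198.51.100.23
2020-04-28T09:03:40Z vpn01 login ok user=bob src=203.0.113.77
2020-04-28T09:05:02Z vpn01 login ok user=carol src=10.8.0.14
2020-04-28T09:07:55Z vpn01 login fail user=bob src=203.0.113.77
2020-04-28T09:09:31Z vpn01 login ok user=dave src=999.1.1.1
"""

# Constructed stand-in for a scanner-intelligence result set (assumption).
NOISE_FEED = {"203.0.113.77": "ssh brute force"}

# Internal ranges are skipped: they never appear in internet-wide scan data.
# Listed explicitly because ipaddress.is_private also matches the
# documentation ranges used in the sample above.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"user=(\S+)\s+src=(\S+)")


def flag_noisy_sources(log_text, lookup):
    """Return {user: {ip: label}} for external source IPs the lookup flags.

    lookup(ip_string) returns a label for a known-noisy address, else None.
    """
    findings = defaultdict(dict)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        user, raw = match.groups()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if any(ip in net for net in INTERNAL):
            continue
        label = lookup(str(ip))
        if label:
            findings[user][str(ip)] = label
    return dict(findings)


if __name__ == "__main__":
    print(flag_noisy_sources(SAMPLE_LOG, NOISE_FEED.get))
```

A hit means the employee's home address has itself been seen scanning or brute-forcing the internet, which is a reason to check that user's router and devices before trusting the session.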
Looking ahead
Warfield was one of several presenters on the first of the free three-day webcasts. At one point 2,000 people had logged in.
Several Kaspersky analysts spoke about vulnerabilities they detected. Another was Sounil Yu, CISO in residence at YL Ventures, a U.S.-Israeli firm that funds cybersecurity entrepreneurs, who painted an optimistic picture for the future of infosec pros after the pandemic crisis eases.
Cloud computing and security led the post-COVID spending priorities of CIOs, according to one survey he’s seen. “I’m bullish on security spending,” he said. Few infosec pros have lost their jobs during the crisis, he believes, and that relative stability could draw people to the profession.
Asked if the crisis will in some way help resolve the cybersecurity talent shortage, Yu sidestepped it with this analogy: Pets are like data: We protect them, take them to veterinarians when vulnerable. But apparently, there aren’t enough vets. This begs the question, do we have too many pets or not enough cyber veterinarians? “I would argue the bigger issue is, do we have too many pets? One of the things I hope for in the digital transformation is that we shoot a lot of pets. If we do that, the workforce shortage we have today could potentially be addressed, perhaps even more than if we hired a bunch of veterinarians.”
Kaspersky still hopes to host its annual Security Analysts Conference in Barcelona in November.