During the period of March 2020, we looked at a sample size of 41,000 US-based organizations to understand the difference between corporate networks and Work From Home-Remote Office (WFH-RO) networks from a cyber-risk perspective.
In this post we take a closer look at corporate associated residential IP addresses (work from home-remote office IPs) and discover attributes that pose unique cybersecurity risks as compared to in-office corporate networks. With companies around the world adapting to a remote workforce in an expedient manner, we wanted to understand any inherent and unconsidered risks posed to those organizations due to the home environment. We isolated the study to the assessment of the network perimeter of devices on those networks and researched the differences in the distribution of compromised systems observed on those networks on a sample of 41,000 US-based organizations.
In order to perform this study, we first had to programmatically construct the asset maps of work from home-remote office (WFH-RO) IP addresses associated with each company. Since BitSight evaluates the externally-observable security performance of organizations across many industries around the world, we already had the corresponding maps of assets directly controlled and associated with organizations. We enriched the WFH-RO maps using the same aforementioned telemetry that we continuously gather to assess corporate cybersecurity hygiene as data points for this study.
The move of corporate managed assets into largely unmanaged environments with its attendant increase in local threats brings challenges to security practitioners. Employee education may be the best approach to maintaining adequate security.
To perform this study, we had to discover the set of remote IP addresses used by the employees of each organization. To drive its Security Ratings product, BitSight already has a set of high-quality, up-to-date maps of corporate network assets including those self-hosted and in the cloud. These maps are primarily constructed and maintained via automated processes with constant feedback from human intelligence to improve the automation. We used an extension of these processes to find additional IP addresses used by employees working at home or in remote offices by investigating the ecosystem of devices observed on corporate networks and finding their most closely associated non-corporate networks via session identifiers and device behaviors. Once that process is completed, we are left with a set of IP addresses for each organization representing a sample of associated residential networks that fit the criteria for this study. We term that set of IP addresses for each organization as their corresponding work from home-remote office (WFH-RO) asset map.
There are many sources of noise that complicate the discovery of associated residential networks, which if introduced into the resulting asset maps, can cause significant skews in findings and results. These sources can include IP addresses used by cellular networks, carrier-grade Network Address Translation (NATs) serving many consumer networks, or common access points such as Internet cafes or transient access services such as hotels and airports. One input of how we measure risk for our Security Ratings is to assess the distribution of Internet-facing workstation and mobile operating systems in-use at organizations. We not only look at the mere presence of the operating system of Internet-facing assets (e.g., the use of Windows XP) but we also model the number of systems using that operating system (i.e., the presence of an estimated 1,000 Windows XP machines is more notable from a risk perspective than an estimation of a single Windows XP machine). The more prevalent an out-of-date operating system is within an organization, as well the number of distinct out-of-date versions, is a telling insight into the security controls and practices at a company. We used the foundation of these principles and models into order to significantly improve the quality of the WFH-RO network asset maps.
The following graph is a visual representation of how the individual WFH-RO IP addresses are connected with the corporate network after the noise-reduction process has completed. The IP addresses directly managed by the company are highlighted in blue while the black nodes represent WFH-RO IP addresses associated with that organization. The lines in between the nodes represent the relationships identified between those IP addresses.
Depending on the organization, IP addresses can be seen to be clustered by geographic location of the physical office locations.
Other more centralized corporate networks, or those without a large physical footprint, resemble more straightforward spoke-hub graph representations, as shown in a larger organization, below.
The network perimeter and subsequent access control layers are one of the most closely managed and watched elements of a comprehensive security and network operations program. The first artifact we wanted to understand was how the perimeter attack surface differed between work from home-remote office networks and their corresponding corporate offices.
When we assess the perimeter of these corporate-associated residential IP addresses, we find that 25.2% of them have one or more services exposed on the Internet. The following bar chart shows the distribution of ports and services across IP addresses belonging to corporate networks and IP addresses belonging to WFH-RO networks. The port and service counts are normalized by the total number of IP / service pairs for each category in order to highlight the differences in the distributions between the two types.
Another way of looking at this distribution is to show the most relative prevalent services exposed on WFH-RO networks in comparison to company networks:
The presence of compromised devices on corporate networks is strong evidence of poor security hygiene or failed controls, particularly on endpoint workstations whose risk is often concentrated in the maturity and configuration of the endpoint protection technologies federated across the operating system protecting that device, as well the education and knowledge distilled into the individual users of those devices. For this reason, we continuously research and monitor the devices infected by botnets associated with currently over 250 active malware families spread across the world. This wide visibility into infected systems forms a core component of how we measure the cybersecurity posture of organizations.
We previously reported that we observe approximately 90% of malware infections on service provider networks. However, that research did not explore the differences between security controls on corporate networks, as compared to associated home networks. Unlike the analysis of the network perimeter where we had collected all corporate assets into one group and the WFH-RO IP addresses into another group, we split those assets into independent maps based on companies. More specifically referring back to the graphs shown above, for each organization we treat all the blue nodes as representative of the corporate company map, or “corporate networks,” while we treat all black nodes as representative of the “work from home-remote office (WFH-RO) networks,” and treat each group as a single entity. Each company thus has a map representing their corporate assets and another map representing their WFH-RO assets.
With this in mind, we can compare the malware behavior between those two groups for each company, as well as the wider population, by joining our compromised systems telemetry from March 2020 onto these asset maps. The following scatter plot shows the distribution of companies and their respective family counts between both of their asset types. Each family is only counted once when it is observed during that period, even if it affects multiple devices or occurs across multiple days. Each dot represents a single company in the study.
During this period 13.3% of companies had at least one observation of a malware family on their corporate network for the families we observe, while 45.0% of companies had at least one observation of malware family on their WFH-RO networks. 2.3% of companies had observations of at least 5 distinct families on their corporate network while 17.3% of companies had at least 5 distinct families observed on their WFH-RO networks.
As the number of WFH-RO IP addresses associated with a company increases, we observe more unique malware families on both the WFH-RO networks and the corporate networks.
This relationship reflects the fact that the count of home IP addresses acts as a rough proxy for the size of an organization. As the size of the organization increases, so does their complexity at managing infrastructure, processes, and human practices within the physical and digital boundary of the corporate network. However, the size of the organization also has a much more rapid relationship to the diversity of malware families that their assets are exposed to outside the corporate network and in residential networks.
The second component we wanted to investigate was the characteristics of the individual malware families. More specifically, we wanted to determine whether there are families that are observed more frequently on residential networks and less likely on corporate networks and vice-versa. The following plot shows the number of company asset maps that each family was observed on, with the Y-axis representing the count of WFH-RO networks and the X-axis representing the count of corporate networks.
In general, every family was observed more frequently on WFH-RO than on their corporate network counterparts. As malware families drift away from the center line towards the top-left they generally appear more frequently on consumer networks while those families that are further to the bottom-right have a tendency to be seen relatively more on organizational networks.
These preferences are generally representative of the types of devices and software that these malware families target, and we see this reflected in the frequency and infection targets of those families:
These characteristics give us visibility on the likelihood of the environment for which we would observe a given family. For example, Mirai is observed at least 20.1 times more frequently on WFH-RO networks than corporate networks, QSnatch is observed 29.7 times more frequently on WFH-RO networks, while Necurs and Trickbot are observed at least 13.8 and 3.8 times more frequently on WFH-RO networks than corporate networks respectively.
While the notion of a single trusted network that corporate workstations exclusively operate in has been fading over the last decade, there are certainly challenges that organizations are going to face who haven’t dealt with such diverse environments. Given the circumstances of the last several months, these devices have now abruptly moved into environments with a different set of unique entries into the local network on a persistent basis, and organizations should be aware that their cybersecurity policies, practices, and education should be aligned with these new operating environments.
Worms, particularly those that have been developed as ransomware, have become a recent concern amongst many practitioners and network operators, due to the ability to spread onto unpatched systems once they gain entry to the local network. The success of these families infecting many other systems internally reflect the disparity of attention paid to the corporate perimeter versus the health of the individual workstations and endpoints. Defense-in-depth strategies are also now more complicated and difficult to implement as security and network operation teams already had to balance the technology and configurations they deploy against the freedom that the various functional teams at companies need to be successful.