Work From Home Is Complicating Cybersecurity Investigations

Share This

Coronavirus distancing has meant remote investigations, virtual coordinating and a lag in response time, experts say.

With a large swath of the population working from home, the job of detecting, containing and deconstructing cyber attacks has become more complex, and is likely prolonging companies’ response time, experts say.

Moving workers outside office firewalls and onto home Wi-Fi networks—and in some cases, onto personal devices—has limited some companies’ ability to respond to intrusions during the pandemic. Outside teams hired to help investigate breaches face extra steps in remotely accessing the data they need for investigations.

The damage will disproportionately fall on businesses whose cybersecurity teams were tethered to physical offices, relying on on-premise defenses and cybersecurity hardware, said Augusto Barros, a security and risk analyst for Gartner Inc. But given the economic downturn, investing in new threat-detection tools and more flexible security teams could be a harder sell at cash-strapped companies, he added.

“It’ll make a bad problem worse,” Mr. Barros said. “Those that did their homework on improving incident response [before the pandemic] will be in a far better position.”

Law enforcement agencies around the world have warned public and private organizations that cyber threats were increasing as the coronavirus spread across continents. Delays in responding could also hamper subsequent police investigations, which increasingly rely on private firms to gather and share evidence, said Craig Jones, director of cyber crime at Interpol.

“If we don’t get it right, then the cyber criminals are going to be able to do it again and again and again and again,” he said.

Some cybersecurity investigators have changed their approach in response to the new status quo.

Before the pandemic, Redpoint Cyber, a subsidiary of New York-based accounting and advisory firm Anchin, Block & Anchin LLP, did roughly 85% of its work at clients’ offices, Chief Operating Officer Tab Bradshaw said. The proportions have flipped: about 95% of the incident-response team’s work is now offsite, he said. The company works mainly with small or medium-size businesses.

Redpoint designed an internal forensic tool to collect data from devices remotely, and invested in cloud-based software that allowed for penetration testing, or simulated cyber attacks, via the cloud, Mr. Bradshaw said. Even so, coordinating through virtual meetings, coupled with a surge in ransomware designed to cover attackers’ tracks, has slowed down forensic analysis, he said.

“Incident response, by nature, is always easier on-site,” Mr. Bradshaw said. Security teams have better visibility of computer networks and better access to hardware inside centralized offices, he said.

Slow internet connections can also handicap security crews if they need to take a forensic image of an entire device, said Christopher Scott, global remediation lead at International Business Machines Corp.’s incident-response team, X-Force IRIS. Glacial upload speeds can stretch the process out for several days, he said.

“This is without taking into consideration additional delays that may occur if your connection drops at any time and you need to restart at certain points,” Mr. Scott added.

Faced with the cumbersome reality, larger cybersecurity firms and their deep-pocketed clients might speed up investments in forensic software that helps pinpoint information for investigators and can anticipate abnormal behavior using machine-learning, experts say.

Companies and cybersecurity vendors have long worked together in person to piece together data points into a coherent story on what went wrong. That collaboration is less fluid on phone calls and videoconferences, said Charles Carmakal, chief technology officer of cybersecurity firm FireEye Inc.’s consulting arm, Mandiant.

“The downside is the sharing of information is not as immediate as it could be if you’re there face to face,” he said.

Lag time at each stage of the process can add up, experts say, and the effect of that cumulative slowdown will likely grow more acute this summer.

Hackers often lay low as they hunt for valuable information, lurking inside networks for weeks or months before security teams spot them. This “dwell time” could mean that companies might soon start discovering attackers who infiltrated their systems during the worst of the pandemic chaos in March and April, Mr. Carmakal said.

“It’s usually around three months or so that an attacker has access to organizations before the organization detects it,” he said. “We’re getting to be right around that time.”

Write to David Uberti at david.uberti@wsj.com

Join Our Newsletter & Learn

Get our latest content delivered to your inbox.