Ray Espinoza
The COVID-19 outbreak has not only caused global disruption, it has also changed the cybersecurity threat landscape. We are observing changing patterns of behaviors from threat actors and noticing waves of coronavirus-related cyberattacks.
To be clear, this trend is not unique to the global pandemic. Hackers have typically preyed on victims shortly after disasters or high-profile events around the world. Over the course of my career, I’ve led some of the world’s best security teams at companies like Cisco Systems, Proofpoint, and eBay. I’ve responded to hundreds of security incidents and fended off attacks from the world’s most nefarious threat actors. From firsthand experience, I’ve observed malicious actors exploit human emotions for financial gain. Notable global disasters such as the 2004 Indian Ocean earthquake and tsunami, the mass shooting events in Las Vegas, and the Zika virus outbreak have all been used as lures. Today, COVID-19 is not off-limits.
As threat actors continue adapting to exploit the coronavirus pandemic, the global workforce continues to change dramatically. With much of the world order to practice social distancing, an unprecedented number of people are working remotely, many for the first time. Companies are rushing to provision laptops to employees with desktops, deploy collaborative software, and implement VPN infrastructure to access internal tools. So if you were a hacker, what would this opportunity look like for you?
Attack methods logically exploit changes in the global environment. Mass working over remote connection leads to mass remote login activity. This activity is mostly over private, insecure machines with user accounts that have recently been set up for remote access — therefore making remote login credentials an easy target for attackers.
Since Italy declared a state of emergency on January 31, 2020, information security professionals have recorded an escalation of cyber attacks in Italy reflecting this pattern. Breach protection company Cynet tracked a spike in phishing attacks in the last month in Italy, while non-quarantined countries withstood an unwavering number of attacks.
Cynet has also observed an escalation of malicious log-in events. Notice the clear spike as orders to shelter-in-place were implemented in early February. Further review of the graphs reveals a closer relationship between malicious login-events and phishing attacks, indicating that they are both related to remote credential theft.
Remote work typically takes place on personal devices that usually lack protection. There has consequently been an uptick in email-based attacks.
Cynet observed that only 21% of attacks included an explicit link that executes a malicious file. Most of the email-based attacks were more advanced with weaponized documents attached.
Cyber attacks are intensifying in the United States and globally. In mid-March, the Department of Health and Human Services fended off a distributed-denial-of-service attack. Many are also encountering SMS-attacks posing as CDC alerts, which we expect to see proliferate as the crisis intensifies nationally. Spear-phishing emails continue to spread malware. Many COVID-19 tracking websites and phone apps have been infected with malware and ransomware. Concern over cyber attacks against hospitals has heightened.
In fact, a Czech hospital conducting COVID-19 tests was hit with a cyber attack in March, forcing the hospital to shut down its IT infrastructure. More COVID-19-related cyber attacks will surface in the weeks and months ahead, but this is not a reason to panic, as there are a host of additional measures you can take to boost your security in this new environment. Here are three that we’ve implemented at my company:
#1: Integrate guards against COVID-19 threats into your existing security monitoring playbooks. You may be tempted with knee-jerk reactions to increased risk, but it’s important to take a step back and think about how you can integrate new measures that account for changing tactics into your current security monitoring strategy. For example, our managed security service provider is monitoring connectivity outside of regional areas where we have connections and tracking any unusual login patterns. If you’re over-indexing in a way that is disruptive or detracts from important elements of your security program, you’ll encounter a new set of issues, trading one problem for another.
#2: Don’t underestimate the power of employee training. Security awareness has gone a long way in training our employees about these threats, particularly with identifying phishing lures. We host regular threat briefings, where we educate our employees about potential threats our organization is facing and how we can each remain vigilant to reduce those risks. In addition, we require our employees to use a VPN and enforce two-factor authentication on all remote connections. Small changes in employee behavior can have an outsized impact on the company’s security posture, so it’s important to bring your entire workforce along and encourage security to be everyone’s responsibility
#3: Leverage open-source threat intelligence resources. Our internal team has specific roles and responsibilities when it comes to maintaining our security, but increased activity from threat actors requires additional support. Finding actionable threat intelligence is key in proactively blocking opportunistic attackers who look to take advantage of brand new VPN infrastructure. Many threat intelligence providers are sharing information directly with the public, while open-source intelligence remains a valuable resource to make sure our bases are covered. Proofpoint’s threat intelligence offering, Emerging Threats, provides a great example of sharing free COVID-19 related intrusion protection system (IDS) signatures. If you already use a threat intelligence provider, they may be able to provide more immediate guidance.
The recent spike in cyber attacks is not anomalous or unpredictable. Cyber security professionals will monitor and continue to protect against threat actors during this global crisis. We urge you to remain vigilant, use secure infrastructure from your employer if applicable, and report anything suspicious. Your company’s ongoing threats will persist, so consider COVID-19-related attacks to be another threat to incorporate into your playbook. But above all, remain calm and stay aware. This too shall pass.
Comment