3 minute read 21 Apr 2020

Seven ways to keep ahead of cyber attackers during COVID-19

By Kris Lovejoy

EY Global Consulting Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.


As we adapt to mass teleworking and a potentially reduced workforce, the risks to enterprise cybersecurity continue to evolve.

As we continue our focus on how opportunistic cyber attackers are using COVID-19 as a theme to target users with sophisticated phishing messages, we must now assume that some of that activity will be successful.

The massive increase in phishing and other targeted activity related to COVID-19 poses a significant long-term risk. Technology and business leaders need to begin actively addressing these risks to protect the enterprise over the long term. Many of the campaigns currently in progress have been associated with known threat actor groups specializing in business-disrupting ransomware attacks.

Opportunistic shifts

The popularity of remote conferencing services such as Zoom, WebEx, Slack and others has skyrocketed recently as millions of students, businesses and everyday people across the world are required to work and entertain themselves from home during the pandemic. This has not gone unnoticed: cybercriminals are now exploiting the spike in usage by registering new fake domains and developing malicious executable files related to these platforms, aiming to deceive people into downloading malware onto their devices or to harvest their usernames and passwords.

Specifically, over 1,700 new ‘Zoom’ domains have been registered since the onset of the pandemic, 25% of them in the last seven days alone. This type of attack will continue to propagate across the globe and will inevitably be mimicked by multiple groups across many of the relevant platforms. In 2009, threat actors engaged in similar phishing campaigns, fraudulently impersonating the Centers for Disease Control (CDC) during the H1N1 flu and luring users with news about vaccination programs.[2] Similarly, in 2014 threat actors capitalized on the Ebola virus outbreak with phishing campaigns and embedded malware links.[3]
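The practical defensive counterpart to the domain-registration trend described above is to screen new registrations (or your own proxy/DNS logs) for names that imitate the collaboration platforms your workforce now depends on. The following is an added example, not code from the article or from EY: a small lookalike-domain triage script. The brand list, the allowlist of legitimate domains, the confusable-character table and the sample feed are all constructed assumptions for illustration.

```python
# Added example: triage a feed of newly registered domains for names that
# impersonate collaboration platforms. Brand list, allowlist, confusables
# table and the sample feed are constructed for this illustration.
import unicodedata

BRANDS = ("zoom", "webex", "slack")
ALLOWLIST = frozenset({"zoom.us", "webex.com", "slack.com"})  # assumption

# Common letter substitutions seen in lookalike names (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold Unicode to ASCII, lower-case, undo common substitutions, drop hyphens."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower()
    for lookalike, real in CONFUSABLES.items():
        folded = folded.replace(lookalike, real)
    return folded.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit from a brand name is a typosquat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> tuple:
    """Return (verdict, reason) for one domain: legit, suspicious or unknown."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST or any(domain.endswith("." + a) for a in ALLOWLIST):
        return "legit", "allowlisted"
    # Simplified registrable label: the label just before the TLD (no PSL lookup).
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize(sld)
    for brand in BRANDS:
        if norm == brand:
            return "suspicious", f"'{sld}' normalizes to '{brand}' but is not allowlisted"
        if brand in norm:
            return "suspicious", f"brand '{brand}' embedded in '{sld}'"
        if levenshtein(norm, brand) <= 1:
            return "suspicious", f"'{sld}' is one edit from '{brand}'"
    return "unknown", "no brand match"


def triage(feed) -> list:
    """Return the suspicious entries from a list of domains, with reasons."""
    return [(d, reason) for d in feed for verdict, reason in [classify(d)]
            if verdict == "suspicious"]


# Constructed sample feed of "newly registered" domains.
SAMPLE_FEED = [
    "zoom.us", "us04web.zoom.us", "zoom-meeting-login.com",
    "z00m.com", "webex-update.net", "example.org",
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED):
        print(f"{domain:28} {reason}")
```

The edit-distance rule is deliberately loose and will flag ordinary words near short brand names (for example "black" is one edit from "slack"), so its output is a review queue for an analyst, not a blocklist; the allowlist is what keeps the vendor's own subdomains out of that queue.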

The old is the new, new again

Many COVID-19 email scam campaigns, some of which have been evading typical email security technologies, began in early February, and the activity continues to increase across the globe. While seemingly benign for the moment, the continued heightened fear over the virus lures many users into ‘risky clicks’: searching for new information about the spread, purchasing goods or services to lessen the impact, or altruistically donating to relief efforts or a cure for COVID-19. This environment gives cybercriminals a plethora of avenues to download and install known malware such as Zeus,[4] Trickbot and Emotet,[5] all precursors of wider ransomware attacks, through old-fashioned social engineering.

Certain ransomware groups have pledged to stop attacking hospitals and other healthcare delivery organizations, but have continued to attack and affect other organizations unabated,[6] while other groups continue to disrupt healthcare operations.[7] These attacks, regardless of motivation, are highly disruptive to the operations of any organization, especially given the currently distributed nature of IT operations and support. Experience with ransomware attacks has shown the dwell time, or the time from the initial compromise to the actual ransomware execution, to be measured in weeks or months, leaving organizations potentially waiting for the other shoe to drop.

With the observed surge of phishing attacks and ransomware precursors in the wild, organizations need to prepare for a potential future deluge of operational disruptions and/or data loss.

A risk paradigm shift

As expected, we are seeing a surge in teleworking from companies across the globe. The challenge that most are facing is how to maintain the same level of cybersecurity while employees are required to work from home. To address these challenges, security compromises are being made to meet the demand, including allowing the introduction of non-secure assets and platforms. Examples include bring your own device (BYOD), cloud applications, and teleconferencing solutions.[8]

This new reality can impact current detection and response capabilities. Most current incident response (IR) and disaster recovery (DR) plans were not designed for such an increased remote workforce. Many of the on-premises security tool sets may not be present on all assets and services used from home, including endpoint detection and response (EDR), network monitoring, firewalls, data loss prevention (DLP) and sometimes certain authentication controls.

The threat predictions made several weeks ago are quickly becoming a reality, with threat actors continuing to exploit the uncertainty and publicity of the pandemic. The impact of such attacks is significant and will continue to amplify due to disruption of workforce, communication, and coordination.[9]

Enterprises must continue to employ multi-faceted risk mitigations and bolster their people, process, and technology to defend against the continuously evolving threats.

As we continue to adjust to the present reality, here are some further recommendations in addition to those previously published (COVID-19: Five steps to defend against opportunistic cyber attackers):

  1. Understand your enterprise remote connectivity and authentication capabilities (i.e., remote desktop, VPN [Virtual Private Network], LANDesk, WebEx, etc.). Be mindful of potential workarounds that employees might be using to do their work, and keep in mind that insecure use of these technologies is the easiest path for an attacker.

  2. Assess and implement new security analytics models to account for privileged activity and use of new administrative tools and services.

  3. Review current email security controls with consideration of the current remote workforce posture. Utilize the controls provided by your email provider to the fullest before looking to purchase additional services or technologies.

  4. Assess the current visibility of assets and network traffic to identify what has changed with regards to workforce relocation. If gaps exist, consult with your team to determine the best approach to regain visibility and security.

  5. Update and test your incident response and disaster recovery plans to ensure they are applicable to the current state of your workforce. Update your external incident response provider and consider an additional external provider if a more appropriate response time is needed.

  6. Test the ability to recover from your backups in a timely manner, with a keen eye to ensure your organization is backing up all the data it needs in a format that is accessible yet secure, to prevent both deliberate and inadvertent tampering or corruption.

  7. Review, update and recommunicate cybersecurity training to all employees. Ensure that the latest threats to your organization and employees are highlighted.

Additional recommendations

  1. Centrally manage and promulgate robust teleworking solutions to empower and enable employees, customers, and third parties.
  2. Leverage role-based rather than location-based identity and access management solutions, analytics, and controls.
  3. Establish second-factor authentication for formerly in-person processes, such as manual phone calls, a system of shared secrets, or other authentication controls relevant to the formerly in-person process.
  4. Provide links to official resources for pandemic-related information to avoid the spread of disinformation within your organization.
  5. Establish formal and transparent channels for corporate messaging to highlight what the enterprise is doing to address this pandemic.
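Recommendation 6 above asks for backups that are restorable and protected against tampering or corruption. One concrete way to make a restore drill answer that question is to keep a hashed manifest of the backup set and authenticate the manifest with a key that is stored away from the backup storage, so that someone who can alter the backups cannot also rewrite the manifest to match. The following is an added example, not code from the article or from EY; the file names, contents and key are constructed for illustration, and the key location is an assumption.

```python
# Added example: integrity check for a backup set. Every file is hashed into a
# manifest; the manifest carries an HMAC under a key kept separately from the
# backups (assumption). Sample files and key are constructed for illustration.
import hashlib
import hmac
import json
import os
import tempfile


def _sha256(path: str) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root: str):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root: str, key: bytes) -> tuple:
    """Hash every file under root; return (manifest_bytes, hmac_tag)."""
    entries = {rel: _sha256(full) for rel, full in _walk(root)}
    manifest = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(root: str, manifest: bytes, tag: str, key: bytes) -> list:
    """Return a sorted list of findings; an empty list means the set is intact."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    entries = json.loads(manifest)
    findings, seen = [], set()
    for rel, full in _walk(root):
        seen.add(rel)
        if rel not in entries:
            findings.append(f"unexpected file: {rel}")
        elif _sha256(full) != entries[rel]:
            findings.append(f"content mismatch: {rel}")
    findings.extend(f"missing file: {rel}" for rel in entries if rel not in seen)
    return sorted(findings)


def restore_drill() -> tuple:
    """Constructed drill: build a backup set, verify it, then tamper and re-verify."""
    key = b"constructed-key-held-outside-backup-storage"  # assumption
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "dump.sql"), "w") as f:
            f.write("CREATE TABLE t(x);\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("restore order: db first\n")
        manifest, tag = build_manifest(root, key)
        clean = verify_backup(root, manifest, tag, key)
        # Simulated tampering and loss on the backup copy.
        with open(os.path.join(root, "db", "dump.sql"), "a") as f:
            f.write("DROP TABLE t;\n")
        os.remove(os.path.join(root, "notes.txt"))
        tampered = verify_backup(root, manifest, tag, key)
        # A manifest edited without the key fails before any file is checked.
        forged = verify_backup(root, manifest + b" ", tag, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), restore_drill()):
        print(label, result or "OK")
```

Running the drill as part of a scheduled restore test, rather than only at backup time, is what turns "we have backups" into "we have verified that these backups restore intact"; the HMAC step is what distinguishes this from a plain checksum file that an intruder with write access to the backup share could simply regenerate.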


Summary

Opportunistic cyber attackers continue to use COVID-19 as a theme to target users with sophisticated phishing messages. We must now assume that some of that activity will be successful. This article highlights seven recommendations for cybersecurity teams to consider, to help strengthen their organization’s cybersecurity.
