The new ‘normal’
In recent weeks, as the world grapples with increasing uncertainty and new working environments, cyber criminals have been extremely active. They are busy masquerading as trusted officials to launch phishing attacks[1] (more on these attacks here[2]) and exploiting weaknesses in remote-work applications.[3] For some companies, the odds that an attack is successful are increasing as organizational resilience and security awareness continue to be stretched.
While the number of cyber-attacks is increasing, the amount of intelligence surrounding these novel attack vectors is growing too. Several bodies have issued comprehensive advisories to help individuals and organisations remain cyber resilient throughout the pandemic. These include the joint NCSC and U.S. Department of Homeland Security (DHS) advisory[4] and Interpol’s list of cyber threats.[5]
Leveraging government guidance and intelligence
Given the increasing volume of attacks, it is more important than ever that companies proactively manage their cyber security. For many companies, engaging in a proactive search for attackers within their networks – a process known as “threat hunting” – is a smart addition to security practices. During this process, security professionals search for known indicators of compromise (IOCs) such as unusual traffic or malicious websites employees may have visited. There is a wealth of recent government guidance and intelligence outlining malicious COVID-19 related cyber activity and IOCs, which these companies can leverage when hunting for COVID-19 related threats.
For example, the NCSC and DHS advisories provide specific lists of domains known to have been leveraged in recent phishing campaigns which are useful when identifying email-based attacks. However, these lists are non-exhaustive and utilizing only these resources could lead to a false sense of security. As the NCSC guidance notes, attackers are also using existing malware in conducting those attacks. During these exercises, locating evidence of phishing emails is only a first step. The difficulty is searching for evidence that an attacker has compromised the network, which requires the use of robust threat hunting practices, not just the deployment of domains from the recent guidance.
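The following sketch shows how an advisory domain list can seed a hunt rather than end it. It is an added example, not code from the advisories or from the authors. The domains, host names and proxy log format are constructed placeholders. After matching listed domains, it collects the destinations the same host contacted shortly afterwards that are not on the list, which is where the next stage of the hunt starts.

```python
from datetime import datetime, timedelta

# Constructed placeholder indicators, written "defanged" as advisories often are.
ADVISORY_DOMAINS = ["covid-relief-example[.]test",
                    "hxxp://who-update-example[.]test/login"]

# Constructed proxy log: timestamp, internal host, requested hostname.
PROXY_LOG = """\
2020-04-20T09:01:12 ws-014 intranet.example.test
2020-04-20T09:03:40 ws-014 portal.covid-relief-example.test
2020-04-20T09:04:05 ws-014 cdn-unlisted-example.test
2020-04-20T09:30:00 ws-022 notcovid-relief-example.test
2020-04-20T11:45:10 ws-014 mail.example.test
"""

def refang(ioc):
    """Reduce a defanged indicator to a bare lower-case hostname."""
    s = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return s.split("://", 1)[-1].split("/", 1)[0].rstrip(".")

def is_listed(hostname, iocs):
    """Match a listed domain or any of its subdomains, never a substring."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, host, dest = line.split()
            yield datetime.fromisoformat(ts), host, dest

def hunt(log, advisory, window=timedelta(minutes=30)):
    """Return {host: {"hits": [...], "follow_up": [...]}} for hosts with a hit."""
    iocs = {refang(d) for d in advisory}
    events = list(parse(log))
    findings = {}
    for ts, host, dest in events:
        if is_listed(dest, iocs):
            entry = findings.setdefault(host, {"hits": [], "follow_up": []})
            entry["hits"].append((ts, dest))
    for host, f in findings.items():
        first = f["hits"][0][0]
        # Unlisted destinations contacted soon after the first hit: pivot points.
        f["follow_up"] = [d for ts, h, d in events
                          if h == host and first < ts <= first + window
                          and not is_listed(d, iocs)]
    return findings

if __name__ == "__main__":
    for host, f in hunt(PROXY_LOG, ADVISORY_DOMAINS).items():
        print(host, f["hits"], f["follow_up"])
```

A host with no hits is not shown to be clean: the list is non-exhaustive, so the absence of a match only means none of the published domains were contacted.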
Realizing the benefits of a proactive defense
Emerging intelligence indicates that attackers, just like the legitimate businesses they seek to exploit, are changing their operations to adapt to the current climate, in ways that may become permanent. Eric Friedberg[6] recently stated that since January 2020, the time between attackers gaining access to a network and deploying ransomware has greatly decreased from weeks or months to just days. This acceleration in deployment places significant emphasis on shifting security postures from a reactive to a proactive stance – reviewing the threats and risks posed to organizations through capabilities such as threat hunting. In many cases, early detection can mean the difference between a temporary delay in business productivity with minimal financial cost and a full-blown cyber attack with significant business interruption, data loss, and potentially regulatory involvement, all with severe financial implications.
Finally, it’s important to use the guidance to review organizational preparedness. Phishing has always been a leading source of cyber threat. Some sources reported that in 2018, 32% of data breaches involved phishing activity.[7] Hence, it is beneficial for organisations to ensure their employees are well trained to identify phishing attempts quickly and efficiently. Executing large scale phishing exercises is an effective way to train employees to recognize threats and avoid them. Read more about recent social engineering attacks and COVID-19 here.
Cyber criminals were exploiting digital vulnerabilities long before the coronavirus outbreak and they will continue to do so in the future. Performing regular threat hunting exercises and investing in employee cyber awareness training are not just short-term cyber risk strategies. These practices – defenses against common attack vectors – will help increase cyber resilience long after this period of uncertainty ends. Dealing with emerging cyber security issues, as a consequence of COVID-19, offers an opportunity for organisations to test and put in place measures that can increase cyber risk maturity and work towards providing long term benefit.
If you or your business have reason to believe that you have been compromised, contact Aon to help you identify and mitigate the risk to your organization.
Authors: Zainab Ali Majid and Dylan Brown
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
[1] https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/
[2] https://www.aon.com/cyber-solutions/thinking/social-engineering-attacks-and-covid-19/
[3] https://www.ncsc.gov.uk/news/citrix-alert
[4] https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf
[5] https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats
[6] https://www.bloomberg.com/news/articles/2020-04-08/how-finastra-survived-a-ransomware-attack-without-paying-ransom
[7] https://www.thesslstore.com/blog/20-phishing-statistics-to-keep-you-from-getting-hooked-in-2019/