As precautions to slow the spread of COVID-19 disrupt organizations, especially the rapid conversion of their normally on-site workforce to remote roles, the potential for cyber threats and vulnerability to attacks is greater than ever. Organizations without heightened preparedness could experience breaches, exfiltration of financial or business data, broad disruption of productivity, and ransomware.
Adding to the complexity is an end-user workforce that is hyper-focused on both personal and professional preparedness for everything related to Coronavirus/COVID-19. With vendors reducing operations, SLAs potentially being altered because of reduced staff, and freelance staffer payments in flux, attackers know that inboxes are still their best bet for gaining access to an end-user’s machine, and that access could then propagate across an organization’s networks.
The global pandemic is not only forcing workers to re-evaluate and reprioritize, it’s allowing hackers to find new ways to profit off their attacks. Here are several suggestions that could help to combat and prevent a major breach:
Update Firewalls to Blacklist Sites/Domains – Because new domains are quick and easy to register, hackers are setting up sites that appear to be news or informational resources about the real-world Coronavirus/COVID-19 threat. Updating firewalls or other website blocking solutions can help. If there’s an option to blacklist sites manually, it’s good to check in with trusted threat reporting sites to get newly reported URLs to block. Forbes has published a good list that can serve as a starting point.
Another effective way to stay ahead of hackers is with a heuristic URL-based approach to detect phishing attempts.
Assume Executive Email Spoofing – Given that it’s a relatively easy task to determine the names and email addresses of C-suite executives at any company, hackers are already spoofing emails that appear to be from executives with messages that might seem related to Coronavirus updates. Communicate this heightened activity and risk with your employees. Have them double check email addresses and links before responding or clicking.
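The "double check email addresses" advice above can be turned into an automated mail-flow check. This is an added example, not code from the post or from BluVector: it parses the From, Reply-To and Authentication-Results headers, and flags a message when the display name matches an executive in a directory but the mailbox address does not, when the sender domain merely resembles the corporate domain, when Reply-To diverts replies elsewhere, or when a message claiming the corporate domain failed SPF/DKIM. The corporate domain, the executive directory and all four sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumed
# Constructed directory: normalised display name -> the executive's real mailbox.
EXECUTIVES = {
    "alice chen": "alice.chen@example-corp.com",
    "bob ortiz": "bob.ortiz@example-corp.com",
}


def normalise(name):
    # Lower-case, drop commas, collapse whitespace so "Chen, Alice" and "alice chen" compare equal.
    return " ".join(name.lower().replace(",", " ").split())


def check_sender(raw_message):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # 1. Display name of an executive paired with a mailbox that is not theirs.
    name = normalise(display)
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{display}' does not match directory address {EXECUTIVES[name]}")

    # 2. Sender domain that contains the corporate label but is not the corporate domain.
    if domain != CORPORATE_DOMAIN and CORPORATE_DOMAIN.split(".")[0] in domain:
        findings.append(f"lookalike sender domain {domain}")

    # 3. Reply-To steering responses to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Message claims the corporate domain but the receiving MTA recorded an auth failure.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == CORPORATE_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append("claims corporate domain but SPF/DKIM failed")
    return findings


# Constructed sample messages (headers only matter; bodies are placeholders).
SPOOFED_DISPLAY_NAME = "\n".join([
    "From: Alice Chen <alice.chen.ceo@freemail.example>",
    "To: payments@example-corp.com",
    "Subject: Urgent: COVID-19 vendor payment", "", "Please process today."])
LOOKALIKE_DOMAIN = "\n".join([
    "From: Bob Ortiz <bob.ortiz@example-corp-hr.com>",
    "Reply-To: payments@freemail.example",
    "Subject: Updated remote work policy", "", "See attached."])
LEGITIMATE = "\n".join([
    "From: Alice Chen <alice.chen@example-corp.com>",
    "Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass",
    "Subject: Coronavirus update", "", "All hands at 10."])
FAILED_AUTH = "\n".join([
    "From: Alice Chen <alice.chen@example-corp.com>",
    "Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com",
    "Subject: Coronavirus update", "", "All hands at 10."])

if __name__ == "__main__":
    for label, raw in (("spoofed name", SPOOFED_DISPLAY_NAME), ("lookalike", LOOKALIKE_DOMAIN),
                       ("legitimate", LEGITIMATE), ("failed auth", FAILED_AUTH)):
        print(label, "->", check_sender(raw) or ["clean"])
```

In practice the findings would feed a quarantine rule or an inbox banner rather than a print statement; the directory lookup is the piece that catches the "executive name on a free-mail address" pattern the post describes, and the Authentication-Results check relies on the organisation's own inbound MTA having stamped that header.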
Look Out for Anomalous Network Activity – If your teams are more remote than ever, looking at network activity, both east-west and north-south, is as important as ever to detect malware or threats that are creeping between on-premises servers or between endpoints when connected to a network.
Communicate Increase in Hacking Attempts – When attempts do occur, assume that attackers will try again and again. While the security team is well able to handle many threat events on its own, letting employees know when high-volume attacks happen keeps future threats at the top of their minds. Designating a security team member to be the conduit to inform end-users can significantly improve prevention. In some organizations, this might be done by an internal communications team based on their guidelines.
Mobilizing SOC Operations – As larger organizations with a security operations center (SOC) often require that team members be on-site to manage data, networks and security, there are new challenges in the age of the Coronavirus. While not every SOC team can mobilize, SOC managers might already be working on “plan B” solutions, such as virtualizing assets or reducing the number of SOC operators on-site at any one time. SOC managers and their teams that have been given the mandate from their CISO or C-suite to fully mobilize may have to decrypt traffic, alter access or shift resources, update passwords, troubleshoot remote operations, check VPNs and enable remote operations. Each step increases the possibility of a successful attack. Designating a person or team to monitor and evaluate each task in the mobilization list can reduce the margin for error.
Document, Document, Document – As all SOC teams know, documentation is a requirement and a useful activity. Given the chance that team members might get ill or have to care for sick family members, SOC managers should ask critical team members to document tasks that had not been previously captured, or document tasks altered due to recent changes.
Minding Threat Gap Areas – SOC teams typically know where they’re most vulnerable, and advanced threat actors are increasingly aware of those weak spots, or have tools to probe for them. Identifying and mitigating those gap areas quickly, or paying extra attention to them, can significantly reduce the potential for such threats.
Keeping these suggestions in mind can help team leaders focus their teams on the potential work to be done to decrease cyberthreat risks within their organizations, and improve operations when they’re finally allowed back in the SOC again. If increasing your organization’s cyber threat detection is part of your upcoming goals, reach out to BluVector to hear more about how our advanced threat detection solution can help.