The last few months have brought drastic and long-lasting changes to the business world. Indeed, for a great many people it’s fair to say the workplace may never be the same again. From a cyber security perspective, the landscape has undergone a rapid shift as both attackers and defenders adjust to the new normal of widespread remote working.
Analysing data processed by several of our customers’ Security Operations Centres (SOCs) amounting to an average of 10,000 security alerts per day, we have noted several key trends in how threat actors have continued to change their attack tactics. While many organisations had the resources and processes at hand to adapt to these new attacks, other companies must work quickly to automate and strengthen their defences to keep pace. In this piece, we will explore four key lessons from our research and how organisations can adapt to respond to future crisis events to protect their data, systems and networks.
Lesson one: Winds of change brought calm before the storm
Somewhat surprisingly, we actually saw a drop in the volume of attacks in March as the lockdown took effect and most companies either sent their workforces home or shuttered their operations. There were two potential reasons according to which side of the fence – attacker or defender – you sat. From the business side, many companies reconfigured their systems according to the technology and processes needed to support staff working from home. This meant for a short time there were fewer opportunities for threat actors to launch attacks. Meanwhile, the criminals were also adjusting, as they redefined their tactics to take advantage of the new landscape.
Unfortunately, this lull was only temporary. As we entered April and both organisations and their antagonists settled into the new normal, we saw a drastic spike in activity. In fact, the volume of attacks we detected increased to three times the normal pre-COVID amount. The lesson here is that organisations need to know they can cope efficiently with sudden surges in the volume of security alerts should a Black Swan event like COVID-19 ever strike.
Lesson two: A workforce turned inside out
In an interesting twist, our data appeared to show a complete absence of insider threats during the COVID lockdown. Of course, this does not necessarily mean that malicious employees saw the error of their ways – although the threat of furlough or lay-offs could well be a factor in ensuring best behaviour. The most likely explanation is that the switch to mass remote working means everyone is treated as an outsider and so their activity is logged differently. To counter this, it’s recommended that firms put in place measures to determine the context of security alerts. This will allow them to differentiate between suspicious activity generated by genuine outsiders and notifications triggered by abuse of insider privileges.
Lesson three: Fertile phishing conditions
As the volume of attacks began to swell, the new threat landscape started to take shape. At the height of the pandemic our systems registered an explosion in phishing attacks, a well-established technique for executing social engineering scams on unsuspecting workers. We saw the number of incidents double in the period February to April alone. The use of malicious URLs also saw a huge jump to almost six times the levels seen in February.
Phishing attacks, such as those containing links to bogus news updates or fake deals on medical equipment, are the perfect way to prey upon the hunger for information and the fears of a multitude of newbies suddenly alone and working from home. Outside the purview of their IT and security teams, ordinary workers were vulnerable and cyber criminals sensed an opportunity to turn things to their advantage.
The rising tide of security alerts caused by phishing activity was also a problem for security teams whose resources were frequently stretched and geographically dispersed by the crisis. In short, the COVID-19 crisis is a wake-up call for SOCs that have held back on automation. Too many are over-dependent on manual processes and have no quick way to tell between genuine threats and false positives.
Lesson four: The force is strong
Our systems also witnessed a large increase in brute force attacks which were up 60 percent in April compared to the previous three months. The goal was to crack the username/password combination on various network assets including application servers, firewalls, VPNs and remote access servers. The unprecedented number of people working from home proved an attractive target for cyber criminals seeking to brute force their way into VPN connections. Other online assets such as web applications, websites and email servers were also attacked. Faced with this onslaught organisations are crying out for security measures that give them a clear view of the nature and severity of every alert. Only then will they be better able to make informed decisions about incident response priorities.
Half-office, half home: the new normal is hybrid
As lockdown restrictions ease, organisations are preparing for a return to the office, only too aware that a new COVID-19 wave may be just around the corner. It seems likely that for the foreseeable future a hybrid of office and home working will become the new normal. This presents security risks of its own. In battling against security threats on two fronts – rising attack volumes and increased vulnerability of remote operations – businesses can ill-afford to miss alerts or waste precious time investigating false-positives. The best way to manage this fast-changing and increasingly sophisticated threat landscape is with process automation.
SOC teams need a clear, holistic picture of the thousands of disparate alerts coming from different security solutions in order to make informed decisions about which threats to act upon. A risk-based approach categorises threats in terms of their severity and context which leaves the security analysts free to focus on the most dangerous threats without the risk of others being overlooked.
With automated responses taking care of most common alerts, security analysts have more time to focus on investigating high risk alerts.
As both the nature of the workplace and the threat landscape continue to change, companies would do well to adopt security strategies and solutions capable of evolving rapidly to help them keep pace.
Author: Faiz Shuja, Co-Founder & CEO, SIRP Labs