As many countries enter their second full month of Covid-19 lockdown, its impact on the threat landscape and enterprise cybersecurity is starting to become clear. I spoke to several experts a few weeks back for an Infosecurity Magazine news feature on the topic.
Some of the key challenges facing organisations are in enabling secure remote working en masse without impacting productivity.
“The fact that employees are transitioning to working from home is the key risk. All these employees are now working in new environments using technology and processes they are not used to, something bad guys will take advantage of,” SANS Institute director of security awareness, Lance Spitzner told me.
“All of this change creates an environment where it is very simple for bad guys to take advantage of and trick people working from home for the first time. They don’t have all the security technology protecting them at home that they normally would at work.”
The SANS guide to secure home working advises users to: be suspicious of any emails trying to create a sense of urgency to click through or enter info; take steps to protect home Wi-Fi (change default passwords and restrict access); create strong passwords on any websites; ensure all devices are running the latest software; and don’t let family and friends use work devices.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, agreed that users are at the frontline when it comes to tackling Covid-19 cyber-threats.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education,” he told me.
“Users should be encouraged to approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials.”
Restricting users according to least privilege policies is also a must-follow best practice, as hackers go after VPN log-ins to directly access data and applications, DeGrippo added. In fact, there have been widespread reports of cyber-criminals targeting remote access infrastructure; not only via phishing emails and brute forcing but also exploiting unpatched vulnerabilities. Microsoft has warned of APT-like behaviour from many well-known ransomware groups, which are targeting hospitals.
Time to automate?
However, aside from the uptick in Covid-themed phishing, which is delivering crypto-jacking malware, ransomware, info-stealers and more, the pandemic has forced IT security teams to work in different ways. Michael Armistead, co-founder and CEO of Respond Software, argued that SOCs and security departments are faced with both minor and meta challenges.
“Making sure practitioners can perform their jobs remotely with adequate bandwidth and communication platforms, and have the ability to act on security incidents will be a challenging undertaking for many firms,” he told me.
“I believe many of those tools and platforms are in place … but you just never know how well they will work in practice if an organisation is now distributed for the first time. Still, I’d count these very real and very practical issues as minor because they can be solved in relatively short order.”
In fact, research emerging suggests that security teams are struggling. A global poll by industry body ISACA found that only around half (59%) of members feel their cybersecurity team has the right tools and resources at home to perform their job effectively. Tellingly, just 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats. A separate study from (ISC)² revealed that nearly half (47%) of global security professionals have been taken off some or all of their typical tasks to support other IT-related jobs, like WFH. A third report, from Barracuda Networks, ominously suggested that 41% of firms have actually cut IT security budgets to save money during the crisis.
In fact, investments in specific technologies could be a smarter way of reducing costs and improving security outcomes during the crisis, according to Armistead.
“The situation screams out for automation to relieve the pressure on people to sift through mountains of data and to act quickly,” he said. “SOCs and IT security teams need to look at their processes and procedures in light of the distributed workforce. Do they make sense and how quickly can issues be resolved?”
The immediate future remains uncertain, but if remote working is to become more widespread as the pandemic recedes, IT and security leaders better adapt to the new reality fast.
Last week, the world’s oldest travel agent, Thomas Cook, collapsed, leaving around 150,000 holidaymakers stranded. But the demise of one of the UK high street’s best-known brands didn’t just end up costing the government, which had to foot the bill for repatriation. It resulted in another opportunistic phishing campaign of the sort that often follow major news events.
In this case, reports soon emerged of consumers targeted with phone calls and emails purporting to come from ‘refund agents’ who just needed their bank/card details in order to reimburse them for their holiday. I spoke to some security experts to find out how far brands are exposed to such campaigns, and what they can do about it. The consensus is that communication with customers is key.
“Organisations and users are at their weakest, post-incident, when it comes to fraud. As we’ve seen time and time again, hackers almost immediately distribute phishing attempts to try and capitalise on an incident,” Proofpoint cybersecurity strategist, Adenike Cosgrove, told me by email. “The repercussions are huge: it will affect customers as well as financial institutions dealing with the aftermath, as their contact centres are inundated with calls from concerned consumers.”
The primary impact of such scams is on customer confidence and trust in the brands they do business with, according to Gemma Moore, director at security consultancy Cyberis. However, they’re almost impossible to stop, she told me.
“What brands can do is manage their customer communications closely and ensure that their customers are well-briefed about how the brand will communicate with them and under what circumstances,” Moore continued.
“Brands can work to educate their customers to treat communications with a sceptical eye. Many banks, for example, regularly remind their customers that they will never contact them asking for sensitive information like card details by email or telephone. Ultimately, vigilance is the best defence for people who are targeted in this way and brands can help this by maintaining clarity.”
Banks add confusion
So, organisations need not only to have a clear communications strategy but also to remind customers what this is, so that any phishing attempts that deviate from the norm will be easier to spot. With the Thomas Cook incident, however, UK banks added to the confusion by texting their customers with messages containing links and phone numbers to call. Some recipients understandably believed these to also be phishing attempts, especially as some claimed not to have even bought a holiday with Thomas Cook recently.
Once again, transparency and consistency is key to keeping customers safe.
“How the banks communicate is key. There is an argument that they should not use text messages as SMS phishing is rife and would potentially confuse consumers,” said Cosgrove.
Brands must not only try to mitigate the impact of attacks on consumers, of course, but also attempts to phish their employees, which could lead to serious data breaches, ransomware infection or other threats. At the same time, and backed by a global cybercrime economy built on stolen data and dark web sites, cyber-criminals are constantly evolving their tools and tactics to trick both employees and consumers.
One technique gaining in popularity is “angler” phishing, where fraudsters set up Twitter accounts masquerading as brands’ customer service operations. They monitor complaints from customers and then jump in to hijack the conversation, often requesting additional personal info and financial details from the victim.
“Another key trend we are seeing is an increase in domain fraud, where criminals leverage domains to target a known brand or company by sending phishing campaigns that look like genuine communication,” Cosgrove explained.
“Recent research shows that 96% of organisations found ‘lookalike’ domains posing as their brand, with registrations of fraudulent domains growing by 11% last year.”
This is where brand and domain monitoring services could come in handy, although as with any cyber-threat, defence-in-depth is recommended. Phishing campaigns are relatively easy to launch and have a decent success rate, so don’t expect any major change in tactics anytime soon. Ultimately all organisations can do is educate their customers about the dangers, create clear, careful communications policies, and closely monitor abuse of their brands and domains online.
The Domain Name System (DNS) is one of the least understood but most crucial parts of any IT environment. Although it’s operated via a global network of servers under the control of ISPs, non-profits, registries and others, attacks can strike to the heart of any organisation. DDoS, phishing, malware downloads, C&C communications and even data exfiltration can all take place via DNS channels.
Because it’s always on and running in the background, converting domain names to IP addresses so users can surf the web, it’s a great conduit for attackers. But that also makes it a useful place to gain advanced insight and control. I spoke to a range of industry experts on the key challenges and opportunities facing firms.
A new favourite
DNS attacks are becoming increasingly popular with nation state hackers. Sea Turtle and DNSpionage campaigns over the past couple of years have targeted Middle Eastern governments and military organisations. They typically compromise key DNS servers, and change the queries stored in them to enable man-in-the-middle phishing attacks designed to secretly steal important passwords. Part of the problem, according to Nominet’s head of IT security, Cath Goulding, is that the protocol is decades old.
“DNS was designed nearly 50 years ago. The people who created it could not possibly imagine the threats that we face today,” she tells me via email. “The advanced malware that we see could not be conceived 50 years ago, so DNS was not designed to defend against it. Humans simply can’t manually monitor the amount of data that passes through it, so we must rely on algorithms and machine learning to keep us safe.”
Gary Cox, technology director for Western Europe at Infoblox, adds that DNS is increasingly being targeted by hackers as other avenues are blocked.
“DNS has become more and more popular as a result of other security gaps being filled – by things like next-gen firewalls, IDS/IPS systems, highly capable endpoint protection going well beyond just basic Anti-Virus,” he explains to me. “New attack vectors are continually explored and exploited, and the latest twist from a DNS perspective is that DNS over HTTPS (DoH) is now being used to circumvent DNS security controls.”
According to DNS pioneer and Farsight Security CEO, Paul Vixie, services like DoH “are well intentioned but policy-ignorant, and many threats to the user or to the rest of the user’s network are able to bypass security controls when the user bypasses the local name service.”
Another example of a DNS bypass attack which has garnered an increasing number of headlines over the past year is DNS rebinding. In this attack, hackers first get victims to click on malicious links or online adverts, with rebinding techniques enabling them to bypass the network firewall and use the victim’s browser as a proxy to target any devices on this network. It’s predicted that this type of attack could become increasingly popular in compromising IoT endpoints.
What can we do?
So how can IT security leaders hope to mitigate the risk of a DNS-based attack? After all, with the DNS servers themselves usually out of their control, there’s a limit as to what they can do, right? Well, yes and no. Goulding argues that by using analytics services that search DNS traffic, organisations can turn the ubiquity of DNS to their advantage, using it as an early warning system to spot and block attacks before they’ve had a chance to impact the organisation.
“Utilising a DNS monitoring tool is the first step to mitigating the DNS risk,” she explains. “And while not every firm can afford high-level DNS protection, taking steps to ensure staff education is crucial, too. For many workers, they might not be clear what is and what isn’t a malicious link or malicious add. Ensuring staff have the tools they need to work out what might be malicious and what not be malicious will ensure company safety.”
ISACA board director, Asaf Weisberg, adds that DNSSEC should be rolled across the industry “to strengthen authentication in DNS, by using a DNS Zone’s private key to digitally sign the DNS data, and allowing the resolver to confirm the validity of the DNS data through a corresponding public key that is being retrieved as part of the DNS query.”
However, efforts thus far have been poor. It’s claimed that less than 20% of DNS stakeholders have adopted the specifications – a figure ICANN wants improving urgently. Without this kind of cross-industry response, DNS could remain a security blind spot for organisations for many years to come.