The following blog post details the security impact COVID-19 has on enterprise security teams. To learn more about TruSTAR and IBM’s Community effort to track COVID-19 observables, click here.
COVID-19 Themed Phishing Attacks
The impact of COVID-19 is disrupting business operations across industries and across the globe. For enterprise cybersecurity operators, this is a one-two punch: a surge of COVID-19 themed adversarial activity, plus increased noise and disruption from the knock-on effects of remote working policies.
It should be no surprise that we are seeing an increase in attack activity around COVID-19 themed content. Our partners at IBM X-Force IRIS have been tracking COVID-19 themed credential phishing, malicious attachments, malicious links, business email compromise, and related exploit content since January 21st, 2020. In the last 60 days, we’ve seen these activities range from spray-and-pray malspam sporting links to ‘important COVID-19 health advisories’ and dropping popular Emotet or Lokibot malware to more sophisticated and organized activity from APT-36 and TA505 using COVID-19 themed lures to drop Ursnif and Dridex.
This past week, our friends at the popular email protection company Proofpoint said this about COVID-19 themed lures:
“To date, the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme that our team has seen in years, if not ever. We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware, among others, all leveraging coronavirus lures.”
While the increase in activity and the susceptibility of an unsettled population will make COVID-19-related activity a focus for enterprise cybersecurity efforts, the knock-on effects will be just as disruptive.
Remote Security Operations
While many of our customers operate globally-distributed security operations teams, some have cultures that are grounded in physical interaction models. If remote working is not in your DNA, learning how to communicate virtually while operating at an increased operational tempo is particularly stressful and prone to disruption.
If your SOC analysts and incident responders are used to managing events and escalations by swiveling around in their chairs, a mandatory WFH policy introduces new workflow and communication gaps. For most in this situation, there is no choice but to try to build the airplane in flight — or as one SOC Manager said, “In addition to keeping up with a higher op-tempo, we’re also trying to write new standard operating procedures with new virtual communication tools and processes on the fly.”
Regardless of whether your security team has a culture of operating remotely, you are undoubtedly dealing with at least some percentage of your enterprise workforce that is adjusting to a remote working environment. This shift has created a different footprint of virtual traffic for most enterprise security teams.
Many front-line security detection technologies, processes, and rule sets work by establishing a baseline view of ‘normal operations’ and then looking for anomalies or deviations from that baseline. With large swaths of the enterprise workforce now working remotely and business functions adjusting to restrictions under COVID-19, the normal pattern of life is being reset and the baseline is a moving target.
This cuts both ways for security operations: more activity looks anomalous, which creates more alerts, and innocuous activity that would otherwise have been easily discounted is harder to ignore.
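The baseline effect described above, as an added example (not code from TruSTAR or its partners): a z-score detector run over constructed daily remote-login counts, once with a baseline frozen before the WFH shift and once with a rolling 14-day baseline. The counts, the window, the threshold and the function names are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed data: daily remote-login counts for one enterprise.
# Days 0-29 are office-based work, days 30-59 follow a mandatory WFH policy.
SHIFT_DAY = 30
office = [200 + 5 * (d % 4) for d in range(30)]
wfh = [1500 + 25 * (d % 4) for d in range(30)]
series = office + wfh
series[50] = 6000  # constructed genuine outlier during the WFH period

Z_THRESHOLD = 3.0  # assumed alerting threshold


def zscore(value, history):
    """Deviation of value from the history mean, in standard deviations."""
    spread = max(pstdev(history), 1.0)  # floor avoids division by zero
    return (value - mean(history)) / spread


def static_alerts(data, train_days=SHIFT_DAY):
    """Baseline learned once on the first train_days and never updated."""
    history = data[:train_days]
    return [d for d in range(train_days, len(data))
            if zscore(data[d], history) > Z_THRESHOLD]


def rolling_alerts(data, window=14, start=SHIFT_DAY):
    """Baseline recomputed each day from the trailing window of days."""
    return [d for d in range(start, len(data))
            if zscore(data[d], data[d - window:d]) > Z_THRESHOLD]


if __name__ == "__main__":
    frozen = static_alerts(series)
    moving = rolling_alerts(series)
    print(f"frozen baseline:  {len(frozen)} alert days out of {len(series) - SHIFT_DAY}")
    print(f"rolling baseline: alert days {moving}")
```

The frozen baseline alerts on every one of the 30 WFH days, so the outlier on day 50 is one alert among many, while the rolling baseline alerts only on days 30, 31 and 50. A rolling window re-learns whatever persists, so activity that is sustained long enough also becomes part of the baseline.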
IT & Helpdesk Backlogs
The movement to WFH for large parts (if not all) of your workforce has also created a surge in IT-related help-desk requests that are creating backlogs in queues for IT teams.
Enterprise security folks often depend on their IT compatriots for systems administration of critical secops tools and for taking/implementing last-mile response/remediation actions. With these teams overloaded, security operations are experiencing a slowdown in response times to their service requests.
Reducing the Noise - A Community Effort
Increasing operational tempos due to the influx of COVID-19-themed exploits and the knock-on effects of remote work policies have created more ‘cover’ for attack activity of any type.
At TruSTAR, we’re working closely with our partners to help reduce the noise in any way we can. When IBM X-Force asked if we could help them make their proprietary COVID-19-themed reporting and observables more easily available to the community, we didn’t hesitate.
Having no-cost, easily accessible and trusted COVID-19 data means security leaders and operators do not need to spend precious cycles finding or curating this data themselves at this critical time.
We have had hundreds of enterprises access this data in the last 72 hours through our API, UI, Chrome Browser, and Slackbot. In the spirit of community, other intel providers have reached out to help and contribute their own proprietary COVID-19 data sets.
We are working with them to make this the most comprehensive and accessible COVID-19 data set for the community, and we will make it available for as long as it is needed.
If you need credentials to this data, please go here: www.trustar.co/covid-19 to sign up.
If you’d like to contribute to this data set, please email email@example.com
Thank you to our partners:
- IBM Security
- IBM X-Force IRIS
- Digital Shadows
- And more to come...