COVID-19 Intelligence Briefing: What Happens Next?

TruSTAR recently held an intelligence briefing with leaders from IBM X-Force IRIS, BAE Systems, and Intel471 to discuss the threatscape surrounding the COVID-19 pandemic. This briefing is part of a larger COVID-19 OSINT Project to track and share vetted observables related to COVID-19 phishing and malware exploits. You can request access to this OSINT Community here.

Below, we have edited and condensed parts of the panel Q&A. To view the full webinar and hear more about the latest intelligence surrounding COVID-19, click here.

COVID-19: What Happens Next?

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Nick, what are you seeing as far as what's next?

Nick Rossman, Research & Operations Lead, IBM X-Force IRIS Intelligence:

I think what we're looking for next is what are the enterprises going to do? On the defensive posture, are you prepared to operate your SOC virtually, are you getting data in your environment to the right people who need it, even when you're in virtual?

I think, strategically as we see the landscape, there are a lot of brewing, consistent conflicts. US-Iranian tensions in particular. How does COVID-19 start to change that? As oil prices decrease do some of those actors get more desperate?

In a view of US-Chinese tensions, as this blame about who is responsible for COVID-19, what information is true, what's viable? How does that start to impact the cyber actors we all look for on the espionage side with those groups? So, it's almost like COVID-19 becomes another strategic layer around the globe in these persistent conflicts that brew and we see on the cyber side.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Maurits, where are you seeing this going in the next days, weeks, months? How long are we in this for?

Maurits Lucas, Director of Intelligence, Intel471:

My entirely personal opinion is we're going to be here for a little while. Suddenly, we're all changing how we work. We're at home, we're working from home, so we need remote access, organizations are switching more to cloud services and opening their networks up so people can remotely access it. We're using tooling to work together virtually more, so stuff like Zoom, et cetera.

It's a whole new way of working that some people have been doing for a while, lots of people have been talking about it, but that has suddenly been accelerated. I think for larger organizations, that is the seismic change that is now suddenly being foisted upon them.

Your work life and your personal life start bleeding into one another much more. So can you keep work and your personal life completely separate or are you going to be installing some additional software on the bring-your-own-device laptop to be able to run these two things concurrently? What are the new threats? What are the corresponding controls that organizations need to deploy on that?

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Adrian, are we going to look back in 12, 24 months and see the way attack patterns have changed as a result of COVID or the way this threat has impacted the landscape? Are we going to look back and say that was a blip on the radar and it's sort of back to business as usual, either if you are a defender or an adversary? Or will there be really sustainable changes and a bit of a paradigm shift and, if so, where?

Adrian Nish, Threat Intelligence Lead, BAE Systems:

Optimistically, we will get back to business as usual, hopefully not too far in the future. The advice I would give to people is, make sure you're watching what all of the changes were on your networks to enable home working because it's very easy to get back to business as usual and just forget about that. Of course, the bad guys will continue to be scanning and looking for opportunities and if they find them, even months down the line, they will exploit them. I think it is going to be rich pickings for the bad guys for months to come because of this.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

I want to highlight here the intel that our partners have shared has been instrumental in curating a corpus of data for the community. We've made that data available on TruSTAR through a variety of different mechanisms. This is not just about having the right intel, but how do you actually get it into your operational workflow.

So we've got the data available on the TruSTAR platform in an enclave that has been open sourced. What we've got on TruSTAR is a curated corpus from our partners. There's about 70 reports, 70,000 or so indicators that have been vetted, again, by these partners. It's been interesting to see how the types of malware have evolved in the last two months, less about particular types and more about how the variability has expanded.

So with that, let's take a couple questions from the audience.

How does endpoint device security change if the device is in the office or at home? Do we need to take a zero trust approach regardless of the device's location? Adrian, comments on zero trust and endpoints and the office or corporate versus at home?

Adrian Nish, Threat Intelligence Lead, BAE Systems:

It depends if they're corporate assets or personal devices that are being connected. Certainly, with corporate assets, I'd expect you've got a secure VPN, you've got a hardware token, and an RSA key to access that VPN. If people are connecting to home wifi, there should be no choice but to connect over the VPN for that; that's just standard best practice for corporate devices.

If they're bring-your-own-device, it's a bit trickier. If there's any kind of temporary accesses set up, again, just make sure those are properly monitored, properly logged, and that they're torn down afterwards, they should only be used for as long as they're needed.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Maurits, where are these attackers from? Any trends?

Maurits Lucas, Director of Intelligence, Intel471:

In general, I think most of them are from the usual kind of hot spots. Russia, Eastern Europe and other countries are certainly represented there. The actual truth is that the cyber underground stretches all over the place, and all of the groups or factions there that want to be involved in this have jumped on the bandwagon.

Patrick Coughlin, Co-Founder & CEO, TruSTAR Technology:

Maurits, how long do you expect the COVID-19 related campaigns to persist?

Maurits Lucas, Director of Intelligence, Intel471:

I think this is going to go on for a while. Years later there will still be conspiracy theorists and someone will come up with one that's, "You won't believe what the actual truth behind..." I mean I think Area 51 can move over for COVID-19. So this is going to be with us for a long, long time.

To watch the webinar in its entirety, click here. For more information on joining the COVID-19 OSINT Community, click here.