The COVID-19 coronavirus outbreak remains a volatile risk to global health, and it has roiled financial markets all over the world. We still don’t know exactly how this epidemic will continue to spread, or how it will ultimately affect the international economy. However, experience with past outbreaks and recessions suggests that attackers will soon be looking for ways to exploit the uncertainty and hardship of the moment for their own gain. It is worth taking a step back to explore how the cybersecurity landscape might change over the next few months, and what organizations can do now to protect themselves.
Imminent Disruption: Cybersecurity in the Time of Coronavirus
Last week, one of Silicon Valley’s most prestigious investment firms, Sequoia Capital, sent a memo to its portfolio companies warning about the impact they expect the novel coronavirus to have on the world’s economy. The memo hearkened back to a similar notice that the firm sent in the leadup to the 2008 financial crisis, which advised their portfolio companies to prepare for worsening economic conditions to minimize their effect on employees and businesses. The bearish market is beginning to also remind us here at Illusive Networks of how the Great Recession impacted the nature and severity of cyberattacks. There are a few ways that we expect the threat landscape to evolve as the global economy plunges deeper into a downturn:
- A Non-Linear Increase in Cyberattack Frequency
Criminal activity, especially theft, tends to increase in challenging economic times. A UN study of crime patterns during the 2008-2009 economic crisis found a correlation between economic downturns and increases in physical crime. By the same token, cybersecurity analysts such as Gartner’s Avivah Litan and the U.S. Cyber Consequences Unit’s Scott Borg reported an uptick in cybercrime indicators as the Great Recession took root, including more fraud attempts, identifiable pockets of laid-off engineers migrating from legitimate computer work to cybercrime, and an explosion of new malware strains. Nation states and criminal organizations closely watch for cuts in the resources that defenders devote to securing data and systems, and political tensions rise with the economic strain of coronavirus response and control measures. Expect more cyberattacks, especially if would-be attackers confined by quarantines or curfews turn their idle hours to malicious activity.
- Changing User Behavior Creates A More Volatile Attack Surface
To limit the spread of coronavirus, many organizations are either requiring employees to work from home or offering the option of telecommuting. Working remotely is a convenient and ultimately necessary solution for containment. However, it is also straining IT departments that are not used to supporting so many remote employees at once, and a distracted IT department is less able to focus on security priorities. The change also expands the organization’s attack surface: more traffic arrives through remote-access infrastructure, and more work is done on home networks and devices the organization does not control. More remote employees also means more room for human error, such as clicking on phishing links or falling for social engineering schemes that would have been less likely had the employee been physically present in the office. Ad-hoc telecommuting policies rolled out without time for a proper security review will almost certainly open the door to more threats.
- Increased False Positive Alerts at Security Operations Centers (SOCs)
All those newly telecommuting workers will be exhibiting behavior that is novel to the security solutions that monitor user activity: new source addresses, new working hours, new access paths to the same data. Expect non-linear growth in logs, data analysis and alert volume as both AI- and rule-based behavioral analysis systems encounter a blizzard of new anomalies, traffic patterns and user activity that they have not seen before but that turn out, after investigation, to be benign. Systems built to alert on activity that is unexpected relative to a baseline of regular user behavior already generate false positives more than half the time in the normal course of business, and an even higher proportion of false positives should be expected while that baseline shifts under changing health and economic conditions.
- Insider Threats Will Rise as More Disgruntled Employees Are Laid Off
Workforce reductions made in response to worsening economic prospects will likely lead to more insider attempts to exfiltrate data and sell it on the black market for revenge or profit, especially among IT staff who have detailed knowledge of their former employer’s networks and their weak points. Nor is this only a matter of ex-employees: as current workers take on heavier workloads and IT staff are forced to do more with fewer resources, stress and burnout will rise, and with them the temptation to leverage privileged knowledge for illicit gain.
Security Hand Sanitizer: Good Cyber Hygiene that Limits Coronavirus Vulnerabilities
There is no way around it: the economic and social impacts of coronavirus will affect us all if they haven’t already. It doesn’t mean everyone or even most people will suffer the worst consequences, but shocks to global economies and disrupted routines will have far-reaching effects that need to be prudently prepared for to prevent worst-case scenarios that were unthinkable just a few weeks ago. The case is no different when it comes to cybersecurity. Budget cuts, skills and hardware shortages, and supply chain interruptions are probably inevitable. Nevertheless, focusing on the right priorities to keep your security operations resilient and reinforced in the face of a constantly changing threat landscape will help ensure that organizations can weather this particular storm over the next few months without enabling more attacks. There is still a window of opportunity to prepare, and here are a few simple actions that should be carried out right now to improve defenses no matter how this unpredictable situation continues to develop:
- Educate Your Employees About How to Stay Vigilant
Your organization already has (or should have) encouraged employees to take simple steps to prevent the spread of coronavirus, and they are probably washing their hands at an unprecedented rate to do their part. Remind your employees that they are also the first line of defense against attackers who will attempt to take advantage of this highly disruptive time. Now is a good moment to run a refresher on security best practices, especially for employees who are temporarily working remotely. Encourage them to be careful about opening emails and attachments, to manage credentials properly (unique passwords, and multi-factor authentication wherever it is offered), to keep software updated, to lock devices when stepping away, and to watch for social engineering, including pretexts built around the outbreak itself.
- Harden Your Attack Surface against Sideways Attacks
When attempting to move laterally after a breach, attackers often use cached credentials and connection information unintentionally left on endpoints to get closer to the critical data they want to steal. Much of this unnecessary connectivity is a by-product of ordinary, authorized activity: credentials saved in a browser, saved server logons and RDP connection history left on a workstation, or domain admin credentials retained in LSASS memory after an interactive remote support session. Identifying and removing this high-risk and ultimately unnecessary connectivity can greatly reduce an attacker’s dwell time and freedom of movement after a breach, even if they somehow manage to get past the perimeter.
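As an added illustration of the audit described above (this is not Illusive Networks tooling, and the `-Fix` switch is a name chosen for the example), the following PowerShell script inventories the credential and connection residue that commonly survives on a Windows endpoint and, when asked, tightens the settings that let it be harvested. It should be run in an elevated session on the endpoint being checked.

```powershell
<#
  Added example, not Illusive's code: audit a Windows endpoint for stored
  credentials and connection history that support lateral movement, and
  optionally harden the settings that let them be harvested.
  Run elevated. -Fix is a hypothetical switch name for this example.
#>
[CmdletBinding()]
param(
    [switch]$Fix   # apply the hardening changes instead of only reporting
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Saved server logons in Windows Credential Manager (cmdkey is built in).
$saved = cmdkey /list 2>$null | Where-Object { $_ -match '^\s*Target:' }
foreach ($line in $saved) { $findings.Add('Stored credential: ' + $line.Trim()) }

# 2. RDP connection history: one subkey per remote host, usually with a UsernameHint
#    that tells an attacker which account was used to reach which server.
$rdpKey = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
if (Test-Path $rdpKey) {
    Get-ChildItem $rdpKey | ForEach-Object {
        $hint = (Get-ItemProperty $_.PSPath).UsernameHint
        $findings.Add("RDP history: $($_.PSChildName) as '$hint'")
        if ($Fix) { Remove-Item $_.PSPath -Recurse -Force }
    }
}

# 3. WDigest: with UseLogonCredential=1, LSASS keeps plaintext passwords in memory.
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogon = (Get-ItemProperty $wdigest -ErrorAction SilentlyContinue).UseLogonCredential
if ($useLogon -eq 1) {
    $findings.Add('WDigest UseLogonCredential=1: plaintext credentials cached in LSASS')
    if ($Fix) { Set-ItemProperty $wdigest -Name UseLogonCredential -Value 0 -Type DWord }
}

# 4. LSA protection (RunAsPPL=1) stops unsigned code from reading LSASS memory.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsaProps = Get-ItemProperty $lsa
if ($lsaProps.RunAsPPL -ne 1) {
    $findings.Add('LSA protection (RunAsPPL) not enabled; takes effect after reboot')
    if ($Fix) { Set-ItemProperty $lsa -Name RunAsPPL -Value 1 -Type DWord }
}

# 5. Restricted Admin mode for RDP (DisableRestrictedAdmin=0): a support
#    engineer's RDP session no longer leaves reusable credentials on the target.
if ($lsaProps.DisableRestrictedAdmin -ne 0) {
    $findings.Add('Restricted Admin mode for RDP not enabled (DisableRestrictedAdmin)')
    if ($Fix) { Set-ItemProperty $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord }
}

# 6. Cached domain logons kept for offline sign-in (default 10); each one is a
#    crackable verifier for an attacker who already has local admin.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached   = [int](Get-ItemProperty $winlogon).CachedLogonsCount
if ($cached -gt 2) {
    $findings.Add("CachedLogonsCount=$cached; machines that need offline logon rarely need more than 1-2")
}

if ($findings.Count -eq 0) { 'No credential residue findings.' } else { $findings }
```

Run it without `-Fix` first and review the list: stored credentials found by `cmdkey /list` are removed per entry with `cmdkey /delete:<target>`, which the script deliberately leaves to a human because some of them are legitimately needed. Restricted Admin mode is a trade-off rather than a free win: it keeps the administrator’s credentials off the remote host, but it also allows an RDP logon using only an NTLM hash, so pair it with LSA protection and with denying domain admins interactive logon to workstations.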
- Look for Tools that Enable SOCs to Do More with Less and Reduce Alert Fatigue
With false positives making up more than half of alerts, and changing circumstances generating more alerts than usual, alert fatigue becomes a greater risk. This is especially true if the knock-on economic effects of coronavirus force SOCs to downsize, leaving each analyst to handle more investigations with fewer resources and tools. Organizations should implement now the filtering that reduces false positives before an analyst ever sees them, improve triage and prioritization of incoming alerts, and speed up response to the alerts that truly matter.
- Invest in Technologies such as Deception that Avoid Generating A High Volume of False Positives
Alternatives to broad-based anomaly detection are now commercially viable and operate at scale, up to hundreds of thousands of endpoints. Probabilistic behavioral and AI-based approaches have a long track record of false positives and low-quality alerts that are often ignored because they fire constantly, and they have proven unreliable against malicious insiders and advanced external attackers. Deception-based cybersecurity takes a deterministic approach instead: deceptive data (credentials, connections, files) is planted across the network and on every endpoint, in exactly the places an attacker looks when trying to move laterally. Because no legitimate user or process has any reason to use these elements, a notification, with full forensic reporting, is sent only when a threat actor actually engages one. There is no guessing based on analytics and algorithms; deception separates the wheat from the chaff and focuses attention on the threats that truly need it.
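To make the deterministic principle concrete, here is an added example of the general technique (it is not Illusive’s product or code, and the host, domain and account names are made up): plant one decoy saved credential on an endpoint, then hunt the Security log for any logon attempt that uses the decoy account. The decoy account must either not exist or exist only as a disabled account, so that any attempt to use it is by definition attacker activity rather than a behavioral anomaly that still needs investigating.

```powershell
<#
  Added example of a deception honeytoken, not Illusive's code.
  Plant: stores a fake server logon in Credential Manager, where credential
         dumping tools look.
  Hunt:  finds logon events whose target account is the decoy user.
  decoy-fs01.corp.example, CORP\svc_backup and the switch names are assumptions.
#>
[CmdletBinding()]
param(
    [ValidateSet('Plant','Hunt')] [string]$Mode = 'Hunt',
    [string]$DecoyHost = 'decoy-fs01.corp.example',
    [string]$DecoyUser = 'CORP\svc_backup',
    [int]$LookbackHours = 24
)

function Install-DecoyCredential {
    # The password value never matters because the account is not real; it just
    # has to look like a saved service logon to anyone who dumps the vault.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pass = [Convert]::ToBase64String($bytes)
    cmdkey "/add:$DecoyHost" "/user:$DecoyUser" "/pass:$pass" | Out-Null
    "Planted decoy credential for $DecoyUser on target $DecoyHost"
}

function Find-DecoyUse {
    # 4624 (success), 4625 (failure) and 4648 (logon with explicit credentials)
    # all carry TargetUserName in EventData. On a domain controller add the
    # Kerberos/NTLM events 4768, 4771 and 4776 to the Id list.
    $account = ($DecoyUser -split '\\')[-1]
    $filter  = @{ LogName = 'Security'; Id = 4624,4625,4648
                  StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $hits = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $x    = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $account) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                EventId     = $ev.Id
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
                LogonType   = $data['LogonType']
            }
        }
    }
    if ($hits) { $hits | Sort-Object Time }
    else { "No use of decoy account '$account' in the last $LookbackHours hours." }
}

switch ($Mode) {
    'Plant' { Install-DecoyCredential }
    'Hunt'  { Find-DecoyUse }
}
```

Run with `-Mode Plant` on the endpoints you want to seed, and run the hunt where the authentication attempt will actually be logged: an attacker who harvests the decoy will try it against the decoy host or the domain, so the events land on that host or on the domain controllers, not on the seeded workstation. Because the account is not in use anywhere, the hunt needs no baseline and produces no false positives; every hit carries the source address and workstation name needed to start an investigation.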
Want to learn more?
Illusive Networks stands ready to assist organizations to strengthen their security even as coronavirus and the associated economic downturn creates increased uncertainty. Our experts are available on short notice, and can offer an immediate and free Attack Risk Assessment that can reduce your organization’s attack surface, identify and stop the slow-and-low sideways attacks typical of nation states and organized criminal gangs, and speed up triage, investigation and mitigation of the latest threats.
Speak to the Illusive security team – Schedule a Demo
View our on-demand webcast, Scenes from the New Normal: Cybersecurity in Uncertain Times.