As many enterprises grapple with the sudden shift to an entirely remote workforce, bad actors are looking to take advantage of users’ unfamiliarity of their new working conditions. The types, volumes, and sources of threats have evolved rapidly in recent weeks. Hackers often use current events and fear to create a sense of urgency, eliciting users into opening attachments and clicking links. This past Wednesday, March 24th, ReliaQuest experts dove into hacker tactics and ways to protect against these in the second webinar in our series.
Common Hacker Tactics in a Remote Workforce
One method hackers are using is sending phishing emails seemingly with relevant information regarding Coronavirus. Phishing campaigns entice recipients with information regarding how to protect from the coronavirus with an attachment, such as Microsoft Office documents, or link to malware. Variants such as Emotet or Lokibot can be the final delivered payload, but other ransomware, trojan, or bot variants are common. Successful execution can result in a disruption of business critical systems, credential theft, or crypto mining.
In the last couple weeks, the number of domains registered with Coronavirus related terms has spiked with ~1000 registrations a week since Early Feb, according to Check Point Research. Hackers use fake information sites, including fake coronavirus maps, to solicit for personal information and use browser exploits to inject malware directly to users’ systems. One common malware seen with fake coronavirus maps is AZORult, a family of spyware that steels data like login credentials and banking information, and acts as a command-and-control to download additional malware.
Protecting Newly Remote Users
During the webinar, we discussed detection methods for recognizing these types of tactics with the added challenge of gaining visibility to remote systems. With many enterprises leveraging SAAS solutions, often remote users will not be on a VPN accessing corporate applications or data. This also means their traffic is not passing through traditional preventative security solutions such as NGFW/IPS nor leveraging internal DNS.
While some enterprises may elect to push all users into a full VPN to regain elements of visibility and control, the additional capacity and expense will not be a common option.
The webinar covered different solution types around areas such as:
What types of communications provide optimal awareness and education? While many users may have temporarily worked at home previously, they will be unfamiliar and perhaps initially uncomfortable working from home fulltime. Security is in an ideal role to provide guidance, set expectations, and create awareness for the threats they may encounter.
How can existing technology be utilized more optimally with your remote users? How can Endpoint Protection Platforms (EPP) or Endpoint Detection and Response (EDR) be fully leveraged for host intrusion prevention, threat detection, and forensic investigation?
How can vulnerabilities be recognized and managed across remote systems?
Unfortunately, the baselines either gathered through machine learning or from manual daily analysis are no longer valid. How can new norms be established?
ReliaQuest believes security is a team sport, so we are sharing use cases, automation plays, and threat intel research powering our GreyMatter platform to help protect your organization. Sign-up for our Rapid Response Resources Series to receive specific use case queries to optimize in your SIEM, attack overviews, and recommended automation plays.