The COVID-19 pandemic has greatly affected our lives in many ways. Mandatory quarantines, closure of businesses, and social distancing have become a staple of the current world climate. Cybersecurity, network defense, and computer incident response have likewise been significantly affected. This blog describes how COVID-19 has impacted cybersecurity incident responders. Computer incident response teams (CIRTs) and security operations centers (SOCs) have had to adjust, malicious actors have attempted to use the pandemic to their advantage, and threats to end-users have changed in our new telework-focused environment.
Cybersecurity First Responders – the Human Element
The pandemic has significantly impacted incident responders – the analysts working in CIRTs and SOCs analyzing data, reviewing alerts, and addressing security incidents. Incident responders are often deemed “essential” and continue working full time, in contrast to employees who are permitted to telework or work reduced hours during stay-at-home and safer-at-home orders. In some cases, incident response work cannot be performed remotely, so incident responders must continue working at customer sites. Many responders are showing a strong commitment to their organization and/or customer missions by working in an office environment while observing the necessary precautions for social distancing.
One mitigating factor for security staff is that many organizations are seeing a significant decrease in user network activity. This is very likely due to reduced staff hours and reduced access to some enterprise resources. Since one of the hardest things responders face is combating poor security awareness and risky security practices in end users, this has taken some of the pressure off; the number of cases related to user activity has thankfully decreased.
User Behavior Changes
Novetta’s incident responders have observed the following changes in end-user behavior on customer defended networks:
- Increased use of social media sites and an increased number of social media-related security events from phishing and social engineering attempts
- Massively increased use of video teleconferencing sites/services and related vulnerabilities and information leaks from these services
- Increased browsing of COVID-19 news articles and virus tracking sites, leading to browser-based attacks from malicious websites hosting fake news and maps
It’s possible that users of these customer defended networks don’t feel the same level of vigilance about using safe online practices while working remotely – being physically in an office may provide a different “secure” mindset.
The “New Normal”
A major challenge for incident responders is that the baseline for normal network activity has completely changed. Users are now working remotely, using different services, doing more personal browsing on their work computers, and generating a different volume of network traffic and events. Before COVID-19, security teams had an established baseline for this network activity. They used this baseline to create monitoring rules, set up detection alerts, craft specific dashboards, and investigate anomalies that fall outside the baseline. With the near-full migration to remote activity, however, the number of false-positive alerts has skyrocketed, and many more events look like anomalies. For example, some security-conscious users have their own personal VPN services for secure browsing, and these VPN services have diverse geographic exit points. If these users connect to an organization’s network from a foreign location not commonly seen, this could raise an alert that needs to be investigated.
Security teams now have to create new baselines and adapt to the “new normal.” Gradually, as COVID-19 subsides, they will have to adjust their baselines as organizations reconstitute and move to operating models that blend remote and onsite.
Cyber Threat Actors Adjust Tactics
Malicious actors are using the pandemic to their advantage, as they do for many major world events. People engage with things that are interesting and relevant to them, and COVID-19 is relevant to everyone. As the first cases were being reported in the United States, we observed numerous phishing email campaigns. The first wave of emails simply used the same phishing templates and malicious links and attachments, but included content about the pandemic. An example email subject line might be “New COVID-19 infection map shows extent of virus.” Initially, a number of these were more successful than generic phishing attempts seen on a weekly basis. The most successful lures continue to be simple and plain, offering a link to tracking maps showing the spread of COVID-19. The embedded malicious websites attempted to drop an assortment of adware, spyware, or ransomware.
By roughly mid-April, phishers adjusted their tactics and took advantage of the increased use of streaming services by people staying at home. Responders started seeing a new wave of phishing emails, SMS messages, and social media posts offering free trials for Netflix, Disney+, and other popular services. Another evolution of phishing happened after the introduction of the CARES Act legislation, as emails used crafted lures relating to how to get stimulus money. Many of these phishing attempts included the same malicious content as previous phishing attempts, just slightly re-branded.
As has been the case for years, phishing has been the most prevalent threat during the pandemic. With the drastic effect COVID-19 has had on the daily lives of people and their need for information, these phishing campaigns have snared more victims than previous ones.
An Opportunity for Threat Hunting
A silver lining to the new operating environment is that it presents a rare opportunity for cyber threat hunting. With the reduced level of user activity on many networks, there’s less network noise and generally benign “chatter” in which malicious software and communications can hide. With the noise level lowered and user activity no longer having the same baseline, now is the perfect time to hunt for potential compromises that might already be present in networks. Most advanced adversaries like to blend into the noise, but with this sudden change in the environment, detecting them can be easier. For example, automated malware infections or implants designed to beacon out and automatically exfiltrate collected information stand out even more now as anomalous behavior.
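As an added example (not code from the original post or from Novetta), the script below shows the kind of beacon-regularity check a hunt like the one described above relies on: per source/destination pair it measures how evenly spaced the outbound connections are and flags pairs whose interval barely varies. The log format, hostnames, IPs and thresholds are all constructed for the example.

```python
"""Flag periodic outbound connections ("beaconing") in constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real data): "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# One host talks to news.example.test at irregular, human-driven intervals and to
# updates.example-cdn.test every ~300 s with almost no jitter, like an implant check-in.
SAMPLE_LOG = """\
2020-04-20T09:00:00 10.1.2.3 updates.example-cdn.test 512
2020-04-20T09:00:05 10.1.2.3 news.example.test 8100
2020-04-20T09:05:00 10.1.2.3 updates.example-cdn.test 514
2020-04-20T09:07:41 10.1.2.3 news.example.test 22000
2020-04-20T09:10:01 10.1.2.3 updates.example-cdn.test 511
2020-04-20T09:12:09 10.1.2.3 news.example.test 1500
2020-04-20T09:15:00 10.1.2.3 updates.example-cdn.test 513
2020-04-20T09:20:00 10.1.2.3 updates.example-cdn.test 512
2020-04-20T09:25:00 10.1.2.3 updates.example-cdn.test 512
2020-04-20T09:31:17 10.1.2.3 news.example.test 9800
2020-04-20T09:33:02 10.1.2.3 news.example.test 4100
"""

def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps)."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(events, min_connections=5, max_cv=0.05):
    """Pairs with enough connections and near-constant spacing are beacon candidates."""
    flagged = []
    for (src, dst), stamps in events.items():
        if len(stamps) < min_connections:
            continue
        interval, cv = beacon_score(stamps)
        if cv <= max_cv:
            flagged.append((src, dst, round(interval), round(cv, 3)))
    return flagged

if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s (cv={cv})")
```

On a quiet network the thresholds can be tightened further, since fewer benign scheduled tasks compete with genuine implants for attention; known update and telemetry hosts are best allowlisted before reviewing the results.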
While there are new challenges introduced by the pandemic, the general approach to cyber defense has changed very little. Our playbook for reacting, containing, and investigating incidents remains primarily the same. Modifications have been made to accommodate the remote climate, and response times have increased in certain situations, but the methodology has largely stayed the same. Staying fluid and being willing to adapt to these new requirements has allowed incident responders to continue to succeed in their mission to defend their networks. Security teams will continue to incorporate lessons learned into their defensive approaches to protect networks and staff against evolving threats.
The author thanks Amanda Satterwhite, Brittany Argirakis, and Mark Kitchin for their contributions.