The COVID-19 pandemic has seen organizations increasing their dependency on digital tools and shifting the bulk of their workforce to work remotely. This has had a major impact on the cybersecurity threat landscape, with many organizations now facing new cyber threats and challenges.
Dealing with a ransomware attack during this situation could be a nightmare scenario. While the basics of protecting your organization won’t change during this pandemic, there are some additional challenges that should be considered.
Here are three challenges or threats your organization could face during this situation:
- Increase in COVID-19 themed lures that can deposit ransomware in your network. Some current ransomware lures include:
  - Information about vaccines, and sales of masks and short-supply commodities like hand sanitizer.
  - Financial scams offering payment of government assistance, or fraudulent donation websites that trick victims into submitting their internet banking details.
  - Suspicious links to download technology solutions in high demand, such as video and audio-conferencing platforms.
  - Critical updates to enterprise collaboration solutions and consumer social media applications.
- Revision and adaptation of preventative and detective controls to permit more flexible working practices.
- Security teams managing incidents in unfamiliar conditions such as lockdown or remote working.
Tactics and techniques during COVID-19 related attacks
Here are some common techniques that have been observed during this situation:
- Drive-by Compromise - Attackers gain access to a system by injecting malicious code.
- Exploit Public-Facing Application - Using vulnerabilities in internet-facing systems or applications, attackers run an exploit against a bug, glitch or design flaw.
- External Remote Services - Attackers gain access to an organization’s internal network through vulnerabilities (a bug or glitch) in remote services such as VPN, or by using valid accounts for those services.
- Spear Phishing Attachment/Link - Attackers use malicious attachments or links to infect targeted systems or to download malware onto end users’ systems.
- Valid Accounts - Attackers bypass the access controls placed on resources by stealing or reusing the credentials of a specific user or service account.
- Masquerading - Attackers manipulate the name or directory of an executable, legitimate or malicious, to evade defenses.
- Remote Desktop Protocol (RDP) - Attackers exploit poorly secured remote desktop services by logging into an interactive session with the desktop graphical user interface of a remote system.
- Exfiltration - Attackers steal data from networks without being detected, by infecting the victim’s system and by encrypting files.
- Data Encrypted for Impact - Attackers execute a malicious program that attempts to download and execute ransomware from a remote website onto the victim’s system.
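The RDP and Valid Accounts techniques above share a common detection opportunity: a burst of failed logons followed by a successful RemoteInteractive logon from the same source. The following is an added example, not part of the original article, that runs that check over a constructed sample of Windows Security events (event IDs 4625/4624 and logon type 10 are real Windows values; the event text format, account names and addresses are invented for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, event id, logon type,
# account, source address. 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2020-04-02T01:12:05 4625 10 finance-admin 198.51.100.23
2020-04-02T01:12:09 4625 10 finance-admin 198.51.100.23
2020-04-02T01:12:14 4625 10 finance-admin 198.51.100.23
2020-04-02T01:12:20 4625 10 finance-admin 198.51.100.23
2020-04-02T01:12:27 4625 10 finance-admin 198.51.100.23
2020-04-02T01:12:33 4624 10 finance-admin 198.51.100.23
2020-04-02T08:30:00 4625 10 jsmith 10.0.5.17
2020-04-02T08:30:20 4624 10 jsmith 10.0.5.17
"""

FAIL_THRESHOLD = 5            # failures before a following success is suspicious
WINDOW = timedelta(minutes=10)  # how far back failures count

def parse_events(text):
    """Parse the whitespace-separated sample format into tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), user, src))
    return events

def find_rdp_guessing_successes(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, src_ip, failure_count) for each successful RDP logon
    that was preceded, within `window`, by at least `threshold` failed
    logons from the same source against the same account."""
    failures = defaultdict(list)  # (user, src) -> timestamps of 4625 events
    alerts = []
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons
            continue
        key = (user, src)
        if event_id == 4625:
            failures[key].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((user, src, len(recent)))
            failures[key].clear()  # start a fresh count after a success
    return alerts

if __name__ == "__main__":
    for user, src, n in find_rdp_guessing_successes(parse_events(SAMPLE_EVENTS)):
        print(f"possible RDP credential guessing: {user} from {src} after {n} failures")
```

The single failure by jsmith followed by a success is normal behaviour and produces no alert; the finance-admin sequence does.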
Prevention, Detection & Response for Ransomware Attacks
It is clearer than ever that ransomware isn’t going away anytime soon. Should an incident occur, it is imperative that you keep pace with rapid changes while being clear on the priority actions that need attention in the first 72 hours.
Consider the following steps and practices for your organization during this evolving situation:
- Conduct a thorough Vulnerability Assessment & Penetration Testing (VAPT), especially on external-facing resources;
- Conduct Adversary Simulation Exercises (such as phishing exercises) that create realistic live scenarios/incidents for the Blue Team to detect and respond to, and that identify gaps in existing security solutions and processes;
- Conduct interactive red team and blue team training for the in-house IT team to improve their practical skills. Playing the role of an attacker can make your team better at defense;
- Conduct Tabletop Exercises for senior management so they are better prepared for critical decision making when such a crisis happens;
- Continuously perform Threat Hunting exercises to detect threats/attacks that have gone undetected by traditional security monitoring solutions;
- Integrate Threat Intelligence into existing security solutions, with a focus on ransomware;
- Conduct Cyber Security Awareness sessions for employees and third-party contractors on evolving cyber threats;
- Onboard an independent Cyber Incident Response service provider to be on standby to assist in the event of any cyber incident, performing containment, digital forensic analysis, remediation and recovery actions.
For more guidance on managing cyber incidents, visit www.kpmg.com.my/CyberResponse