Meeting the Security Challenges of a Global Pandemic

March 23, 2020 • Monica Todros

The COVID-19 global pandemic has set us all back on our heels, as we make adjustments to our day-to-day lives and prepare for what is yet to come. The situation is evolving quickly, and when it comes to security, there are a number of concerns — starting with the massive shift for many to working from home. Add to that the general feeling of unease that comes with so much uncertainty, along with threat actors who are all too willing to take advantage of the situation.

Allan Liska is a threat intelligence analyst at Recorded Future, and he returns to our show with some practical advice for staying safe and protecting your organization during this time.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 151 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

The COVID-19 global pandemic has set us all back on our heels, as we make adjustments to our day-to-day lives and prepare for what is yet to come. The situation is evolving quickly, and when it comes to security, there are a number of concerns — starting with the massive shift for many to working from home. Add to that the general feeling of unease that comes with so much uncertainty, along with threat actors who are all too willing to take advantage of the situation.

Allan Liska is a threat intelligence analyst at Recorded Future, and he returns to our show with some practical advice for staying safe and protecting your organization during this time. Stay with us.

Allan Liska:

This is a unique situation. We’ve been through massive technology mobilizations before. For example, the year 2000, when that flip happened, there was an all-hands-on-deck approach to addressing the problem. But this is a completely different problem, because instead of bringing everybody together, we’re basically separating everybody, often for the first time, which is creating a lot of unprecedented problems.

Dave Bittner:

And how do you see those playing out? What are some of the things that are top of mind for you?

Allan Liska:

Well, we’re seeing a couple things. Obviously, we know that attackers have ramped up their use of coronavirus- or COVID-19-themed lures in their email, and they’ve been highly successful with that. I’ve read statistics from DomainTools, that one campaign in Italy they were tracking, got a 10 percent click-through rate, which is unheard of, for any sort of phishing lure. And it’s because people, they don’t know what’s going on, they don’t have enough information, they’re glued to their TV sets, and they’re fascinated by this.

Well now we take the same thing with a newly-minted remote workplace, and we’re seeing the same kind of activity ramp up. So we’re really dividing this into two kinds of threats, technical exploitation and organizational exploitation. And the reason we’re doing that is that we’re seeing both kinds of attacks on the rise.

So when I talk about technical exploitation, a lot of the common telework applications, such as Zoom, Citrix, Slack, Skype, have long been targeted by threat actors looking for vulnerabilities, or taking advantage of existing vulnerabilities to exploit. But when those applications primarily resided behind your corporate firewall, they weren’t as big of a threat.

Now we’ve moved everybody outside of the corporate firewall, and often on their own home computer. So if you’re an organization that didn’t have a telework policy before, you may have sent employees home and said, “Okay, connect in with your laptop or your home computer, instead of using the corporate network.” So not just outside of the corporate firewall, but outside of the corporate endpoint control, et cetera. So we’re definitely seeing a rise in those kinds of attacks. We’ve been tracking that over the last 90 days, and it’s definitely risen.

But then also, phones are being targeted as well. We know that, of course, when we talked about COVID-19, there was the CovidLock ransomware, which purported to be a coronavirus map application for Android, and turned out it was ransomware. But we also know that there’s more and more Android malware that looks to steal things, like Google authenticator codes. And many organizations rely on Google authenticator for two-factor authentication. So we wind up seeing a growth in that kind of activity.

And then we also see direct attacks against VPNs. So we’ve seen, very specifically, a rise in DDoS attacks against VPN providers. So we’ve noticed that. And then the government Cybersecurity and Infrastructure Agency, CISA, also released a brief on the rise in these attacks. We know that ransomware actors, such as REvil, have been looking to attack pulse VPN connections, in order to gain access. So that technical access of the home user, because of this extended telework that’s going on, means that these actors could now have direct access into corporate networks that they may not have been able to get into before.

Dave Bittner:

In terms of the actual infrastructure itself, thinking about our connectivity at home, we’ve got all of these people who are suddenly making use of their home internet connections during the day, many of them using relatively high bandwidth applications, everything from conferencing things, those sorts of things. I imagine that we’re seeing a bump up in things like Netflix and YouTube. Has there been anything that you all have been tracking, or any indication that the basic infrastructure of the internet itself is under strain, or does it seem like we’re able to handle the shift in traffic?

Allan Liska:

Interestingly, for the most part, I haven’t seen anybody complain about internet infrastructure. In fact, many internet providers have, during this period, have actually lifted their bandwidth cap that they may have. So I know Spectrum has, Comcast has, and a few other providers around the country, have actually lifted bandwidth caps. So I think we’re okay. It’s one of the nice things about having gone to a largely fiber infrastructure. I think we’re probably okay, in terms of bandwidth, for most locations. What will be interesting is how rural providers adapt, especially ones that are relying heavily on wireless rural technologies, because that doesn’t have the same capacity that fiber infrastructure does.

Dave Bittner:

Right, right. I think also about if we have to shift to having kids learning from home. I know we’ve got colleges that are already well underway with that. How do you deal with that digital divide, of some kids having access to that, and maybe not everyone having it. I can’t help thinking about the old rural electrification program. Do we need something like that for internet connections?

Allan Liska:

So I know in my school district in Northern Virginia, they’re making mobile hotspots available, free of charge, to families that don’t have internet connections at home. Now, obviously a mobile hotspot isn’t going to provide the same level of connectivity as fiber, but it still gives students who need it access. And I realize that in Northern Virginia, we have the money to be able to do that. And a lot of poor school districts won’t be able to do that, which unfortunately will continue to highlight that digital divide between different parts of the country.

Dave Bittner:

So if I am that person at my organization who is in charge of keeping things secure, and suddenly I’m faced with a huge percentage of my workforce working from home, they are outside of my firewall. They’re outside the moat. I can no longer pull up the drawbridge. How do I prioritize handling that shift? What sorts of things should I be working on?

Allan Liska:

Well, and that leads directly to the second point in this, is that organizational chaos is ripe for abuse by threat actors. So as you say, you may be in charge of implementing how do I do a remote workforce. And normally, this is something that you’d have months, or even a year to plan out, and go on, and get implemented. You’ve had to do this in a week. There are going to be mistakes. There are going to be holes. There are going to be problems that people run through, and that is going to create other problems.

Obviously, you’ll have support problems, because you’ll have an overwhelmed support staff that is suddenly fielding 10, 20 times more calls than they normally do. You’ll also have employees that have trouble getting things set up, and so they may try to do workarounds, which means you could expose sensitive data.

So let’s say that my boss needs me to get them a document, and I can’t get the VPN working to upload it to the shared file server. So I say, “Fine, I’m going to send this over to you on Google Drive, using my Gmail account.” And the same password I use for Gmail, I also used for Marriott, and that was exposed in a breach. And now, with password reuse, somebody has access to my Gmail account and can get those sensitive documents, or I put it in the wrong place, or I used the wrong permissions, so I allow anybody to access it, et cetera. So there’s all kinds of potential problems there.

And then, as with the COVID-19 example, because of all the confusion and uncertainty, employees may actually be more likely to click on a phishing email, especially one that purports to be from your IT team, because right now you’re probably expecting a lot of communication from your IT team. So you get an email that says, “VPN instructions. Open this word document.” So you open it, and it turns out you’ve installed something malicious on your desktop, that now connects in. So those are some of the problems that will certainly pop up.

The best thing that you can do, to answer your original question, is have a very well-documented plan, that’s communicated as early as possible, and then have backup plans if those don’t work. So in other words, send out to your newly-minted workforce, “Here are the steps you need to do to get connected. Only follow advice that comes from this specific email address. Ignore anything that is [email protected], or anything like that.”

So warn people that these may be coming. And then have a backup plan also listed, in that if for some reason, you can’t get this to work, and you can’t get the support, and it’s a high priority item, these are the acceptable backup options, and these are the precautions that you need to take. So you do need to be adaptable in security and IT right now, understand the real-world problems that people are having, and give them paths to be able to continue to do their job securely. Because everybody wants to continue to work. I don’t see very many people taking this as an opportunity to use it as extra vacation time, or whatever. And so you want to give them the tools they need to do their job, and feel confident that they’re doing it in a secure way.

Dave Bittner:

I think for a lot of organizations, this has been a bit of a wake-up call, in terms of their planning for adversity. For example, I know at our organization, when we were getting together, the leadership team, and talking about possible scenarios, one of the things we realized was that we were really designed around one person getting sick, and having someone to be able to fill in for them. And we really hadn’t thought through how deep the bench is? What happens if half your team isn’t available? Maybe they’re sick, maybe they’re taking care of someone who is sick. We were happy to have that realization before we needed to have it, but I would imagine that’s a conversation that’s going on all over the place right now.

Allan Liska:

Oh, absolutely. And one of the things that I recommend is, if I’m in IT and security right now, I am actively recruiting employees that have some level of technical savvy. In every department, there’s that one person that knows the infrastructure really well, but they’re not part of the IT or security team, and they’re the go-to person if you need the video conference figured, or you need to connect to your printer. You reach out to them before you reach out to the printer.

I recommend reaching out to those people, and effectively deputizing them, and saying, “Okay, you’re going to be a point of contact officially for security.” Give them everything they need to be empowered to help people out. And they can help answer a lot of these questions, and you can even point them out and say, “Hey, if you have an immediate question, and you can’t get a hold of IT, see if you can reach out to so-and-so. She might be able to help you with some of these things and get started.”

Dave Bittner:

What about some of the human factors here? I mean, as you and I are recording this, I think it’s fair to say we’re still at the leading edge of things here in the United States. We don’t have that many people who are, for a variety of reasons, unavailable. And as we shift into that mode, should it happen, there’s going to be a human toll. There’s obviously the people who are sick, but also there’s going to be an emotional toll on all of us. Do you have any words of wisdom, or thoughts on, from a leadership point of view, dialing in expectations of your workforce?

Allan Liska:

That’s not really my area of expertise. I can tell you some of the things that we’re doing to help with a lot of these is, have a clear outline of what the policy is for taking time off if you need it. Encourage people to take time off. Even though we’re working from home, encourage people to shut things down at the end of the day. Turn off Slack, turn off email, all of those things that keep you connected to the office, so you can get that separation.

I know we’ve set up a weekly meditation, remote meditation meeting, where you can just sit and be quiet with everybody for a few minutes. And we’re doing a lot of fun things as well, sharing, “Hey, what books do you want to read?” Or having Cribs, where everybody shows off what their workspace looks like, or whatever it is they want to do.

Dave Bittner:

Right, right. We’ve been sharing pictures of our pets with each other.

Allan Liska:

Yeah, right. Sharing pictures of your pets, that’s another great one. All of those things that will help encourage employee morale, because we’re going to need to keep morale up. That’s really important, to keep people working. Honestly, to keep them away from 24/7 news, and all those other things, that if you’re watching that obsessively right now, which I know a lot of us are, that doesn’t help your mental state.

Dave Bittner:

Yeah. I want to wrap up with you by touching on one of the sort of, I don’t know how to describe it, an oddball bit of news that came through from, this is courtesy of the folks at BleepingComputer, that some of the ransomware gangs have agreed to stop attacking health organizations during the pandemic. I guess, thanks?

Allan Liska:

I saw that, and my reaction was, we know there was a huge uptick in ransomware attacks in Italy over the last few weeks, focusing on coronavirus-themed phishing. So I feel like it’s somewhat disingenuous. Okay, great. Maybe you’re not attacking healthcare organizations, but you’re still taking advantage of people that are going through probably the worst time ever in their lives, by trying to steal money from them when the economy’s already in a complete free fall. So from my perspective, you don’t get any sympathy. And if this weren’t a PG-rated show, I’d have much … You can check my Twitter feed for my unfiltered thoughts on this particular level of outreach.

Dave Bittner:

Yeah, fair enough. Fair enough. All right. Well, Allan Liska, take care of yourself, my friend. Thanks for taking the time for us, and I look forward to chatting with you again soon.

Allan Liska:

It’s always a pleasure to chat with you, and same to you. Take care of yourself. And I like following you on Twitter, because you’ve got all kinds of fun things to keep me distracted.

Dave Bittner:

All right. Our thanks to Recorded Future’s Allan Liska for once again joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

New call-to-action

Related Posts

The Essential Skills of Evaluating and Communicating Risk

The Essential Skills of Evaluating and Communicating Risk

May 25, 2020 • Monica Todros

Our guest is IT risk analyst James Dawson James provides advice to global organizations on the...

Making the Framework for Threat Intelligence Easy

Making the Framework for Threat Intelligence Easy

May 18, 2020 • Monica Todros

Our guest is Chris Cochran, threat intelligence and operations lead at Netflix, and co-host of the...

Planning for Resilience Amid Global Cyber Threats

Planning for Resilience Amid Global Cyber Threats

May 11, 2020 • Monica Todros

Our guest is Adeel Saeed, veteran cybersecurity expert, technologist, and former CISO at State...