Threat Update: COVID-19
By Matthew Valites, Cisco Talos
March 26, 2020
The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
What is Talos doing about it?
We have observed three broad categories of attacks leveraging COVID with known APT participation in each of these categories:
Talos continues to monitor attacks leveraging COVID themes. We are aggressively detecting and blocking malicious domains, spam and phishing attacks. Additionally, we're sharing information with customers and partners via our AEGIS program, intelligence partnership with law enforcement and government organizations, and the Cyber Threat Alliance (CTA). Customers with a Cisco Talos Incident Response (CTIR) retainer may also receive actionable threat intelligence as it relates to COVID-related information as we uncover it. For customers wanting a more direct engagement, the CTIR retainer can also be used for consultation directly with our intelligence analysts to address concerns about the pandemic-themed attacks as they apply to their environment. We also recommend that our customers review their IR plans and associated playbooks so they are prepared for worst-case scenarios before they happen, and to practice those plans and playbooks via tabletop exercises.
What should users do?
Working from home presents its own, and sometimes new, set of security concerns. Employees should continue to be wary of unsolicited emails they receive that contain attachments or embedded links relating to the pandemic. Talos has observed an overall decline in the volume of malicious email since the end of January, likely due to a combination of the Necurs botnet takedown and Emotet's recent spam holiday. That being said, spam and phishing campaigns are significantly increasing their use of COVID themes. This activity is likely to continue until the news cycle changes.
The same precautions employees would otherwise normally take while in the office should be taken while working from home. Lock your screen while away from the device. Use only trusted and secure WiFi access points. Practice sensible data hygiene and keep corporate data on corporate-protected assets. Additionally, avoid using your corporate devices for personal usage.
What should businesses do?
Businesses should prepare for the COVID pandemic by focusing on adapting to a new borderless environment. This includes improving the IT, visibility, and response controls listed below. Organizations can leverage NIST SP 800-46, which provides a framework for enterprise teleworking and remote access. Additionally, companies should make sure employees are security-aware and can identify, avoid, and report suspected malicious activity associated with the pandemic. Targeted and mature security organizations should track the relevant threat actors leveraging the COVID pandemic.
From an enterprise security perspective, Talos recommends focusing on the following key areas:
Remote access
Do not expose Remote Desktop Protocol (RDP) to the internet. Use secure VPN connections with multi-factor authentication schemes, such as Cisco Duo. NAC solutions can also be leveraged to ensure that systems attempting to remotely connect to the corporate environment meet a minimum set of security standards (anti-malware protection, patch levels, etc.) prior to granting them access to corporate resources. Continually identify and remediate access policy violations.
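The "do not expose RDP" and "continually identify policy violations" points above are the kind of check that is easy to automate against a firewall or cloud security-group export. The following is an added example, not code from the original post or from Cisco Talos: it audits a constructed list of inbound rules and reports every rule that lets an untrusted source reach port 3389, including rules that expose it through a wider port range or an "any protocol" rule. The rule format, the `TRUSTED_SOURCES` list (RFC 1918 and ULA ranges plus a documentation prefix standing in for a VPN concentrator) and all rule IDs and addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389  # RDP listens on TCP 3389 and, on newer Windows builds, UDP 3389 as well

# Constructed sample: the only sources that are allowed to reach RDP at all. RFC 1918 and
# ULA ranges stand in for the corporate LAN; 198.51.100.0/24 (a documentation prefix)
# stands in for the VPN concentrator's egress range. Everything else is "the internet".
TRUSTED_SOURCES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "198.51.100.0/24",
]

# Constructed sample: a simplified export of inbound firewall / security-group rules.
# Each rule permits `proto` traffic from `source` to ports from_port..to_port.
SAMPLE_RULES = [
    {"id": "sg-rule-1", "proto": "tcp", "from_port": 443,  "to_port": 443,   "source": "0.0.0.0/0"},
    {"id": "sg-rule-2", "proto": "tcp", "from_port": 3389, "to_port": 3389,  "source": "0.0.0.0/0"},
    {"id": "sg-rule-3", "proto": "tcp", "from_port": 3000, "to_port": 4000,  "source": "203.0.113.0/24"},
    {"id": "sg-rule-4", "proto": "tcp", "from_port": 3389, "to_port": 3389,  "source": "10.0.0.0/8"},
    {"id": "sg-rule-5", "proto": "udp", "from_port": 3389, "to_port": 3389,  "source": "0.0.0.0/0"},
    {"id": "sg-rule-6", "proto": "tcp", "from_port": 3389, "to_port": 3389,  "source": "::/0"},
    {"id": "sg-rule-7", "proto": "any", "from_port": 0,    "to_port": 65535, "source": "0.0.0.0/0"},
]


@dataclass
class Finding:
    rule_id: str
    source: str
    reason: str


def source_is_trusted(cidr: str, trusted_cidrs) -> bool:
    """True only if every address in `cidr` lies inside one trusted network.

    A bare 0.0.0.0/0 or ::/0, or any public prefix not on the list, is treated as
    internet-reachable. Address families are compared separately because
    subnet_of() refuses to compare IPv4 with IPv6.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in trusted_cidrs:
        tnet = ipaddress.ip_network(trusted, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def find_exposed_rdp(rules, trusted_cidrs=TRUSTED_SOURCES):
    """Return one Finding per rule that lets an untrusted source reach port 3389."""
    findings = []
    for rule in rules:
        proto = rule["proto"].lower()
        if proto not in ("tcp", "udp", "any"):
            continue
        # Port ranges matter: a 3000-4000 rule exposes RDP just as surely as a 3389 rule.
        if not rule["from_port"] <= RDP_PORT <= rule["to_port"]:
            continue
        if source_is_trusted(rule["source"], trusted_cidrs):
            continue
        reason = f"{proto.upper()} {RDP_PORT} reachable from untrusted source"
        if rule["from_port"] != rule["to_port"]:
            reason += f" via port range {rule['from_port']}-{rule['to_port']}"
        findings.append(Finding(rule["id"], rule["source"], reason))
    return findings


if __name__ == "__main__":
    for f in find_exposed_rdp(SAMPLE_RULES):
        print(f"{f.rule_id}: {f.reason} ({f.source})")
```

Run against the sample, the audit flags rules 2, 3, 5, 6 and 7 and leaves the HTTPS rule and the LAN-only RDP rule alone. The design point is the explicit allowlist: deciding "internet or not" from an address's private/public classification alone would silently pass a partner's or a cloud provider's public range, whereas a rule that is not fully contained in a source you deliberately trust is exactly the access policy violation the text says to identify and remediate.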
Identity Management
Protect critical and public-facing applications with multi-factor authentication and supporting corporate policies. Verify that remote account and access termination capabilities work as intended in a remote environment.
Endpoint Control
Because many people may be working from home networks, endpoint visibility, protection, and mitigation using a solution like Cisco AMP for Endpoints is now more important than ever. Consider whether remediation and reimaging capabilities will work as intended in a remote environment. Encrypt devices where possible, and add this check to your NAC solution as a gate for connectivity.
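The Remote access and Endpoint Control sections both describe a NAC gate: admit a remote device only if it meets minimum standards for anti-malware, patch level and, where possible, disk encryption. The following is an added example of such a posture gate, not code from the original post, from Cisco Talos or from any NAC product: it evaluates constructed posture reports against a policy and returns an allow/quarantine decision with the reasons. The report field names, the policy thresholds and the fixed reference date (the date of this post) are assumptions for the example; the one behaviour worth copying is that a missing or unparseable attribute fails the check rather than passing it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed "now" so the example is deterministic (constructed reference point: the date of this post).
NOW = datetime(2020, 3, 26, tzinfo=timezone.utc)

# Constructed sample: posture reports as a NAC agent might submit them before a session is admitted.
SAMPLE_REPORTS = [
    {"device_id": "lap-001", "antimalware_running": True,
     "antimalware_signature_date": "2020-03-25T00:00:00+00:00",
     "last_patch_date": "2020-03-10T00:00:00+00:00",
     "disk_encrypted": True, "host_firewall_enabled": True},
    {"device_id": "lap-002", "antimalware_running": True,
     "antimalware_signature_date": "2020-03-01T00:00:00+00:00",
     "last_patch_date": "2020-01-15T00:00:00+00:00",
     "disk_encrypted": False, "host_firewall_enabled": True},
    # Agent reported no patch date at all: the check must fail closed, not crash or pass.
    {"device_id": "lap-003", "antimalware_running": False,
     "disk_encrypted": True, "host_firewall_enabled": False},
]


@dataclass
class PosturePolicy:
    max_patch_age_days: int = 30
    max_signature_age_days: int = 3
    require_disk_encryption: bool = True
    require_host_firewall: bool = True


@dataclass
class Decision:
    device_id: str
    action: str                       # "allow" -> corporate network, "quarantine" -> remediation-only VLAN
    failures: list = field(default_factory=list)


def _age_days(report: dict, key: str, now: datetime):
    """Days since the ISO-8601 timestamp stored under `key`, or None if missing/unparseable."""
    raw = report.get(key)
    if not raw:
        return None
    try:
        return (now - datetime.fromisoformat(raw)).days
    except (ValueError, TypeError):
        return None


def evaluate_posture(report: dict, policy: PosturePolicy, now: datetime = NOW) -> Decision:
    """Apply the policy to one report. Any missing attribute counts as a failure (fail closed)."""
    failures = []

    if not report.get("antimalware_running", False):
        failures.append("anti-malware agent not running")
    else:
        sig_age = _age_days(report, "antimalware_signature_date", now)
        if sig_age is None:
            failures.append("anti-malware signature date not reported")
        elif sig_age > policy.max_signature_age_days:
            failures.append(f"anti-malware signatures {sig_age} days old (max {policy.max_signature_age_days})")

    patch_age = _age_days(report, "last_patch_date", now)
    if patch_age is None:
        failures.append("OS patch level not reported")
    elif patch_age > policy.max_patch_age_days:
        failures.append(f"OS patches {patch_age} days old (max {policy.max_patch_age_days})")

    if policy.require_disk_encryption and not report.get("disk_encrypted", False):
        failures.append("system disk not encrypted")
    if policy.require_host_firewall and not report.get("host_firewall_enabled", False):
        failures.append("host firewall disabled")

    return Decision(report["device_id"], "allow" if not failures else "quarantine", failures)


def gate(reports, policy: PosturePolicy = PosturePolicy(), now: datetime = NOW) -> dict:
    """Map device_id -> action for a batch of reports."""
    return {d.device_id: d.action for d in (evaluate_posture(r, policy, now) for r in reports)}


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = evaluate_posture(r, PosturePolicy())
        print(d.device_id, d.action, "; ".join(d.failures) or "compliant")
```

On the sample, lap-001 is admitted, lap-002 is quarantined for stale signatures, stale patches and an unencrypted disk, and lap-003 is quarantined because its agent is not running, it reported no patch date and its firewall is off. Returning the full list of failures rather than a bare yes/no is what makes the remediation VLAN useful: the user (or a remote helpdesk) can see exactly what to fix before reconnecting.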
Data Management
Do you know where critical data lives, who has access to it, and how that data moves within (and now potentially outside) your environment? Organizations must ensure their remote workforce is enabled to share data securely and within policy. Monitor critical data moving outside of policy requirements. Lastly, make sure that your backup strategy considers how to back up off-premise data.
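"Monitor critical data moving outside of policy requirements" is, in practice, a detection rule run over the logs of whatever sees file movement (proxy, CASB, DLP or endpoint agent). The following is an added example, not code from the original post or from Cisco Talos: it parses constructed key=value log lines, applies a simple policy (confidential and internal data may only go to approved corporate destinations) and emits one alert per violation. The log format, the labels, the approved destination list and every user, file and host name are assumptions for the example. It also covers one failure mode practitioners get wrong: destination matching is done on DNS label boundaries, so a host that merely contains an approved name as a prefix does not pass.

```python
import re
from dataclasses import dataclass

# Constructed sample: destinations treated as "corporate-protected" for this example.
APPROVED_DESTINATIONS = ["corp.example.com", "partnerportal.example.net"]

# Labels whose movement is restricted to approved destinations.
RESTRICTED_LABELS = {"confidential", "internal"}

# Constructed sample log lines in a key=value format (as a CASB, proxy or DLP agent might emit).
SAMPLE_LOG = """\
2020-03-24T09:12:03Z user=alice action=upload file="q1-forecast.xlsx" label=confidential dest=drive.corp.example.com bytes=204800
2020-03-24T09:15:41Z user=bob action=upload file="customer-list.csv" label=confidential dest=files.personal-cloud.example.org bytes=1048576
2020-03-24T10:02:17Z user=carol action=email file="vendor-contract.pdf" label=internal dest=partnerportal.example.net bytes=51200
2020-03-24T10:30:55Z user=dave action=upload file="press-release.docx" label=public dest=paste.example.org bytes=8192
2020-03-24T11:05:09Z user=eve action=upload file="payroll.xlsx" label=confidential dest=corp.example.com.attacker-controlled.example bytes=409600
"""

# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    timestamp: str
    user: str
    file: str
    label: str
    dest: str


def parse_line(line: str) -> dict:
    """Turn `ts k=v k="quoted v" ...` into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["timestamp"] = ts
    return fields


def destination_approved(dest: str, approved=APPROVED_DESTINATIONS) -> bool:
    """Exact match or a subdomain of an approved name, compared on label boundaries.

    A plain substring test (`a in dest`) would accept corp.example.com.attacker-controlled.example.
    """
    dest = dest.lower().rstrip(".")
    return any(dest == a or dest.endswith("." + a) for a in approved)


def find_policy_violations(log_text: str) -> list:
    """Return one Alert per restricted-label transfer to a destination outside policy."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Data with no classification is treated as internal: the safer default when labelling is missing.
        label = ev.get("label", "internal")
        if label not in RESTRICTED_LABELS:
            continue
        if destination_approved(ev.get("dest", "")):
            continue
        alerts.append(Alert(ev["timestamp"], ev.get("user", "?"), ev.get("file", "?"), label, ev.get("dest", "?")))
    return alerts


if __name__ == "__main__":
    for a in find_policy_violations(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user} sent {a.label} file {a.file!r} to {a.dest}")
```

On the sample this raises two alerts: bob's confidential upload to a personal cloud service and eve's upload to the look-alike host; alice's and carol's transfers to approved destinations and dave's public document produce nothing. A real deployment would feed the alerts to the SOC queue and would tune `APPROVED_DESTINATIONS` from the organisation's actual sanctioned services, but the policy shape (label plus destination) is the part that generalises.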
Awareness training
Educate users regarding spam, phishing, SMS fraud, social engineering, and internal security engagement processes. A comprehensive employee awareness program will help ensure that employees are informed with regards to the proper use of corporate resources, even when working from remote locations. Existing CTIR customers who need additional assistance can leverage their retainers for readiness assessments.
Processes
Review response plans to identify any single-person points of failure and plan for what happens if that person is no longer available. Additionally, identify operational functions that currently require physical presence (forensics and data acquisition, endpoint re-imaging, etc.) and implement remote-capable workarounds.