The COVID-19 pandemic has presented a host of new, unique challenges for security teams across the world, writes Fabian Libeau, EMEA VP at RiskIQ. The digital revolution happened quickly, but with the outbreak of COVID-19, it has suddenly gone into hyperdrive.

Indeed, personnel who are being forced to work from home have dispersed entire businesses and their operations, and have moved the perimeters of their organisation’s digital attack surface with them all over the globe - widening the protection gaps.

The inevitable decline in security

As a result, security protocols have completely changed in a matter of weeks - firewalls, data loss prevention (DLP), and network monitoring are far less effective than they were a few weeks ago. Attackers now have far more access points to probe or exploit, with little-to-no security oversight, and are exploiting the global anxiety around the outbreak. Indeed, there has been a surge of attacks in recent weeks - and they continue to increase in volume each day. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations.

To mitigate these threats, cybersecurity communities need to work together, pool their resources and enable one another to defend their organisations during this period of uncertainty and heightened danger; it also requires immediate action by security teams.

COVID-19: the rising threat

Criminals have always found success using disasters and global epidemics in cyberattacks - such as Ebola, Zika and SARS - and COVID-19 is no different. Bad actors have developed a distinct pattern, with the only significant difference from one outbreak to the next being improvements to their attack tools. They execute layered attack campaigns, first using phishing and social engineering to infect users with malware, then taking over the entire system with ransomware or other forms of malware. With COVID-19 now a top concern worldwide, that pattern is continuing.

The UK National Cyber Security Service (NCSC), which is part of the Government Communications Headquarters (GCHQ), recently reported that it removed more than 2,000 online coronavirus scams last month, and it has also launched a ‘Cyber Aware’ campaign to combat cyber security threats.

The coronavirus scams taken down include 471 fraudulent shops, 555 malware distribution sites set up to cause significant damage to any visitors, 200 phishing sites seeking personal information - such as credit card details - and 832 advance-fee frauds, where a large sum of money is promised in return for a set-up payment.

RiskIQ’s own analysis has also seen a spike in threat infrastructure related to the COVID-19 pandemic that attackers are using to social engineer victims. When analysing its spam box feed for the period of 18th April to 20th April 2020, the company found 315,508 spam emails containing either ‘corona’ or ‘covid’ in the subject line, with 20,997 unique subject lines observed during the reporting period. The spam emails originated from 10,734 unique sending email domains and 18,274 unique SMTP IP addresses.
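To show how the metrics above are derived from a spam feed, here is an added example (not RiskIQ’s code) that filters raw messages on the subject keywords and counts unique subjects, sender domains and SMTP IPs; the messages, addresses and IPs are constructed placeholders, and the SMTP IP is taken from the outermost Received header, which is an assumption about the feed format.

```python
"""Added example: reproduce spam-feed metrics over constructed messages."""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

KEYWORDS = ("corona", "covid")          # matched case-insensitively in Subject
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (documentation-range IPs and .test domains).
SAMPLE_MESSAGES = [
    "Received: from mail.example-a.test [203.0.113.10]\nFrom: Relief Fund <help@example-a.test>\nSubject: Urgent COVID-19 relief payment\n\nbody",
    "Received: from mx.example-b.test [198.51.100.5]\nFrom: Clinic <alerts@example-b.test>\nSubject: Coronavirus test kits in stock\n\nbody",
    "Received: from mail.example-a.test [203.0.113.11]\nFrom: Relief Fund <help@example-a.test>\nSubject: Urgent COVID-19 relief payment\n\nbody",
    "Received: from mx.example-c.test [192.0.2.77]\nFrom: Shop <sales@example-c.test>\nSubject: Weekly newsletter\n\nbody",
]

def smtp_ip(msg):
    """Outermost Received header records the IP the message arrived from."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None

def sender_domain(msg):
    """Domain part of the From address, lower-cased; None if unparseable."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None

def spam_feed_metrics(raw_messages):
    """Count keyword-matching messages and their unique subjects/domains/IPs."""
    matching = 0
    subjects, domains, ips = set(), set(), set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = str(make_header(decode_header(msg.get("Subject", ""))))
        if not any(k in subject.lower() for k in KEYWORDS):
            continue                     # not a corona/covid-themed subject
        matching += 1
        subjects.add(subject.strip())
        domain, ip = sender_domain(msg), smtp_ip(msg)
        if domain:
            domains.add(domain)
        if ip:
            ips.add(ip)
    return {"matching": matching, "unique_subjects": len(subjects),
            "unique_sender_domains": len(domains), "unique_smtp_ips": len(ips)}

if __name__ == "__main__":
    print(spam_feed_metrics(SAMPLE_MESSAGES))
```

On the sample, three messages match, with two unique subjects, two sender domains and three SMTP IPs; the same sender domain appearing from several IPs is the kind of divergence the reported figures show at scale.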

Having intelligence around COVID-19, particularly the cybersecurity challenges organisations are already facing amid the pandemic, will help inform the decisions of security teams who face new requirements during these unprecedented times. While cybersecurity communities must come together to ensure businesses are able to effectively discover unknowns about their environment and investigate threats, there are also a number of considerations security teams must take into account in order to put their best foot forward in fighting this pandemic.

1. Be prepared for a boost in shadow IT

Shadow IT refers to applications and infrastructure that are created and managed without the knowledge of the enterprise's IT department or security team. As businesses stand up new external assets to enable customers and a remote workforce - including websites, web portals, mobile apps, and more - security officers must ensure that they are continually tracking them all. Having a running, continually updated inventory of everything connected to the organisation outside of the firewall will be crucial because attackers will be looking for them, too. Knowing their targets’ defences are spread thin, they will search for unknown, unprotected and unmonitored digital assets. After all, it just takes one for them to get access and move laterally across an organisation’s network.

2. Remote access points must be located and identified

The benefit of working remotely is that employees can get their work done from anywhere, thanks to the increased interconnectedness of modern technology. Yet, while it is possible to work from home, proper network security for remote employees is just as important as a secure network within the office building. It is essential that security teams are able to scan quickly for access points across an organisation’s network, to know who has access and where it is coming from.

3. Try and pinpoint configuration errors

With the sudden need for most workforces to work remotely, with as little loss in productivity as possible, IT teams are standing up new systems quickly - but this can come at a cost. Indeed, they might make sure all the patches are applied but, at this pace, they are likely making mistakes. It is important that businesses have a full inventory of systems associated with the organisation so that they can scan them for misconfigurations and help build a secure external network that gets business done outside the office. 

4. Find and secure cloud assets and services

Remote workforces will leverage the cloud more than ever. As more systems are stood up in the cloud or moved there in the coming weeks, it will be crucial to have a full inventory of cloud assets to determine ownership, as well as what is potentially accessible to attackers, such as orphaned, abandoned and shadow IT assets.

5. Detect malicious, rogue assets

Bad actors are taking full advantage of the global anxiety over COVID-19 and the confusion and challenges it is causing businesses. Scams, phishing, and malware campaigns that leverage brands and impersonate business infrastructure to fool customers and employees will run rampant if left unknown. Organisations must have situational awareness of these attacks, and access to internet-wide visibility to detect new infrastructure targeting them so they can neutralise the threat before it causes damage. 

6. Prepare the WFH-force

With the rise in cybercriminals targeting employees working from home, there are a number of actions employees should be taking to keep themselves and their company safe. Whether it is ensuring passwords are secure, making sure that employee Wi-Fi routers are secure, or defining a strategy if a security breach were to happen, these steps will all best prepare remote workers. It’s also important to make sure that any VPN solutions are patched and up-to-date. Last year, the NCSC reported that Advanced Persistent Threat (APT) actors were exploiting vulnerabilities in multiple enterprise VPN solutions. Attacks on vulnerable VPN solutions will likely increase apace with the growth in usage.

There is no time to waste - and visibility is key

Without ensuring network and computer system security, employers run the risk of breaches for both their remote employees and their corporate headquarters. What’s more, since COVID-19 has encouraged a surge by cybercriminals looking to use this time of uncertainty to launch attacks, a lack of security is especially critical now.

By reviewing and continuously monitoring their external attack surface, organisations will gain visibility into digital risks that can be proactively addressed. When brands understand the anatomy of their attack surface - or, in other terms, what they look like from the outside-in - they can begin developing a digital threat management strategy that allows them to discover everything associated with their organisation on the internet, both legitimate and malicious, and gain an accurate view of the risks and exposures in our new, ever-expanding digital world brought on by COVID-19. However, bringing the massive scope of an organisation’s attack surface into focus is no easy task.

For businesses, most of the attack surface is comprised of assets belonging to three categories. First are the legitimate assets, which belong to the company and fall under the purview of its IT and security teams. The second category comprises assets spun up by partners or employees without the knowledge of the IT and security teams, which are known as shadow IT. Third is a rapidly growing category known as ‘rogue assets’, which attackers create to mimic legitimate businesses and target their customers in the wild. These phishing sites, fake mobile apps, and command and control servers are nearly impossible to detect at scale with traditional tools.

Education and technology to fight the pandemic

With the new reality of people working from home and increased digital engagement across multiple platforms and channels, more users are sitting outside the perimeter than ever before - along with an increasing number of exposed corporate digital assets - and so are the majority of the malicious actors, all looking for opportunities to exploit global pandemics such as COVID-19. As such, cybersecurity communities not only need to come together to help educate on the vulnerabilities and risks associated with COVID-19, but companies across the globe must adopt security technologies and strategies that encompass the current situation.