As we start to emerge from the coronavirus lockdown, our Head of Threat Intelligence, Mark Slater, provides an insight into the most popular attack types and typical targets, the golden rules everyone should observe when working remotely and courses of defensive action that should be taken.
Is hacking growing due to remote working?
With a large number of people working from home networks which often lack the advanced security devices found within the corporate environment, this has increased the attack surface for cyber criminals to target.
Some workers may be using their own home computers to access corporate data with no guarantee that these devices conform to corporate standards in areas such as anti-virus or security patches. There is a risk an attacker may compromise a home-based worker’s computer and use this as a pivot point to gain access to the corporate network.
IT teams are now having to manage devices accessing corporate data from a large number of different locations and devices over which they have little or no control. Staff numbers in IT teams may be reduced making it more difficult to spot suspicious behaviour occurring, attackers already commonly carry out attacks during quiet periods such as weekends or holidays as they know they are less likely to be detected.
What attacks are proving to be the most popular with attackers?
Phishing emails are by far the most common entry method we see. These are often designed to trick a user into divulging their login credentials for a particular service (e.g. Microsoft Office 365). Once an attacker has obtained these credentials, they will be used to attempt to access corporate data, such as email. Many of these types of phishing attacks lead to an attacker attempting some form of fraud, invoice fraud is a common technique where an attacker will request payment details be changed on a genuine invoice.
The second most common attack we see is against services running within the corporate network which have been exposed to the Internet. The most common of these we see being targeted is the Microsoft Remote Desktop Protocol (RDP) where attackers attempt brute force attacks to try and login to the service by identifying weak credentials. There may be an increase in these types of attacks during the current period as organisations who had previously not offered staff a remote working method have exposed services such as RDP to the Internet to quickly allow access to home workers.
Which industries are proving to be the most likely attack targets?
We see attacks taking place across all types of organisations. Many of these attacks are carried out in an automated manner against a large number of targets with the intention a small number of them will be successful. Some industries, for example, financials, will always face more targeted attacks due to the increased potential gains for the cyber-criminal. No business should assume they won’t be the target of an attack, cyber-criminals will happily ransomware the small business making widgets as they would a nationwide chain of solicitors.
What are your recommended golden rules to help companies, and employees, stay safe?
Educate users on how to spot suspicious emails; a large number of attacks are initiated by exploiting humans, the weakest link in the security chain.
Ensure staff are using strong complex passwords which are unique to each service they login to. Password1 may meet the corporate password complexity policy, but isn’t going to offer much of a hurdle to an attacker.
Where possible enable a Two Factor Authentication (2FA) method on any internet-based services which users log in to. This will offer protection should a user’s login name and password be compromised.
Ensure Anti-Virus is installed and up to date on devices. If a user is using their home PC to access corporate data, verify they have an up to date Anti-Virus product installed, if not offer guidance on installing an Anti-Virus product or utilising in-built products such as Microsoft Windows Defender on Windows 10.
Ensure the latest security patches are installed, this is particularly important for any devices which are exposing services directly to the Internet.
Routers on home networks generally don’t have the same security features as corporate firewalls and may sometimes automatically expose devices on the home network to the Internet via Plug and Play technologies. Historically some brands of home routers have also had serious security vulnerabilities or have exposed a login page utilising default manufacturer credentials. In conjunction with users, it would be possible to identify any such devices which offer a substantial risk.
Patterns of what is classed as normal behaviour will have changed as more staff work remotely. Wherever possible monitor activity and look for suspicious patterns of behaviour, for example, if your users are all UK based look for remote access connections originating from outside of the UK. If your organisation utilises a Security Incident and Event Management (SIEM) these can help to spot these unusual patterns of behaviour.
What other defensive actions should be taken?
Although COVID-19 has caused a huge economic impact for many organisations worldwide, cyber-criminals see this as an opportunity to exploit the situation. Already many malicious email campaigns have been launched using a COVID-19 theme attempting to take advantage of peoples concerns at this difficult time.
Cyber criminals will also attempt to take advantage of the dispersed workforce which has weakened the IT teams’ control over devices accessing corporate data. By following the recommendations listed above, employees can greatly help reduce the risk of falling victim of a cyber attack during the current difficult period.