Hackers leverage times of crisis
As I am sure many of you out there are well aware, the Coronavirus (COVID-19) pandemic is in full swing. As a direct result, people have had to adjust their lifestyles significantly, and many organizations have made a rapid shift to accommodate a distributed workforce. As always, attackers are looking to take advantage of uncertainty in the midst of this unprecedented event.
In this blog post, I will outline some of the ways you can protect yourself as the number of Coronavirus-themed attacks increase.
Watch out for COVID-related phishing threats
The most significant cybersecurity threat you'll likely face from the global pandemic is some form of social engineering–most likely phishing attacks trying to convince users to submit credentials to gain access to the latest information on the virus, or convincing users to download and run a malicious document or file in order to gain access to their system.
As human beings, we're naturally curious, and we want more information–especially when a situation concerns us, or our family and friends. Naturally, social engineering seeks to take advantage of this curiosity, and attempts to leverage it for information and access. The ways to defend against phishing attacks and social engineering are many and varied.
Here are some security best practices you can implement
Let's discuss some security measures that will help you defend your assets and co-workers:
Stay informed using official sources
In the case of our current situation, the Center for Disease Control, World Health Organization, National Institute of Health, and the John Hopkins Coronavirus map, are some of the most authoritative sources you should be getting your information from with regards to the COVID-19 pandemic. Getting your information from official sources also has the added benefit of defeating disinformation spreading through social media. Remember to be critical of rumors or statements circulating through social media until they are confirmed (or denied) by official sources.
This is a list of CertStream SSL certificate requests for domains that have some variant of "Coronavirus" or "COVID" in their domain name. Notice how many of them are popping up in a VERY short period of time. As the text file mentions in the comments, not all of these domains are malicious, but none of them–save maybe the .edu and/or maybe the .gov top-level domains–should be considered to be official sources of information.
There is a mind-boggling number of new domains surfacing, surrounding the Coronavirus pandemic. Practically none of them have your best interests at heart.
Have a don't trust, always verify mindset
A lot of phishing lures rely on you either clicking on a link or downloading and running a file if you want more information or access to resources regarding an event.
For example, there were attacks featuring some variant of the John Hopkins Coronavirus map. So long as you have something resembling a modern web browser, the John Hopkins tracker works perfectly fine without the need to download additional software.
Questions to ask yourself when receiving (virtual) information
1.) Is the contact or information coming from an official source?
Who is the data coming from? Check email headers. If it's a social media account, does the organization have an official online presence?
2.) Is it coming from someone you know and trust?
Was it from a friend or a domain that you get email or newsletters from? Looking back at the phishing email listed above, do you know "Dr. Stella Chungong?" Did you solicit any information from them?
3.) Can you reach out to the source directly and confirm its legitimacy?
Let's assume that you do know a Dr. Stella. Can you reach her to confirm she sent you an email with important information attached?
4.) Does the source often send you emails with attachments?
Does it seem odd that this source is tryign to get you to open an attachment? If the party you typically communicate with suddenly changes their method of communication without telling anyone, err on the side of caution.
Limit or avoid emails with attachments
Consider moving to workflows that don't accept–or heavily discourage–emails with attachments.
There are a wide variety of cloud storage options where users and business partners can simply store files in the cloud and allow access to specific users, users with a link, and/or allow the file access to expire after a certain period of time (for instance, LiquidFiles has all of these capabilities, and so much more).
If you train your workforce to not utilize email attachments (or otherwise minimize their use/acceptance from external sources), then you are seriously reducing your phishing attack surface.
Keep your user community educated
Keep in contact with your users, let them know that the amount of Coronavirus-themed malware is on the rise, and provide them with links to official resources they can utilize to learn more as necessary. Discourage the use of other sources, encourage the reporting of suspicious emails, asking users to download files, or visit websites and put in their credentials. Let them know the security team isn't there to punish anyone, but you're there to help protect them!
Remote access recommendations
Many organizations have been scrambling to provide work from home capability to all positions that can be done remotely in order to help support one of the primary efforts that can hamper the spread of this highly virulent disease: social distancing.
In spite of the mountains of pain your user community and technical support staff are sure to be facing in this rapid transition, this temporary pain is absolutely worth it for the safety of not only your workforce, but also their families and the immunocompromised.
All that being said, there are things you can do to make implementing work from home and VPNs a little less painful:
VPN log collection and geographical monitoring
If you aren't already, start collecting VPN logs and start monitoring for 'geographically improbable access,' or login location anomalies.
You can collect VPN logs, and the vast majority of the time, those logs are going to have a source IP address that identifies the public IP address a login attempt came from, as well as a username associated with that IP address so you know who logged in from where. You can use IP geolocation to indicate approximately where the login originated.
What is the relevance of this information? You can use it to determine if a user's VPN credentials have been compromised. How? Let’s try an example:
Imagine you have logs for a few days that show user TinkerTom logging in from Las Vegas, Nevada. Tom logs in every day at 8am (pacific). You also notice that the login source IP addresses are from an ISP's IP address allocation for that region of Nevada.
One day, you notice that there is a login at 2AM from an IP address in Germany, followed by another login at 8am pacific back in Las Vegas. There is no way physically for TinkerTom to make it all the way from Germany to Las Vegas in such a short timeframe. Even if there is, it's highly unlikely for Tom to have traveled that quickly and logged in from those two entirely different geographic locations.
That is why we call it geographically improbable access. There are queries you can run against your VPN logs with Splunk that can detect this kind of anomaly and notify you when it happens. From there, you can perform detective work and ask if TinkerTom took an impromptu overnight round-trip to Germany, and/or if they brought their work laptop with them to log in.
Another (albeit unfortunate) thing to consider in our current situation, is that the geographical location should NOT be changing at all due to the global quarantines and lockdowns in place. Therefore, if you see any logins that deviate AT ALL from an established pattern and location for a particular user, then that should serve as an instant red flag to investigate it further.
VPN Split Tunneling
Unless you want to experience network pain beyond measure, consider implementing split tunneling on your VPNs.
Implementing and configuring VPNs is something of an arduous process. But before we go on, let’s clarify what the difference is between Split vs. Full Tunnel VPNs.
Think of it like this: a split tunnel VPN says "Unless the traffic is destined for an intranet resource that requires VPN connectivity to access, then just forward it to the internet out of whatever network the end user happens to be coming out of."
What that means is all of your user's non-business, non-essential, non work-related traffic is going to be routed out of their local network and directly out to the internet. On the other hand, a Full Tunnel VPN says "grab all of the traffic coming out of this client, forward it through our VPN, and then let the remote network handle routing to the destination from there." Here is an excellent video I found on youtube that illustrates the differences between Split vs. Full Tunnel VPNs.
If time, bandwidth, and the number of connections your VPN concentrators could support (for the foreseeable future) were limitless, I'd say implement full tunnel VPN so that all of your users on the VPN could benefit from your IDS/IPS, Proxy, and/or DLP security measures before allowing that traffic to go elsewhere.
Unfortunately, we live in the real world, and many companies have been thrust into allowing their users to work remotely, and rather quickly at that. A lot of technical support teams are understaffed, the VPN equipment and bandwidth resources are limited, and in some cases, the IDS, proxy, and/or DLP solutions aren't there or are severely limited in the amount of traffic they can handle. As such, it is recommended that you utilize a split tunnel VPN to limit the network load for your very busy VPN equipment, and reduce the overall bandwidth utilization.
We at Hurricane Labs would like to recognize IT staff and technical support for rising to the occasion, helping users around the world transition to safely working from home, allowing us some small measure of success in helping to flatten the curve around the world. We hope that these tips and recommendations will help make the transition a little bit easier, allowing you to remain vigilant in protecting your user community and keeping your services operational. Remember to keep those who do not have the option of working remotely in your thoughts. Please stay safe.