Subscribe

Staying safe while working remotely

Issued by Trellix
Johannesburg, 18 Mar 2020

The demand for remote working as a result of the COVID-19 pandemic will invariably place pressure on organisations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote working policies and security awareness assets in urgent need of updating and communication.

These demands are being required against the reported backdrop of cyber criminals and potential nation states continuing and even leveraging the global crisis for their own personal gain. Without respite, many cyber criminal groups appear to be continuing attacks against many sectors, including healthcare.

Furthermore, there are even those threat actors actively using concern related to COVID-19 as a lure to invoke user behaviour. This post is not intended to be exhaustive and will be updated as we make more resources available to enable organisations and users to stay safe and connected.

Threat landscape

We have identified and reviewed multiple reports related to the criminal use of COVID-19 as potential bait, whether that be phishing e-mails, domains, malware, etc. While its use is not unexpected, with criminals always trying to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. Our subsequent focus at this time is to attempt to determine whether any geographies are specifically being targeted. The chart below maps our visibility of the targets for all known (at the time of writing) threats leveraging COVID-19.

Figure 1. Targeted COVID-19 related threats by country
Figure 1. Targeted COVID-19 related threats by country

As we see, the geographic dispersion of “targets” is relatively wide and includes many countries we typically see on the list of broader phishing targets. However, there are some anomalies, in particular, Panama, Taiwan and Japan. This requires us to undertake further analysis, but does suggest that certain campaigns may be targeting specific countries.

It is equally important to add that this landscape is changing daily, with more threats being identified and included as part of our detection across the entire product portfolio (where appropriate). Moreover, the McAfee Advanced Threat Research (ATR) team is undertaking deeper analysis into the findings to understand why certain countries are receiving more threats related to COVID-19 than others, as well a deeper dive into sector analysis. We will regularly report any relevant details and, of course, share all IOCs with the wider community to ensure we all remain safe. As we continue to hunt for further threat artefacts, we will make our findings available through this forum.

Working from home threats contextualised

All over the world, large numbers of people are rushed to work from home unprepared, sometimes even from their personal devices. Often, these devices are not maintained with proper security measures and possibly leave organisations open to various attacks.

Over the past year, we have published several articles on how targeted ransomware attacks are fuelling the increased demand in the underground for compromised corporate networks. One often-used criminal access method is through “commodity malware”, such as banking malware and info-stealers. The criminals are actively sifting through thousands of logs hoping to find corporate network or remote management credentials.

Commodity malware is often focused directly at consumers, so accessing corporate networks from possible pre-infected personal machines without adequate security measures creates a much larger attack surface for cyber criminals. This increases the risk of an organisation falling victim to a potential breach and ransomware lockdown.

Figure 2. A screenshot of the popular KPOT info stealer, part of an underground advertisement to sell stolen credentials. (notice the malware collects VPN, RDP and Mail credentials)
Figure 2. A screenshot of the popular KPOT info stealer, part of an underground advertisement to sell stolen credentials. (notice the malware collects VPN, RDP and Mail credentials)

Just like we are all fighting to flatten the COVID-19 curve by social isolation and washing our hands, we should aim to flatten the cyber attack surface of our organisations by having proper cyber security hygiene by using multi-factor authentication, VPNs and robust end-point security software.

Remote working

Employees working from home will need clear guidance on acceptable security practices from an organisational perspective:

  • Remote working policy guidance: While many organisations may employ wider guidance on cyber security/privacy guidance within their organisations, there will likely be employees unaware of the expectations for remote working. Equally, this may also apply to security expectations; therefore, any such policy must be reviewed but also effectively communicated to a wider group of employees now working from outside the organisation’s offices.
  • Asset classification: With a larger set of the workforce now working from home, previously inaccessible information assets will need to be available for remote use. Subsequently, enhanced security measures will be necessary to ensure that information is only made available to those with a clear need to know.
  • Strong authentication: With passwords ubiquitous, and two-factor authentication now commonplace, ensuring the appropriate level of authorisation for key assets is in place will be critical.
  • Awareness: All of the processes and technology deployed within an organisation can be simply undone by a lack of awareness. Ensuring all employees are made aware of the potential risks of connecting remotely is critical. It is especially important to be aware of cloud services authorised for work purposes and extra vigilant for targeted phishing e-mails.
  • VPN access: The term untrusted network is rarely a consideration when working in the office; however, with so many employees connecting from externally located environments there is the potential for certain networks to be untrusted. While many will not be venturing into public spaces to limit social contact, there is no assurance that the connection every employee is connecting from is secure. Therefore, leveraging a VPN will be imperative, and indeed organisations may want to enforce certain assets only being accessible via the VPN.

Secure mobile working

Here are some key considerations for those responsible for enabling secure remote working capability:

  • Protecting against accidental data loss. Data encryption is fundamental to good device security hygiene and essential for enabling secure mobile working. Ensure that you have situational awareness of the end-user security controls and can quickly report on the status when the inevitable question comes down from the CISO.
  • Providing an equivalent level of threat prevention. While on the office network or VPN, end-user devices enjoy a defence in-depth capability. However, do they have that same protection when not on the VPN? Using anti-malware solutions that employ cloud-based behaviour analysis and threat intelligence combined with cloud-based Web security can help ensure an equivalent level of security both on and off the network.
  • Secure cloud collaboration. Many employees will need to leverage cloud-based services such as Microsoft Teams and WebEx to collaborate both internally and externally. Ensure you can apply your corporate DLP policies to those cloud-native applications and that your users are fully aware of the authorised collaboration tools at their disposal.
  • Secure cloud access. Attackers will leverage spear-phishing e-mails with coronavirus themes and watering hole attacks from compromised Web sites to target workers and prey on the situation. Reduce the attack surface by tightening Web security policies and block access to risky cloud services.
  • Phishing incident response. You will not be able to prevent everything, so having a balanced security capability with detection and response is important. Security operations should review incident response procedures for phishing, deploy cloud-based EDR for rapid identification of compromised remote end-user devices and ensure users know how to submit suspect e-mails to the SOC.

Conclusion

A wealth of good advice and information is freely available, including the Security Awareness Work-from-Home Deployment Kit[1] from the SANS Institute, which provides “multiple assets that address everything from securing a home network to best practices when working remotely to identifying social engineering attacks”. While the need to enable access as quickly as possibly is understandable, there are those hoping to exploit this urgency for their own personal gain.

Additional resources

We will continue to make resources available to further enable secure home working, as well as insights into the threat landscape from this blog.

Please register for the Webinar detailing adaptable security for flexible working environments here: https://mcafee.zoom.us/webinar/register/WN_AeXoyA-tT_eUFZ2_NvhpSA

https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

Share

Editorial contacts

Alison McDonald
PR Connections
(+27) 11 468 1192
Alison@pr.co.za
Amy Bunn
McAfee
Amy_Bunn@McAfee.com