On 20th March 2020, ENISA (the European Union Agency for Cybersecurity) published an article calling for vigilance from both companies and individuals, following scam attempts that capitalise on the COVID-19 healthcare crisis. Various organisations such as ANSSI (the National Cybersecurity Agency of France), the NCSC (the UK's National Cyber Security Centre) and CISA (the US Cybersecurity and Infrastructure Security Agency) are warning that attackers are taking advantage of the COVID-19 crisis to multiply the volume of scams (phishing, identity fraud, impersonation of healthcare organisations, etc.) and to propagate malware (ransomware, Trojans). Some of the latter campaigns have been attributed to APT (advanced persistent threat) groups.
Although remote working is becoming more widely available, a lot of companies have been overwhelmed by the ongoing healthcare crisis, because they have needed to give the vast majority of employees a remote working solution. To deal with the urgency of the situation, teams have done their best to make this possible, while trying to manage the associated cybersecurity risks. Unfortunately, at a time where cybersecurity attacks against companies are skyrocketing, it has been hard for IT managers to have any peace of mind recently. Here are a few actionable recommendations that can be implemented quickly and easily, so you can sleep easy.
To address the main risks, we are basing our advice on the ATT&CK framework proposed by MITRE, which catalogues the tactics, techniques and procedures used by attackers to succeed in their attempts. The following ATT&CK matrix compiles our observations and highlights the techniques most commonly used to gain access to an IT system. We offer basic mitigations for 9 of these 11 techniques, so that you can reduce risk. The matrices we list are examples that illustrate our proposals; they are no substitute for a risk analysis adapted to your sector, infrastructure or specialism.
Anticipate Attacks Using Empowerment
To combat these emerging threats, it is undoubtedly important to make users aware of threats, so that they are vigilant. Empowering users and giving them responsibility by involving them in the IT system security process is a proven way of improving how you adopt best practices among employees.
For a long time, IT security stayed in the hands of experts, while the most common way of gaining a foothold in an IT system remained social engineering, which targets users rather than technology. By raising awareness of cybersecurity risks, giving employees the means to flag potential threats (suspicious emails, fake LinkedIn profiles, parcels that arrive already opened, etc.), and explaining how these escalations contribute to the overall security of the IT infrastructure, you will get users far more engaged. To increase their involvement in a global process, and show them the importance of the role they play against security threats, we recommend walking them through a process that demonstrates how vital their actions are (for example, what happens to a reported phishing email once it reaches the security team).
There is another technique that has worked well at OVHcloud for a number of years — periodically sending test phishing emails to employees to measure their level of responsiveness against scams, and using this as an opportunity to raise further awareness of what to look out for.
Concretely, these actions reduce exposure to a large number of the techniques in the matrix, since so many of them depend on a user taking the bait.
Limit Exposure For The IT System
This is a universal rule to protect against the unexpected: keep the exposure of IT systems to a strict minimum, by configuring a firewall to close off all non-essential exposed services. Every open port is a door that attackers can use to get into, and then compromise, an infrastructure.
The urgency of setting up a remote working policy has driven some teams to expose RDP (Remote Desktop Protocol), SSH (Secure Shell) and SMB (file sharing) services directly on the Internet, so that employees without a VPN can connect too. In the meantime, while a working VPN is being set up, it is vital to limit the exposure of these services to employees only, e.g. by allowlisting trusted source IP addresses (office egress, known employee ISP ranges) in the firewall, so that bots continuously scanning the Internet never reach them. RDP and SMB remain the most abused protocols: remember WannaCry, which spread through the SMBv1 vulnerability exploited by EternalBlue, or the BlueKeep vulnerability (CVE-2019-0708) in RDP.
When the VPN is set up, require your users to set strong passwords and, wherever possible, enforce two-factor authentication.
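The source-address allowlisting described above, as an added example that is not part of the original post or of OVHcloud tooling. The script generates an nftables ruleset with a default-drop input policy in which the hastily exposed ports (SSH, RDP, SMB) accept traffic only from trusted prefixes, and it models the resulting policy offline so the allowlist can be checked before loading it with `nft -f`. The trusted prefixes are invented for the example (documentation ranges, not real office addresses); the choice of nftables is an assumption, since the post does not name a firewall.

```python
#!/usr/bin/env python3
"""Expose RDP/SSH/SMB only to trusted source prefixes (added example).

Assumptions not taken from the original post: the host uses nftables,
the trusted prefixes below are constructed office/VPN egress ranges,
and the generated text is meant for `nft -f ruleset.nft` (this script
only generates and models the policy; it does not load it)."""
import ipaddress

# Services that were hastily exposed, with their standard TCP ports.
EXPOSED_SERVICES = {"ssh": 22, "rdp": 3389, "smb": 445}

# Constructed allowlist: office egress range and a VPN concentrator address.
TRUSTED_PREFIXES = ["203.0.113.0/24", "198.51.100.7/32"]


def build_nft_ruleset(trusted, services=EXPOSED_SERVICES):
    """Return an nftables ruleset (text for `nft -f`) with a default-drop
    input policy: the exposed TCP ports accept new connections only from
    the trusted prefixes, everything else to those ports is counted and
    dropped so scanner noise stays visible in `nft list ruleset`."""
    # strict=True rejects sloppy entries such as 203.0.113.5/24.
    nets = [str(ipaddress.ip_network(p, strict=True)) for p in trusted]
    ports = ", ".join(str(p) for p in sorted(services.values()))
    lines = [
        "table inet filter {",
        "    set trusted_v4 {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {', '.join(nets)} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
        f"        ip saddr @trusted_v4 tcp dport {{ {ports} }} accept",
        f"        tcp dport {{ {ports} }} counter drop",
        "    }",
        "}",
    ]
    return "\n".join(lines)


def policy_allows(src_ip, dport, trusted, services=EXPOSED_SERVICES):
    """Offline model of the generated policy: a new inbound connection to
    one of the exposed ports is accepted only from a trusted prefix; any
    other new connection falls through to the default drop."""
    src = ipaddress.ip_address(src_ip)
    if dport not in services.values():
        return False
    return any(src in ipaddress.ip_network(p) for p in trusted)


if __name__ == "__main__":
    print(build_nft_ruleset(TRUSTED_PREFIXES))
    for ip, port in [("203.0.113.45", 3389), ("192.0.2.10", 3389), ("203.0.113.45", 8080)]:
        verdict = "accept" if policy_allows(ip, port, TRUSTED_PREFIXES) else "drop"
        print(f"{ip} -> tcp/{port}: {verdict}")
```

Keep the allowlist short and reviewed: every prefix added to `trusted_v4` is a hole in the default-drop policy, and a whole home-ISP range is much wider than the one employee it was meant for. IPv6 exposure needs its own set and rule; the example covers IPv4 only.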
These actions have a positive effect on:
Detect Unusual Behaviour
Asking users to configure a strong password is one thing, but it is hardly feasible to rely on this basic tip for an organisation’s overall security. This is why it is important to complement these measures with detection mechanisms.
Whether or not a SIEM (Security Information and Event Management system) is involved, the principle is the same: detect unusual activity. And this starts with the strong signals. Is a user logging in during the night, or at the weekend? Is a user connecting via an unusual or unauthorised ISP?
You can also monitor the use of machines during non-working hours, to detect unusually intensive CPU usage that may indicate an infected machine (crypto-mining, ransomware, etc.).
Did you know? BGP announcements can be used to enrich IP data with the autonomous system (AS) announcing each address, e.g. via the pyasn open-source tool from Delft University of Technology. Sysmon, from the Sysinternals suite, is also very helpful for monitoring your Windows environments.
Even though detection is by nature reactive, it is essential for limiting damage. In 2019, the global median dwell time (the time between intrusion and detection) was 56 days.
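The two strong signals named above (logins at night or at the weekend, and logins from an unusual ISP) together with the ASN enrichment from the "Did you know?" note, as an added example that is not part of the original post. The log lines are constructed, and the ASN lookup is a stub table that returns `(asn, prefix)`, the same shape as pyasn's `pyasn.pyasn("ipasn.dat").lookup(ip)`, so that the script runs offline; with a real pyasn database you would pass that `lookup` method to `analyse` instead. Working hours and the set of expected ASNs are assumptions to be tuned per organisation.

```python
#!/usr/bin/env python3
"""Flag logins at unusual hours or from an unexpected network (added example).

Assumptions not taken from the original post: the auth log format below is
constructed, WORK_HOURS and EXPECTED_ASNS are illustrative, and ASN_TABLE is
a stub standing in for BGP-derived data such as a pyasn `ipasn.dat` file."""
import ipaddress
from datetime import datetime

# Constructed auth events: "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2020-03-23T09:12:41 alice 203.0.113.45 success
2020-03-23T02:47:03 bob 198.51.100.77 success
2020-03-21T14:05:19 carol 203.0.113.46 success
2020-03-24T11:30:00 dave 192.0.2.200 success
2020-03-24T11:31:00 dave 192.0.2.200 failure
"""

# Constructed ASN table (fictional ASNs in the private range); pyasn would
# return the real announcing AS and the matching BGP prefix instead.
ASN_TABLE = {
    "203.0.113.0/24": (64500, "203.0.113.0/24"),    # "corporate ISP"
    "198.51.100.0/24": (64501, "198.51.100.0/24"),  # "home ISP"
    "192.0.2.0/24": (64502, "192.0.2.0/24"),        # "hosting provider"
}
EXPECTED_ASNS = {64500, 64501}  # networks employees normally connect from
WORK_HOURS = range(7, 20)       # 07:00 to 19:59, local time


def lookup_asn(ip):
    """Stub with pyasn's shape: (asn, prefix), or (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, result in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return result
    return (None, None)


def parse_line(line):
    """Parse one constructed auth event into a dict."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result}


def is_off_hours(ts):
    """Weekend, or outside the configured working hours."""
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def analyse(log_text, lookup=lookup_asn):
    """Return one alert per event that trips a strong signal. Failed logins
    are kept: a failure from an unexpected AS is itself worth a look."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours")
        asn, _prefix = lookup(ev["ip"])
        if asn not in EXPECTED_ASNS:
            reasons.append(f"unexpected-asn:{asn}")
        if reasons:
            alerts.append({"line": n, "user": ev["user"], "ip": ev["ip"],
                           "result": ev["result"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's Monday-morning login from the corporate ISP is silent, bob's 02:47 login and carol's Saturday login are flagged as off-hours, and both of dave's attempts from the hosting provider are flagged as coming from an unexpected AS. Enriching by ASN rather than by exact IP is what makes the second check stable: home users change addresses constantly, but rarely change ISP, whereas a login from a cloud hosting range is a strong signal on its own.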
These actions have a positive effect on:
To conclude, the recommendations listed in this blog post reduce the risk of falling victim to quite a few of the techniques attackers use to gain access to your IT system. As a reminder, it is important to adapt these actions to suit your sector, infrastructure and users. But above all, it is important to protect against all kinds of malware, and against what happens once an attacker has a foothold: to do so, have a look at Defence in Depth measures that prevent an attacker from moving laterally.
Head of Computer Security Incident Response Team