Cybersecurity attacks have been high on the news agenda during the Covid-19 lockdown, as malicious actors have exploited unprotected systems and vulnerable endpoints on mobiles and laptops to gain access to corporate networks.
Beginning in mid-March, a variety of pandemic themed malware and phishing attacks were unleashed to disastrous effect. Examples included phishing email attachments which, if opened, allowed info-stealers including Emotet, NanoCore and Azorult to be installed and pilfer personal data, log-ins and passwords to get beyond the corporate security perimeter.
There’s no doubt that this rise in activity has been prompted by the promise of the spoils available to cybercriminals from a disrupted and displaced workforce. However, it is also indicative of a general and worrying trend as illustrated by the 2020 survey carried out by Ipsos Mori for the Department for Digital, Culture, Media and Sport (DCMS). This found that amongst over 1340 businesses in the UK who had experienced a breach or attack, there has been a rise in phishing attacks from 72 percent to 86 percent in the last three years.
Playing on human instinct
The particular difficulty of dealing with phishing attacks is that they play on natural human instincts. It is instinctive to open an attachment on an email from a familiar delivery company, or from what appears to be a user’s own bank, or, as happened during the early days of lockdown, from the World Health Organization with updated Covid-19 advice and information. In so many cases the user responds to the urgency of the message, and it may not be an attachment, but a link which appears innocuous, but once clicked on, will deliver its payload. Many victims recognize almost instantly that they have made a mistake, but by then the damage is done.
Working remotely has heightened the risk of succumbing to phishing attacks, along with many other forms of malware, which is evident from the rise in reported incidents. The biggest factor in this is the increased use of home PCs, unprotected laptops, or even mobiles.
Although the DCMS survey was conducted before the pandemic hit the UK, it still found that an average of 53 percent of firms had employees that were using personal devices to carry out work-related activities. While the number of BYOD devices in use had not risen considerably compared with previous years, many companies will have been forced to allow an increased use of BYOD or unprotected endpoint devices from March onwards due to the sudden lockdown.
Reliance on staff to identify attacks
An additional challenge to employees working remotely from home is that the usual reporting mechanisms may have been disrupted and access to IT security assistance is likely to have been more limited. The DCMS study found that while 46 percent of UK firms had reported cyber security attacks in the previous 12 months – some as often as once a week - 63 percent of the most disruptive incidents were discovered by staff members. Relatively few, just 7 percent, were identified through anti-virus or anti-malware programs.
Recognizing the problem of phishing, the National Cyber Security Centre (NCSC) launched the ‘Suspicious Email Reporting Service’ in April, inviting anyone who suspected they had received an illegitimate email to forward it on for investigation. Two months later over a million reports had been received.
The NCSC was able to block many of the phishing attempts, but the kind of reactive detection systems that many organizations use to protect themselves, and their employees, will have proved ineffectual. This includes most standard anti-virus and Endpoint Detection and Response (EDR) solutions, to the extent that the SANS institute found that less than half of cyberattacks were detected by anti-virus software. It said that they were not effective in either slowing down the number of breaches, or even discovering the malware as it dwelled on a network.
The time taken to react is the crucial element. Traditional anti-phishing safeguards are reactive and this means precious time is wasted. Once a suspected phishing page has been reported, it is examined by security experts in order to confirm that it is indeed a phishing page. The site is then added to a blacklist of phishing sites, which subsequently block users from viewing the page and becoming a victim. This process is only triggered once a suspected page is reported, and it takes time, typically 3 or 4 days, before users get protection.
That’s not to say that both EDR and AV solutions have their place, but in the wake of the rise in phishing attacks, it would be more prudent for organizations to adopt a layered approach to security. This provides strength and depth, ensuring that although malware might get through one security measure, it will be prevented by another.
The best approach of course, is proactive so that a new phishing attack can be prevented from the instant it goes live. Phishing pages look to the average user like a real login page. The most successful are those that purport to be from a high-profile brand, or frequently used service – LinkedIn, Twitter, Microsoft, etc. To combat this a digital fingerprint is created of these typical target login pages. When a user surfs the internet, specialist software designed to combat phishing compares each page they visit against the set of digital fingerprints. If there’s a match i.e. a particular page resembles one of the fingerprinted pages, it can be checked to see whether it’s genuine. If it fails this check, it is flagged as a phishing site and is blocked from loading. This technique works from the instant a new phishing attack is launched, and is therefore proactive in the sense that it does not need prior knowledge of the phishing attack before it is effective.
With the safety of the corporate perimeter still a distant reality, the vulnerability of employees working from home remains acute. Organizations need to be ultra-aware of the dangers they face as phishing attacks continue to evolve and become smarter and more insidious. Protecting precious data and the specific applications that handle the data is crucial so solutions designed specifically to do that must be considered. Standard software is no longer enough.
Dave Waterson, CEO, SentryBay