
Q&A: How SOCs have been coping during the pandemic

(Image credit: Wright Studio / Shutterstock)

Since the start of the Covid-19 pandemic, the Security Orchestration, Automation and Response (SOAR) company SIRP has been capturing the changing patterns of security alerts on its platform. Data taken from the Security Operations Centers (SOCs) of eight enterprise customers – each equipped with an average of 20 different security tools and each receiving approximately 10,000 alerts a day before the pandemic – reveals some interesting results.

In this Q&A, Faiz Shuja, Co-Founder & CEO of SIRP Labs, discusses the findings and analyses what they mean.

What were the key threat patterns seen by your platform during the pandemic?

Our research findings focus on four key areas to compare what happened before and during the global pandemic: the number of significant alerts, the top five significant alert types, unique phishing emails detected, and the malware types detected.

There was a significant dip in alerts detected in March when the lockdown in the UK started. The reason behind this was two-fold. First, the situation was uncertain, and systems were being configured for a remote working environment during the pandemic. Second, the number of attacks fell as cyber criminals had to figure out how to exploit the “new normal”, i.e. more people working remotely, having a greater reliance on the internet, and potentially not being as secure.

Once the “new normal” was adopted and threat actors adjusted their techniques, tactics and procedures (TTPs), we saw a massive uptick in alerts in April – three times normal levels.

What are the new TTPs threat actors are using against business?

During the pandemic, threat actors have concentrated their efforts on brute force and phishing attacks. From February to April, phishing attacks roughly doubled while the presence of malicious URLs in emails was even higher, with April levels being nearly six times greater than February.

Brute force attacks, where threat actors try various usernames and passwords until the right combination is found, were also higher in April compared to February. These were attacks against application servers, firewalls, VPNs, and remote access servers.
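The brute force pattern described in this answer (many failed logins against a VPN or remote access server, possibly followed by a success once the right combination is found) is straightforward to detect from authentication logs. The following is an added example, not SIRP's code or anything from the interview: it runs a sliding-window failure counter over a handful of constructed log lines in a generic `auth=fail|success user= src=` format (the format and the IP addresses are assumptions for illustration) and flags a source once it crosses a failure threshold, marking separately whether a success followed the burst, which is the case a SOC would escalate first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic form. They are illustrative only,
# not the output of any real VPN, firewall or remote access product.
SAMPLE_LOG = """\
2020-04-06T08:00:01Z vpn auth=fail user=jsmith src=198.51.100.23
2020-04-06T08:00:03Z vpn auth=fail user=jsmith src=198.51.100.23
2020-04-06T08:00:04Z vpn auth=fail user=asingh src=198.51.100.23
2020-04-06T08:00:06Z vpn auth=fail user=mlee src=198.51.100.23
2020-04-06T08:00:07Z vpn auth=fail user=tkhan src=198.51.100.23
2020-04-06T08:00:09Z vpn auth=success user=tkhan src=198.51.100.23
2020-04-06T08:05:00Z vpn auth=fail user=rgarcia src=203.0.113.9
2020-04-06T08:20:00Z vpn auth=success user=rgarcia src=203.0.113.9
2020-04-06T09:00:00Z vpn auth=fail user=bwong src=192.0.2.77
2020-04-06T09:30:00Z vpn auth=fail user=bwong src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>fail|success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that accumulates `threshold` or more
    failed logins inside a sliding `window`. Each finding records the failure
    count, the distinct usernames tried (password spraying shows up as many
    users from one source) and whether a success followed while the burst
    was still inside the window."""
    failures = defaultdict(deque)  # src -> deque of (ts, user) inside window
    findings = {}                  # src -> finding dict, once raised
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = failures[src]
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "fail":
            q.append((ts, user))
            if len(q) >= threshold:
                f = findings.setdefault(
                    src, {"src": src, "success_after_burst": False}
                )
                f["failures"] = len(q)
                f["users"] = sorted({u for _, u in q})
        elif src in findings and q:
            # A success from a source already flagged, with failures still in
            # the window, is the strongest signal that a guess landed.
            findings[src]["success_after_burst"] = True
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_LOG):
        print(finding)
```

The threshold and window are deliberately parameters: the interview notes that remote working multiplied legitimate external logins, so a value tuned for an office-bound workforce will either drown analysts in alerts or miss slow, spread-out guessing, and should be re-tuned against a baseline of the new traffic.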

Why the change?

Threat actors know that the sudden shift in working habits has made both systems and people more susceptible to certain types of attack. For instance, they will exploit people’s desire to find out information or to help by sending them Covid-themed emails with malicious URLs. Attackers taking advantage of current events is nothing unusual, such as Christmas-themed scams in December, but Covid has presented a unique opportunity with its mix of isolation, uncertainty and fear.

There are also more people accessing work files and systems from outside the network. It elevates the importance of remote user authentication techniques at a time when resources for scrutinizing credentials are under strain. As such, threat actors believe brute force attacks are likely to be more successful.

While many businesses have tried to reduce the brute force threat by adding two-factor authentication on virtual private networks (VPNs), threat actors have realized this and have increased their efforts against them accordingly. Our research showed a 60 percent increase in VPN attacks in April compared to the previous three months.

What about internal threats?

Internal threats have dropped significantly as the workforce is dispersed remotely and must access the network externally. Employees are no longer being treated as insiders; they have become privileged outsiders. Moreover, they are not accessing the local network and systems as before. Instead, their access is more likely to be restricted to only the specific services required for their job.

More widely we are seeing an increase in state-sponsored APT attacks as nations look to take advantage of the perceived weaknesses of others, or to steal or destroy their Covid research. For instance, the UK and US believe that actors sponsored by the likes of China, Russia and Iran have attempted to steal coronavirus data from universities, pharmaceuticals and research institutes.

Specifically, the University of California San Francisco was forced to pay a $1.14 million ransom to hackers after they encrypted servers used by its School of Medicine.

Elsewhere, in Australia, Prime Minister Scott Morrison took the unusual step in June to warn the nation that state actors were increasing their attacks on all areas of government and industry.

What can be done to defend against this rise in attacks?

Businesses are starting to roll out the sorts of systems and controls needed to better protect a remote workforce. They are implementing VPNs and restricting user access so that they can only use those tools and files necessary for their job role. Further, stricter password policies and even 2FA have been put in place. Yet these will only go so far.

Those in the security operations center (SOC) dealing with alerts manually are being overwhelmed. Even before the pandemic there was a severe shortage of cyber security professionals. Lockdown has added extra strain. Cybersecurity analysts are working remotely, potentially reassigned to other tasks to shoulder the workloads of colleagues who have been furloughed. Not only is this incredibly stressful for the SOC team, but it also inevitably results in a higher proportion of alerts going unchecked.

One way organizations look to ease the strain on their SOC is to introduce automation that can respond to these alerts through a range of playbooks. Each playbook provides an agreed-upon process for handling a security incident, based on the knowledge and experience of security professionals. One of the popular playbooks is for phishing analysis. This playbook will stipulate that if an email looks like it contains malware it can be sandboxed for analysis and given a risk score. If that score indicates that there is malware present, the email is blocked and deleted. With automation, this only takes a few seconds to complete.

Of course, playbooks often need to be re-written to take account of the TTPs threat actors have adopted during Covid. This further illustrates how CISOs and their teams face constant pressure to stay one step in front of attackers.
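The phishing playbook described in this answer has a simple shape: examine the email, derive a risk score, and block and delete it when the score says malware is present. The code below is an added example and not SIRP's playbook or platform code. It replaces the sandbox detonation step with a local heuristic scorer (an assumption made so the example runs offline), using a constructed known-bad hash, constructed lookalike domains and a constructed corporate domain `example.com`; none of these are real indicators. The decision tiers (block, quarantine for analyst review, deliver) and their thresholds are also assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


# Constructed indicators standing in for a sandbox verdict or threat-intel
# feed. None of these are real IoCs.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ-constructed-dropper").hexdigest()}
LOOKALIKE_DOMAINS = {"example-corp-login.test", "covid19-relief-portal.test"}
CORP_DOMAIN = "example.com"          # assumed corporate mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RAW_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def score_email(msg):
    """Return (score 0-100, reasons). Each indicator adds a fixed weight; this
    stands in for the sandbox scoring step of the playbook (assumption)."""
    score, reasons = 0, []
    for url in URL_RE.findall(msg.body):
        host = (urlparse(url).hostname or "").lower()
        if host in LOOKALIKE_DOMAINS:
            score += 40
            reasons.append(f"lookalike domain {host}")
        if RAW_IP_RE.match(host):
            score += 30
            reasons.append(f"URL points at raw IP {host}")
    for name, data in msg.attachments.items():
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            score += 70
            reasons.append(f"known-bad hash for {name}")
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            score += 25
            reasons.append(f"risky attachment type {name}")
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != CORP_DOMAIN and "covid" in msg.subject.lower():
        score += 15
        reasons.append("external sender with Covid-themed subject")
    return min(score, 100), reasons


def run_phishing_playbook(msg, block_threshold=70, review_threshold=30):
    """Apply the playbook decision: block and delete above block_threshold,
    quarantine for an analyst above review_threshold, otherwise deliver."""
    score, reasons = score_email(msg)
    if score >= block_threshold:
        action = "block_and_delete"
    elif score >= review_threshold:
        action = "quarantine_for_review"
    else:
        action = "deliver"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed sample messages covering each decision tier.
MALICIOUS = Email(
    sender="relief@covid19-relief-portal.test",
    subject="COVID-19 relief payment",
    body="Claim your payment at https://covid19-relief-portal.test/claim",
    attachments={"form.docm": b"MZ-constructed-dropper"},
)
SUSPICIOUS = Email(
    sender="hr@partner.test",
    subject="Covid policy update",
    body="Please read https://203.0.113.5/policy.pdf before Monday",
)
BENIGN = Email(
    sender="it@example.com",
    subject="Weekly maintenance",
    body="Servers reboot Friday. Details at https://intranet.example.com/maint",
)

if __name__ == "__main__":
    for m in (MALICIOUS, SUSPICIOUS, BENIGN):
        print(m.subject, "->", run_phishing_playbook(m))
```

The indicator weights are the part a SOC would rewrite as TTPs shift, which is the point the answer closes on: when attackers moved to Covid-themed lures and raw-IP links, the scorer's weights and keyword lists are what change, while the block/quarantine/deliver decision logic stays the same.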

Faiz Shuja, Co-Founder and CEO, SIRP Labs

Faiz has 16+ years of experience in designing, implementing, and managing secure technology infrastructures. He is currently Co-founder & CEO for SIRP, a risk-based Security Orchestration, Automation and Response (SOAR) platform.