The sudden and wide-scale transformation to remote and hybrid working changed the digital landscape overnight and introduced heightened risks and new challenges. Well-established procedures were quickly rewritten, best practices rethought, and policies stretched to breaking point.
Business transformation is always a security risk. New technology and working practices need new security measures, but normally this risk is managed carefully, and over time. Unsurprisingly, cyber-criminals were quick to capitalize on the unforeseen nature of the changes brought about by COVID-19, exploiting not only the overnight changes in working practices, but also the general sense of fear and uncertainty, with pandemic-related phishing emails and social engineering playing a key part in changes to the cyber-threat landscape.
All this demonstrated the necessity for companies’ cyber security strategies to be dynamic and adaptive. As Charles Darwin put it, “It is not the strongest of the species that survives, not the most intelligent that survives, but the one that is most adaptable to change!” Living and surviving in times of COVID is physically, socially and economically tough and requires constant adaptation. We saw how legacy solutions that rely on hard-coded rules and deny lists struggled in a new threat landscape that rendered many of those rules inappropriate or ineffective. These solutions failed to adapt when attackers sought out new vulnerabilities and new routes into the organization, while producing false positives on the legitimate and necessary changes in workforce behaviors and technologies.
Based on observations across its global customer base, Darktrace identified four key trends in the cyber-threat landscape in its 2021 Threat Report. Every stage of the attack lifecycle is explored, from reconnaissance and initial intrusion through to the final stage of the kill chain: ransomware and data exfiltration. The report details seven real-world cyber-threats that evaded traditional, legacy security tools but were detected and investigated in real time by Darktrace’s AI. In many cases, the threats were neutralized within seconds by Darktrace’s Autonomous Response technology, Darktrace Antigena.
Change brings novelty, and novelty brings opportunity for scammers
The sudden move to remote working forced internal security teams to work at full capacity, racing to roll out essential remote working tools and changes in authentication measures. This provided ample opportunity for spear phishers to impersonate third parties and clients, drafting up convincing and clickable subject lines exploiting the general sense of uncertainty and commotion that characterized those few weeks.
New risks were exacerbated by the relaxing of security controls in order to facilitate non-standard working practices. Employees taking their work computer home with them found themselves suddenly stripped of protection as they traded the office network for home Wi-Fi, with client devices sitting exposed on potentially unsecured networks amongst potentially compromised machines.
In addition, widescale remote working increased the risk of malicious insiders, as data could now be easily taken from a company device over USB within the privacy of their own home. From a company perspective, employee homes are zero-trust environments: confidential conversations are conducted within range of eavesdroppers and intellectual property is visible on screens and monitors in living rooms around the world.
Traditional tools can be easily bypassed
As organizations around the world began adopting new working patterns at a speed and scale that had never been seen before, one word in particular slipped into the lexicon time and time again. Unprecedented—but legacy security tools, by nature, cannot deal with unprecedented. Confined to playbooks and deny lists put together solely from previous attacks, these tools became increasingly redundant once the digital landscape had changed beyond recognition.
Grappling with these new circumstances, employees and IT teams alike increasingly sought workarounds to get their jobs done and ensure business continuity. Pre-existing use-cases and rules that may have been suitable in the past did not apply to new cyber challenges, as organizations realized the need for a more proactive and dynamic approach to detection and response.
Increasing pressure on SOCs
All the above changes and risks created a monitoring nightmare for Security Operations Centers (SOCs) entering a period of digital unknown. Data flows and topology changed overnight. New technology and services were deployed in record time. Logging formats changed. Security information and event management (SIEM) use-cases that took 12 months to develop had to be scrapped overnight. As working practices continue to change in unforeseen ways, companies need to leverage technology that allows them to continue to operate amidst uncertainty without impeding productivity at this critical time.
For instance, the onset of the pandemic prompted an explosion in the use of SaaS applications such as Microsoft Teams, Zoom, and Webex, which heightened the risk of compromised credentials and insider threats, whether from malicious administrators with privileged access or from diligent cyber-criminals who lure users to a fake login page.
Phishing emails exploiting uncertainty
The cyber-criminals behind email attacks do their research and are highly responsive to human behaviors and emotions, often seeking to evoke a specific reaction by leveraging topical information and current news. It is therefore no surprise that attackers try to get users to open emails or click links by using COVID-19 news. In fact, Darktrace witnessed a massive surge in spoofing attacks during the past year, accounting for 40% of all attacks over the initial lockdown period. 130,000 newly registered domains relating to COVID were created, with over half of them used for malicious purposes.
Traditional email security tools resort to ‘sandboxing’, which creates an isolated environment for testing links and attachments seen in emails. But most advanced threats now employ evasion techniques such as an activation delay that waits until a certain date before executing. When the file is detonated in the sandbox, it appears harmless, and the sleeping attack waiting within goes unrecognized.
Resurgence of Server-Side Attacks
Finally, the spinning up of new infrastructure in rapid succession has reinvigorated more ‘traditional’ risks. As companies rapidly deployed VPN gateways and expanded their internet-facing perimeter, the enlarged attack surface paved the way for a surge in brute-force and server-side attacks. With poorly secured public-facing systems rushed out in record time, companies prioritized availability, inevitably sacrificing some security in the process. Patching vulnerabilities has been as difficult as ever this year, and with IT teams over-stretched and many staff members furloughed or laid off, financially motivated actors sought to weaponize these weak points in organizations. (Source: Darktrace)