Cyber actors have shown us during the pandemic that they will let no opportunity go by without trying to take advantage. We've seen them prey upon the fear and concern around COVID-19 with phishing attacks, and capitalize on security weaknesses as organizations switched to remote work scenarios. And it's had a significant impact on security professionals' roles — a recent survey from (ISC)² found that 81% of respondents said their job function had changed during the pandemic.
The upside of this is that there are lessons to learn from the types of attacks and attempts that have occurred that will help prepare organizations for the future.
Capitalizing on Panic
The easiest, fastest way to exploit a target is through social engineering attacks — they are fastest to spin up and have the highest rate of return. What we've seen during the pandemic underscores this. From the point of view of social engineering, panic has been a key way for bad actors to capitalize on the situation.
Many of the phishing campaigns we've seen have targeted hospitals, manufacturers of medical equipment, and health insurance companies. Attackers have taken advantage of the shortages of medical equipment and supplies, gaining traction amid the misinformation and fear. A major theme has been to make it look as if these emails and texts come from organizations such as the World Health Organization or the Centers for Disease Control, knowing that these are important organizations everyone is familiar with.
Regardless of whatever technological security measures are in place, the human psyche is always the weakest link — the easiest to exploit — in any security system. In fact, human error and negligence is involved in the majority of security breaches. When humans are facing emotional, physical, and financial distress, they become even more vulnerable to cybersecurity risks.
The Who, What, and Where of Attacks
Most of the attacks we've seen during the pandemic are being delivered via email, so typically they are mass spam campaigns. In fact, in March alone, FortiGuard Labs recorded a 131% increase in viruses — no surprise given that email attachments contain infected and malicious content.
Some attacks have been very targeted, and some accidental and distributed denial-of-service (DDoS) too. While the DDoS can be caused by attackers, the sheer volume of use that's resulted from the move to remote work has also been a factor. Almost everyone is now connected to the Internet for the bulk of the day, whether it's for work or recreation (streaming media, browsing, playing online games, etc.). These devices are often the most unsecured on the network and can be exploited and hacked; attackers can use them as a springboard into corporate laptops in some situations.
The email threats have largely been conducted with the intent of delivering malware to a system. Ransomware has also seen an uptick, with most targeted at critical infrastructures. Bad actors using ransomware know a company is more likely to pay the ransom when the critical infrastructure their business relies on is affected. That's always a reality, but in these times of increased concern around business continuity, it's even more the case.
One thing that's interesting to note is that we haven't seen a lot of shift in terms of innovative or novel techniques and tricks. While approaches have certainly been sophisticated, bad actors have tended to rely on old standards (such as social engineering and ransomware). That's because if the old tricks still work, they aren't likely to change tactics until they see their success rate dropping. Cybercriminals are leveraging well-known advanced attack techniques and layers of obfuscation — which means they have a decent likelihood of breaking into networks and should be treated accordingly. Again, it all goes back to the heightened sense of fear and anxiety that the pandemic has ushered in. Bad actors are all too aware that when people's guards are down, they may not be practicing best-in-class cyber hygiene.
The importance of due diligence cannot be stressed enough. Some might argue that too much caution can be counterproductive, but it's certainly less counterproductive than having your entire company shut down because someone didn't double and triple check before clicking that file.
Cybersecurity user awareness training continues to be crucial. Cyber hygiene isn't just the domain of IT and security teams — everyone in your company needs to be given regular training and instruction on best practices for keeping individual employees and the organization as a whole safe and secure. Having a robust email security solution with a sandbox can also stop these threats at the network perimeter — for example, not allowing these to propagate and reach the user's email inboxes.
Even as businesses and operations start to open up around the globe, certain social distancing measures will continue to be in place. Similarly, organizations and individuals should continue to practice "cyber distancing." Keep your cyber distance by staying wary of suspicious requests, unknown attempts at contact and unsolicited information, and be the protector of your information, networks and health.