COVID-19: A biological hazard goes digital
Examining the crisis within the crisis
Charl van der Walt – Head of Security Research (@charlvdwalt)
OrangeCyberdefense.com
With thanks
▪ Security Research Center (SRC)
▪ Computer Emergency Response Team (CERT)
▪ (Malware) Epidemiology Lab
▪ OSINT Unit
▪ CyberSOC
▪ Advisory & Architecture
▪ Global CISO Office
▪ Global CTO Office
Structure
April 14, 2020
1. The nature of a pandemic
2. What we’ve been seeing
3. (Re)assessing your threat model
4. Responding to the crisis
1. The nature of a pandemic
Pandemos
pan·dem·ic | \ pan-ˈde-mik
▪ an outbreak of a disease that occurs over a wide geographic area and affects an exceptionally high proportion of the population: a pandemic outbreak of a disease.
▪ occurring over a wide geographic area and affecting an exceptionally high proportion of the population.
“One Third”
IT crisis
An emergency situation that forces companies to…
▪ Adapt rapidly
▪ Work remotely
▪ Collaborate virtually
▪ Protect vulnerable users
▪ Respond to elevated threats
▪ Do more with less
2. What we’ve been seeing
Bird’s eye view of a crisis
Home IT is insecure
Remote access is a target
Users are more susceptible
Attackers have pivoted
Health systems and data are targets
The perfect lure
[Chart: Registered domains linked to COVID-19, daily counts for 20/3 to 26/3 (y-axis 0 to 2000; values shown range from 998 to 1853)]
[Chart: Number of potentially fraudulent e-mails transmitted by the CERT customers, daily counts for 20/3 to 26/3 (y-axis 0 to 200)]
Watering hole attack: https://securityaffairs.co/wordpress/99446/cyber-crime/coronavirus-map-delivers-malware.html
Malware adapts
Malicious mobile applications: https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus/
Home IT attacked
Coronavirus-themed malware via hacked home router: https://www.zdnet.com/article/d-link-and-linksys-routers-hacked-to-point-users-to-coronavirus-themed-malware/
Cease fire?
Fake news
Old crime, new crime: https://www.vice.com/en_us/article/y3m4b7/hackers-twitter-accounts-advertising-face-masks-coronavirus
“HHS and federal networks are functioning normally at this time.”
Geo-political escalation
Kwampirs malware: https://www.documentcloud.org/documents/6821580-Kwampirs-PIN-20200330-001.html
OSINT Unit: Our Epidemiology Lab assesses that patents for vaccines and COVID-19 quick detection tests are at high risk of being targeted.
Image from FireEye
Virtual Queuing
https://www.thesun.co.uk/money/11276203/boots-shoppers-queue-hour-website/
Internet under strain
Video conference concerns
3. (Re)assessing your Threat Model
But what are the real threats?
Emerging threat model
Mitigating factors: https://www.bleepingcomputer.com/news/security/hackers-struggle-morally-and-economically-over-coronavirus/
Bird’s eye view of a crisis
4. Responding to the crisis
Thinking straight
High-Level Recommendations
▪ Don’t panic. Take the time to improve
▪ Hope for the best, plan for the worst
▪ Talk sense to your people
▪ Stay in touch with your partners
▪ Check your suppliers
▪ Prioritize
Priorities
1. Establish emergency response procedures and systems.
2. Establish a security support hotline.
3. Review backup and Disaster Recovery (DR).
4. Equip your users with the info they need to make good decisions.
5. Provide secure remote access.
6. Establish visibility over remote endpoints.
7. Consider malicious mobile applications.
8. Consider patching and hardening of remote endpoints, including mobile.
9. Review your insurance policy.
10. Prepare to return to the office.
Establish incident response procedures and systems
Principle: Take some time to facilitate a planning session with key IT and security role-players to consider your response capabilities in the event of a suspected compromise or breach.
Consider: Do you have a clear policy and plan for how you would deal with a ransomware incident?
Equip your users with the info they need to make good decisions
Principle: The better educated and equipped they are to recognize and counter cyber-threats, the better it will be for your overall security posture.
Consider: Equip and educate users, rather than scare or punish.
Review backup and Disaster Recovery
Principle: Take some time to review the state of your backups and the readiness of your data and Disaster Recovery processes.
Consider: Think about home workers and the data they may be working with locally.
Establish a security support hotline
Principle: Providing a contact for users to speak to someone rationally about attacks they may suspect, or about their own systems and behaviors, could be a powerful tool for reducing the level of anxiety and indeed improving your security posture.
Consider: Do you have the capacity to deal with the volume?
Provide secure remote access
Principle: Provide secure remote access.
Consider:
▪ Authentication is a higher priority than confidentiality
▪ MFA or smart password policies
▪ Make sure you secure DNS
▪ Manage your security devices
Establish visibility over remote endpoints
Principle: With users now working remotely on a large scale, enterprises without robust EDP/R capabilities may find themselves flying blind through the eye of a crisis.
Consider:
▪ Microsoft Sysmon
▪ Commercial EDPR
▪ Other options, e.g. VPN & GRR
Consider malicious mobile applications
Principle: Organizations should plan their mobile device security on the assumption that unknown third-party applications downloadable by users should not be trusted.
Consider:
▪ Ship your users corporate devices
▪ Mobile Device Management
Consider patching and hardening of remote endpoints, including mobile
Principle: Once the other priorities we discussed in this section have been addressed, effort should be invested into considering how remote user endpoints might be patched.
Consider:
▪ Specific patches that make user endpoints less exploitable are the primary concern right now
▪ Maybe your users can help?
Review your cyber insurance policies
Principle: We recommend that businesses invest some effort in reviewing and reconsidering the appropriateness of their cyber insurance policies.
Consider:
▪ Act of War and Pandemic clauses
▪ Is your moral and ethical policy on paying ransomware aligned?
Resources
▪ White paper: https://orangecyberdefense.com/global/white-papers/covid-19-a-biological-hazard-goes-digital/
▪ The threat of cyber-attacks on healthcare: https://cyberdefense.orange.com/en/2020/03/20/the-threat-of-cyberattacks-on-healthcare-establishments-during-the-covid-19-pandemic/
▪ Infographic: https://orangecyberdefense.com/global/white-papers/cheatsheet-basic-advice-in-a-nutshell/
A lesson to learn
We live and work in an inter-connected, inter-dependent world.
We must think beyond the single-dimensional risk we are addressing for our business and consider the impact of the secondary and tertiary effects on the broader economy when breaches and compromises happen.
Recognize that what’s bad for society generally is bad for us as businesses too.
Thank you!
@charlvdwalt
Orange Cyberdefense