Since January 2020, Zscaler claims “an increase of 30,000% in phishing, malicious websites, and malware targeting remote users[.]” Providing an alternative metric, Infosecurity Magazine reported that phishing alone soared 600% since the end of February 2020. Covid-19 was, at least in part, the catalyst. Whatever the cause, businesses, individuals, and municipalities must determine the targets, the tactics, and the potential defenses.
Generally, everyone can be, is, was, or will be the subject of a cyber-attack. Currently, however, there are two primary targets of both nation-state and unaffiliated criminal cyber-attacks: (1) critical infrastructure elements; and (2) intellectual property holders. These two categories overlap in several areas of industry, most notably the energy and chemical sectors (which DHS treats as separate sectors), the food and agriculture sector, and the healthcare and public health sector.
The energy and chemical sectors include oil companies, power companies, the natural gas industry, and affiliated and related industries such as pharmaceuticals for prescription drugs, rubber for tires and heavy equipment, and consumer products such as cleaning supplies. The energy sector also provides electricity to households, businesses, and governments, without which almost nothing can function.
The food and agriculture sector depends on the chemical and energy sectors to feed and water crops, as well as to process raw materials and distribute food to grocery stores nationwide. This sector represents one-fifth of the U.S. economy and relies upon patented formulas for the efficient growth and harvesting of plants and grains, as well as medicinal products for livestock.
The healthcare and public health sector is more important than ever with the creation, refinement, and testing of Covid-19 treatments and vaccines.
The general tactics remain the same: phishing and ransomware. The methods used to carry them out, however, are evolving.
New Domains: As reported by Darktrace, bad actors that use email phishing tactics are purchasing and using new domains, en masse, that carry no negative history. Most security software flags bad emails by reviewing the sender’s IP address, domain, and any attachments, looking for known indicators of malicious links. Absent any red flags, the email passes through security and lands in the inbox. Because a newly registered domain has no history attached to it, the bad actor can trick a reputation-based filter into treating the email as coming from a reliable source with no affiliation to a known bad actor.
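One defensive check that closes part of this gap is domain age: a domain registered days ago has had no time to earn a reputation either way, so it deserves a second look. The Python below is an added example, not code from the original article or from Darktrace; it extracts the registrable domain from the From: header and flags mail whose domain is unknown or was registered fewer than 30 days before the check date. The REGISTRATION_DATES table and the sample messages are constructed stand-ins; a real deployment would replace the table with a WHOIS/RDAP lookup and the two-label domain heuristic with the public suffix list.

```python
"""Flag inbound mail whose sender domain is too young to have a reputation."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed lookup standing in for a WHOIS/RDAP query (assumption: a real
# deployment would call a registration-data service and cache the result).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "invoice-portal-secure.example": date(2020, 4, 2),
}
MAX_DOMAIN_AGE_DAYS = 30  # domains younger than this get flagged for review

def registrable_domain(host: str) -> str:
    """Collapse 'mail.sub.example.com' to 'example.com' (simplified: last two
    labels only; a real filter would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(raw_message: str) -> str:
    """Extract the registrable domain from the From: header, ignoring the display name."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return registrable_domain(addr.rsplit("@", 1)[1])

def domain_age_days(domain: str, today: date):
    """Days since registration, or None if the domain is unknown to the lookup."""
    registered = REGISTRATION_DATES.get(domain)
    return (today - registered).days if registered else None

def should_flag(raw_message: str, today: date) -> bool:
    """True when the sender's domain is missing, unknown, or newly registered."""
    domain = sender_domain(raw_message)
    if not domain:
        return True  # a malformed or absent From: header is itself suspicious
    age = domain_age_days(domain, today)
    return age is None or age < MAX_DOMAIN_AGE_DAYS

# Constructed sample messages (not real mail) and a fixed "today" for determinism.
OLD_DOMAIN_MAIL = "From: Accounts <billing@mail.example.com>\nSubject: Statement\n\nHi\n"
NEW_DOMAIN_MAIL = "From: Accounts <billing@invoice-portal-secure.example>\nSubject: Statement\n\nHi\n"
CHECK_DATE = date(2020, 4, 10)

if __name__ == "__main__":
    for name, mail in (("old domain", OLD_DOMAIN_MAIL), ("new domain", NEW_DOMAIN_MAIL)):
        print(name, "-> flag for review" if should_flag(mail, CHECK_DATE) else "-> pass")
```

Age is one signal among several: a freshly registered domain is not proof of phishing, so the result is a review flag rather than an outright block.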
Big Game Hunting Through a Targeted Individual: rather than simply blasting every antiquated VPN associated with a hospital and then releasing malware, these bad actors know exactly which entity they want to target and whose credentials they need to get in. Here is a scenario: Bad Nation State wants to steal trade secrets from a U.S. chemical company. Bad Nation State identifies the Chief Technology Officer from a Sarbanes-Oxley Act filing or press release and studies him. They find his wife’s Facebook account and, through her postings, Bad Nation State poses as another individual, befriends her through a neighborhood association group, and sends her messages with pictures and memes featuring mutual interests. Each time the wife opens an image or file from Bad Nation State, it releases malware onto the device being used. The CTO uses his wife’s iPad to check his company email, and Bad Nation State captures his credentials, giving itself unlimited access to any file within the company without detection.
Deepfakes: fake audio and video recordings that use artificial intelligence to look and sound incredibly real, used to spread misinformation or commit fraud, such as impersonating an executive to issue commands.
In addition to the standard advice of requiring software patches, multi-factor authentication, passphrases instead of passwords, and daily data back-ups, the following additional defenses are recommended:
Strictly forbid bring-your-own-device (BYOD) use for anyone with a network administrator account. These individuals need separate cell phones, computers, and tablets that no one is permitted to use except the individual and a designated IT specialist from within the company.
Strictly forbid certain applications on company equipment: absolutely no gaming, social media, or geolocation-enabled applications.
Enact company policies that permit VPN access only from company-issued equipment and devices.
Consider augmenting security and anti-virus software with artificial-intelligence-based tools as a second or third line of defense to detect cyber threats.
For changes to company policies, enlist a cybersecurity attorney to assist with reviewing current employment contracts and revising them to reflect best practices regarding permitted equipment use.