Insights and Included Content to Protect Your Organization During Times of Crisis

Remote work

In times of crisis and uncertainty, nefarious threat actors have always preyed on the public and worked to exploit the situation for their benefit. The COVID-19 pandemic is no exception, as attackers have begun to masquerade and disguise common cyberattacks in the fog of the crisis. This a global emergency also prompted organizations to respond and transition large portions of their staff to remote work, void of the typical corporate perimeter protections. These shifts have presented security teams with additional challenges that are difficult for even the most extensive business continuity and disaster recovery (BCDR) plans to test for and prepare.

If you are a LogRhythm customer, you already have the tools necessary to detect and mitigate attacks working to exploit a crisis, as well as meet the challenges of a remote workforce. In this blog, LogRhythm Labs highlights the capabilities and content included in the LogRhythm Platform that you might find valuable in times like this and beyond.

This blog will cover several of the trends that LogRhythm Labs’ has seen related to the COVID-19 pandemic, how each relates to common attacks, and how you can leverage existing prebuilt content to detect and respond to familiar attack scenarios. Keep an eye out for several subsequent blogs and more prebuilt content throughout the coming weeks produced by LogRhythm Labs.

Current COVID-19 Trends

Recent cybersecurity articles about COVID-19 revolve around two themes:

  1. Social Engineering Attacks: Attackers are using COVID-19 as a pretext to entice users to visit malicious websites and open dangerous email attachments.
  2. Remote Workforce: The shift to a remote workforce presents new opportunities for attackers to exploit.

Figure 1: COVID-19 themed phish containing links to a malicious site

Figure 1: COVID-19-themed phish containing links to a malicious site

It is important to note that recently identified COVID-19 themed attacks and attacks exploiting other crises are often not novel attacks. Attackers are repurposing well-understood attack vectors and manipulate the fear and curiosity of users to achieve their goals.

Phishing and drive-by compromise attacks hoping to capitalize on crises, like the COVID-19 pandemic are already well-documented. These attacks have similar attributes including:

  • Malicious websites with young domain names including the terms “COVID” or “coronavirus”
  • Emails containing malicious links, such as links to fake Office 365 login sites
  • Attachments with well-known malware, such as Emotet, Agent Tesla, Trickbot, and Lokibot

Phishing attacks are among the most common attacks used by threat actors today. The good news is there are opportunities to detect and defend against this type of activity throughout all phases of the attack. Specifically, you can detect the email itself through:

  • Collection and analysis of email tracking logs (e.g., Office 365 Message Tracking Logs, etc. ) against lists of keywords likely to be included in the email (e.g., COVID-19, coronavirus, donate, pandemic, outbreak, etc.). AI Engine rules, WebUI Dashboards, and investigations can all be used for this purpose.
    • PRE-BUILT CONTENT | WebUI Dashboard: External Observations: Quickly identify any interesting (operational) or suspicious (security) patterns from external traffic.
    • PRE-BUILT CONTENT | WebUI Dashboard: COVID-19: Quickly identify any interesting (operational) or suspicious (security) patterns with “COVID” or “Coronavirus” in the Command, URL, or Subject fields.
  • Integration, through the LogRhythm Threat Intelligence Service, of threat feeds to detect known phishing email addresses.
  • Collection and processing logs of other security products that provide detections of phishing emails.

You can employ similar approaches to detect drive-by compromise:

  • Collect and analyze URLs and domain names via web proxy, firewall, and IDS logs against lists of keywords and young domains relevant to COVID-19.
  • Integrate threat intelligence feeds to detect known malicious URLs.

As always, the opportunities for detection increase as you onboard and process more logs to provide more vantage points into the SIEM for analysis. Opportunities for detection also increase the better you understand your environment.

Additionally, don’t forget that user awareness training can significantly reduce the impact of phishing and drive-by compromise in your environment. LogRhythm provides free security awareness posters for download at any time.

If a user falls for the bait and clicks on a malicious link or opens a dangerous attachment in the email, you can detect the activity via logs from antivirus, EDR, firewall, and IDS log collection and analysis. Additionally, MITRE techniques related to malware activity can be monitored. Examples include:

To learn more about the LogRhythm MITRE Module, what rules are available, and how to install, check out the Module Guide.

If an attacker succeeds in gaining valid credentials via an attachment or link, you can still detect unusual user behavior in your environment with LogRhythm’s User Entity and Behavior Analytics (UEBA) module via AI Engine rules. These rules include:

  • Abnormal Origin Location
  • Blacklist Location Auth
  • Concurrent Auth Success from Multiple Locations
  • Auth After Dispersed Failed Auths
  • Failed External Auth From Multiple Hosts

To learn more about the LogRhythm UEBA module, what rules are available, and how to install, check out the Module Guide.

Work-from-Home Considerations

Many companies, including LogRhythm, have mandated that employees work from home in the interest of social distancing. For most organizations, having all employees work remotely is an abrupt shift in normal network operations and may present challenges to business continuity. These challenges could manifest as:

  • Resource constraints (e.g., the number of available VPN licenses, the number of simultaneous users that can be supported on the Citrix server farm or the bandwidth of the internet connection to the data center)
  • Functional constraints (e.g., the company has no VPN capabilities or Citrix Server farm)

When faced with these challenges, you may have to make concessions to security to keep the business running. For example, you may need to open the firewall to inbound RDP or allow users to use personal cloud services to collaborate on documents. If you are forced to make concessions, make sure you put measures or policies in place to mitigate risk. When changes are made to security policies under short timelines, there is a higher probability that mistakes will be made, and attackers will attempt to capitalize on those mistakes.

Many organizations also have some level of adoption of cloud services and may expand their reliance on those services during this period. If this is the case for your organization, you can help keep your data secured by monitoring access to and usage of those resources. Pay attention to any possible system misconfigurations, such as excess permissions.

You can detect unintended consequences or misuse of configuration changes through several log source types, including network monitoring logs, firewall logs, and vulnerability scanners. It will be easier to distinguish suspicious and unauthorized network traffic in known environments with clear acceptable use policies.

To assist in monitoring and understanding network traffic, LogRhythm’s Network Detection and Response (NDR) module can be used in conjunction with network monitoring log sources, such as LogRhythm NetMon. AI Engine Rules within the module include:

  • Compromise: Blacklisted Application
  • Exfiltration: Unauthorized Cloud Service
  • Compromise: Inbound RDP/VNC

To learn more about the LogRhythm NDR module, what rules are available, and how to install, check out the Module Guide.

Other Considerations

Compliance

During a global crisis, compliance is likely not the first thought on your mind. While some frameworks have been given limited exemptions during the COVID-19 pandemic, such as the US Department of Health and Humans Services order for HIPAA, many still require continuous compliance.

The great news is that LogRhythm has prebuilt solutions for both healthcare- and privacy-related compliance in our Health Care Compliance Automation and GDPR modules. These provide comprehensive security frameworks that help to protect patient and consumer data, as well as improve your organization’s security posture — at no additional costs.

These modules contain several important capabilities that will help you maintain compliance and enable you to take on threat actors looking to exploit the COVID-19 hype. These capabilities include:

  • Quick and easy integration with your existing Electronic Health Records (EHR) software
  • Prebuilt AI Engine rules and alerts mapped to HIPAA, HITECH, and GDPR controls
  • Highly customizable and flexible visualizations via dashboards
  • Fast and granular customization capabilities to fit your organization’s unique IT environment and policies
  • Robust case management features and automation playbooks to enhance security workflow
  • Predefined reports to easily document evidence of compliance

In Summary

Whatever the global situation, bad actors will continue to pursue their nefarious goals. As your security partner, LogRhythm can help you keep your organization secure during this difficult period. With extensive prebuilt content and an integrated platform, LogRhythm has your back so you don’t need to scramble or find the budget for add-on solutions.

Stay tuned for additional posts from LogRhythm Labs with deep dives into the detection techniques discussed in this article.

Contributors to this blog include the following members of the LogRhythm Labs team;  Dan Kaiser, Brian Coulson, Andrew Hollister, James Carder, and Kyle Dimmit.
—————————————
Have you developed any detection content or work-from-home security strategies that you would like to share? If so, leave a comment below!
—————————————

[1] https://www.csoonline.com/article/3532825/6-ways-attackers-are-exploiting-the-covid-19-crisis.html

[2] https://blog.malwarebytes.com/social-engineering/2020/02/battling-online-coronavirus-scams-with-facts/

[3] https://www.zdnet.com/article/state-sponsored-hackers-are-now-using-coronavirus-lures-to-infect-their-targets/