It is important to note that recently identified COVID-19 themed attacks and attacks exploiting other crises are often not novel attacks. Attackers are repurposing well-understood attack vectors and manipulating the fear and curiosity of users to achieve their goals.
Phishing and drive-by compromise attacks hoping to capitalize on crises like the COVID-19 pandemic are already well documented. These attacks share several attributes, including:
- Malicious websites with young domain names including the terms “COVID” or “coronavirus”
- Emails containing malicious links, such as links to fake Office 365 login sites
- Attachments with well-known malware, such as Emotet, Agent Tesla, Trickbot, and Lokibot
Phishing attacks are among the most common attacks used by threat actors today. The good news is there are opportunities to detect and defend against this type of activity throughout all phases of the attack. Specifically, you can detect the email itself through:
- Collection and analysis of email tracking logs (e.g., Office 365 Message Tracking Logs) against lists of keywords likely to be included in the email (e.g., COVID-19, coronavirus, donate, pandemic, outbreak). AI Engine rules, WebUI Dashboards, and investigations can all be used for this purpose.
- PRE-BUILT CONTENT | WebUI Dashboard: External Observations: Quickly identify any interesting (operational) or suspicious (security) patterns from external traffic.
- PRE-BUILT CONTENT | WebUI Dashboard: COVID-19: Quickly identify any interesting (operational) or suspicious (security) patterns with “COVID” or “Coronavirus” in the Command, URL, or Subject fields.
- Integration, through the LogRhythm Threat Intelligence Service, of threat feeds to detect known phishing email addresses.
- Collection and processing of logs from other security products that provide detections of phishing emails.
You can employ similar approaches to detect drive-by compromise:
- Collect and analyze URLs and domain names via web proxy, firewall, and IDS logs against lists of keywords and young domains relevant to COVID-19.
- Integrate threat intelligence feeds to detect known malicious URLs.
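As an added example (not LogRhythm content and not AI Engine rule syntax), the following Python applies the keyword and young-domain checks described above for email tracking logs and for URL/domain logs to a few constructed message records. The log layout, the domain-creation dates, and the scoring weights are assumptions made for the example.

```python
import csv
from datetime import date
from urllib.parse import urlsplit

# Keyword list from the article, matched case-insensitively against the Subject field.
CRISIS_KEYWORDS = ("covid-19", "covid", "coronavirus", "donate", "pandemic", "outbreak")
FIELDS = ("timestamp", "sender", "recipient", "subject", "url")
AS_OF = date(2020, 3, 20)  # constructed "today" used to judge domain age

# Constructed message-tracking-style records: not real Office 365 output, not real domains.
SAMPLE_LOG = """\
2020-03-20T09:12:04Z,alerts@who-covid19-relief.example,alice@corp.example,"COVID-19 Donate Now to Help Victims",http://who-covid19-relief.example/login
2020-03-20T09:15:31Z,it-helpdesk@corp.example,bob@corp.example,"Q1 budget review",
2020-03-20T09:20:11Z,news@coronavirus-update.example,carol@corp.example,"Coronavirus outbreak map",http://coronavirus-update.example/map
2020-03-20T09:22:47Z,hr@corp.example,dave@corp.example,"Pandemic remote work policy",
"""

# Constructed stand-in for a WHOIS or threat-intel domain-age lookup; dates are invented.
DOMAIN_CREATED = {
    "who-covid19-relief.example": date(2020, 3, 18),
    "coronavirus-update.example": date(2020, 3, 15),
    "corp.example": date(2005, 6, 1),
}

def is_young(domain, today, max_age_days=30):
    # Domains with no known creation date are not flagged; keywords may still flag the message.
    created = DOMAIN_CREATED.get(domain)
    return created is not None and (today - created).days <= max_age_days

def triage(log_text, today):
    # Score each record on the three signals above; return non-zero scores, highest first.
    findings = []
    for row in csv.DictReader(log_text.splitlines(), fieldnames=FIELDS):
        reasons = []
        hits = [k for k in CRISIS_KEYWORDS if k in row["subject"].lower()]
        if hits:  # +1: crisis keyword in the Subject
            reasons.append((1, "subject keywords: " + ", ".join(hits)))
        domains = {row["sender"].rsplit("@", 1)[-1].lower()}  # sender domain ...
        if row["url"]:  # ... plus the host of any embedded link
            domains.add(urlsplit(row["url"]).hostname.lower())
        young = sorted(d for d in domains if is_young(d, today))
        if young:  # +2: sender or link domain registered within the last 30 days
            reasons.append((2, "young domain: " + ", ".join(young)))
        themed = sorted(d for d in domains if "covid" in d or "coronavirus" in d)
        if themed:  # +1: "COVID" or "coronavirus" inside the domain name itself
            reasons.append((1, "crisis-themed domain: " + ", ".join(themed)))
        score = sum(points for points, _ in reasons)
        if score:
            findings.append({"recipient": row["recipient"], "score": score, "reasons": [t for _, t in reasons]})
    return sorted(findings, key=lambda f: -f["score"])
```

The internal HR message scores low because its only signal is a keyword, while the two external messages combine a keyword with a young, crisis-themed domain; that separation is what keeps a keyword list usable during a period when legitimate mail is full of the same words.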
As always, the opportunities for detection increase as you onboard and process more logs to provide more vantage points into the SIEM for analysis. Opportunities for detection also increase the better you understand your environment.
Additionally, don’t forget that user awareness training can significantly reduce the impact of phishing and drive-by compromise in your environment. LogRhythm provides free security awareness posters for download at any time.
If a user takes the bait and clicks a malicious link or opens a dangerous attachment, you can detect the resulting activity through collection and analysis of antivirus, EDR, firewall, and IDS logs. Additionally, MITRE ATT&CK techniques related to malware activity can be monitored. Examples include:
- Multiple: Scripting
- Initial Access: Spearphishing Attachment
- Execution: PowerShell
- Multiple: Remote File Copy
- Initial Access: Drive-By Compromise
If an attacker succeeds in gaining valid credentials via an attachment or link, you can still detect unusual user behavior in your environment with LogRhythm’s User Entity and Behavior Analytics (UEBA) module via AI Engine rules. These rules include:
- Abnormal Origin Location
- Blacklist Location Auth
- Concurrent Auth Success from Multiple Locations
- Auth After Dispersed Failed Auths
- Failed External Auth From Multiple Hosts
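As an added illustration (not the UEBA module's own rule logic), this Python implements the idea behind Concurrent Auth Success from Multiple Locations over constructed authentication events: a successful login that follows another success for the same user from a different location within a 60-minute window raises an alert. The event format and the window length are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed correlation window; the article does not state the module's actual rule settings.
WINDOW = timedelta(minutes=60)

# Constructed successful-authentication events (not real logs): timestamp,user,location.
SAMPLE_AUTHS = """\
2020-03-23T08:01:10Z,alice,US-CO
2020-03-23T08:05:42Z,bob,US-TX
2020-03-23T08:31:05Z,alice,RU-MOW
2020-03-23T09:40:00Z,bob,US-TX
2020-03-23T12:02:13Z,alice,US-CO
2020-03-23T13:30:00Z,carol,GB-LND
2020-03-23T13:45:00Z,carol,GB-LND
"""

def parse_events(text):
    # Yields (timestamp, user, location) tuples from the constructed format above.
    for line in text.splitlines():
        ts, user, location = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, location

def concurrent_locations(text, window=WINDOW):
    # One alert per success that follows another success for the same user from a
    # different location inside the window: (user, earlier locations, new location, time).
    recent = defaultdict(deque)  # per-user successes still inside the window, oldest first
    alerts = []
    for ts, user, location in sorted(parse_events(text)):
        history = recent[user]
        while history and ts - history[0][0] > window:
            history.popleft()  # expire events older than the window
        earlier = sorted({loc for _, loc in history if loc != location})
        if earlier:
            alerts.append((user, earlier, location, ts.isoformat()))
        history.append((ts, location))
    return alerts

if __name__ == "__main__":
    for alert in concurrent_locations(SAMPLE_AUTHS):
        print("Concurrent Auth Success from Multiple Locations:", alert)
```

Repeated successes from the same location (bob, carol) and alice's return to her usual location hours later do not alert, so the rule stays quiet for ordinary remote-work sign-ins while still catching a second location inside the window.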
To learn more about the LogRhythm UEBA module, what rules are available, and how to install, check out the Module Guide.
Many companies, including LogRhythm, have mandated that employees work from home in the interest of social distancing. For most organizations, having all employees work remotely is an abrupt shift in normal network operations and may present challenges to business continuity. These challenges could manifest as:
- Resource constraints (e.g., the number of available VPN licenses, the number of simultaneous users that can be supported on the Citrix server farm, or the bandwidth of the internet connection to the data center)
- Functional constraints (e.g., the company has no VPN capabilities or Citrix Server farm)
When faced with these challenges, you may have to make concessions to security to keep the business running. For example, you may need to open the firewall to inbound RDP or allow users to use personal cloud services to collaborate on documents. If you are forced to make concessions, make sure you put measures or policies in place to mitigate risk. When changes are made to security policies under short timelines, there is a higher probability that mistakes will be made, and attackers will attempt to capitalize on those mistakes.
Many organizations also have some level of adoption of cloud services and may expand their reliance on those services during this period. If this is the case for your organization, you can help keep your data secured by monitoring access to and usage of those resources. Pay attention to any possible system misconfigurations, such as excess permissions.
You can detect unintended consequences or misuse of configuration changes through several log source types, including network monitoring logs, firewall logs, and vulnerability scanners. It will be easier to distinguish suspicious and unauthorized network traffic in known environments with clear acceptable use policies.
To assist in monitoring and understanding network traffic, LogRhythm’s Network Detection and Response (NDR) module can be used in conjunction with network monitoring log sources, such as LogRhythm NetMon. AI Engine Rules within the module include:
- Compromise: Blacklisted Application
- Exfiltration: Unauthorized Cloud Service
- Compromise: Inbound RDP/VNC
To learn more about the LogRhythm NDR module, what rules are available, and how to install, check out the Module Guide.
During a global crisis, compliance is likely not the first thought on your mind. While some frameworks have been given limited exemptions during the COVID-19 pandemic, such as the US Department of Health and Human Services order for HIPAA, many still require continuous compliance.
The great news is that LogRhythm has prebuilt solutions for both healthcare- and privacy-related compliance in our Health Care Compliance Automation and GDPR modules. These provide comprehensive security frameworks that help to protect patient and consumer data, as well as improve your organization’s security posture — at no additional cost.
These modules contain several important capabilities that will help you maintain compliance and enable you to take on threat actors looking to exploit the COVID-19 hype. These capabilities include:
- Quick and easy integration with your existing Electronic Health Records (EHR) software
- Prebuilt AI Engine rules and alerts mapped to HIPAA, HITECH, and GDPR controls
- Highly customizable and flexible visualizations via dashboards
- Fast and granular customization capabilities to fit your organization’s unique IT environment and policies
- Robust case management features and automation playbooks to enhance security workflow
- Predefined reports to easily document evidence of compliance
Whatever the global situation, bad actors will continue to pursue their nefarious goals. As your security partner, LogRhythm can help you keep your organization secure during this difficult period. With extensive prebuilt content and an integrated platform, LogRhythm has your back so you don’t need to scramble or find the budget for add-on solutions.
Stay tuned for additional posts from LogRhythm Labs with deep dives into the detection techniques discussed in this article.
Contributors to this blog include the following members of the LogRhythm Labs team: Dan Kaiser, Brian Coulson, Andrew Hollister, James Carder, and Kyle Dimmit.
Have you developed any detection content or work-from-home security strategies that you would like to share? If so, leave a comment below!