How COVID-19 transformed the threat landscape in the region, and what organizations should do to mitigate the risks.
In its annual mid-year roundup report, Trend Micro found COVID-19 related threats as the single largest type of threats in the first half of 2020.
Cybercriminals shifted their focus from January through June 2020 to take advantage of global interest in the pandemic. The risk to businesses was compounded by security gaps created by a completely remote workforce.
Within just six months, Trend Micro blocked 8.8 million COVID-19 related threats, nearly 92% of which were spam delivered via emails.
CybersecAsia discussed the findings with Nilesh Jain, Vice President, Southeast Asia and India, Trend Micro, for insights into the threat landscape for South-east Asia and India.
How has the COVID-19 pandemic changed the threat landscape? What are some findings from the Trend Micro mid-year roundup report most pertinent to the S E Asia and India region?
Nilesh Jain (NJ): We’ve seen how cybercriminals zero in on public and private sector organizations whose staff are working from home. The rationale is that remote workers are less likely to be able to defend themselves from ransomware and social engineering attacks, while they also provide a useful stepping-stone into high-value corporate networks.
In just six months (January – June 2020), we blocked 8.8 million COVID-19 related threats globally, nearly 92% of which were spam delivered via emails. Cybercriminals shifted their focus from January through June to take advantage of global interest in the pandemic.
In Singapore, a total of 172,611,589 email threats were detected during the January to June window. Compared to the first half of 2019, malware detections in Singapore increased by 70% in the first six months of 2020. This really puts things into perspective, doesn’t it?
Moreover, cybercriminals are increasingly looking to steal sensitive data before they encrypt it, even as they’re more likely to fetch a higher ransom for their efforts than they do from a typical consumer, especially if the remote employee’s data is covered by cyber-insurance.
Why is cloud security especially important during these times?
NJ: Phishing at its heart is a confidence trick. Like I mentioned earlier, attackers use a technique known as social engineering to manipulate the victim into doing their bidding. Usually they achieve this by spoofing their email so that it appears as if sent by a legitimate entity, like a bank, an insurance provider, a popular technology company, or even a friend. It could look as simple as your bank contacting you saying you need to urgently update your details to avoid extra charges.
The fact is, email gateway or built-in security for cloud email services is no longer enough to protect organizations from email-based threats. Detections from Trend Micro Cloud App Security reveal how a massive number of threats still manage to slip past these filters and why a multilayered approach is necessary.
Here’s a real-life scenario. For one organization with approximately 80,000 Office 365 users, Trend Micro Cloud App Security detected over 550,000 high-risk email threats after they passed through Microsoft’s native email security filter. That means an average of nearly seven high-risk malicious emails per individual. Majority of the threats were phishing URLs, which is not unexpected given the size of the company.
Organizations should consider multilayered solutions with machine learning to analyze and detect any suspicious content in the message body and attachments of an email, or in PDF documents.
Stealthy threats evade detection by hiding between security silos. What are some of these security silos, and what are their repercussions on organizations and their security teams?
NJ: Traditionally, organizations have supported a best-of-breed approach when it comes to cybersecurity, where they utilize multiple vendors for different areas of security. A large enterprise could use 50 – 100 security applications on average.
This array of solutions may ironically lead to gaps in visibility. While many security products provide visibility into alerts and activity, each product only collects/provides data as relevant and useful for its function. Integration between security products can enable data exchange and consolidation, but the value is often limited by the type and depth of the data collected and the level of correlated analysis possible. This means there are gaps in what you can see and do. Stealthy threats can evade detection by hiding between these security silos.
Using multiple security vendors also means that IT and security teams are often overwhelmed with alerts getting triggered by different solutions. According to a 2020 study by Dimensional Research, large enterprises more than 10,000 employees deal with more than 1,000 security alerts per day. This deluge of alerts often spells low job satisfaction and talent shortage in this field.
With little means to correlate and prioritize the sheer volume of alerts, even the most skilled analysts struggle to quickly or effectively weed through the noise to find the critical events. Without a contextual view of threats lurking in the environment, threats go undetected which consequently raises the risk and consequence of an attack.
Thankfully, these security silos can be broken down by using a solution that collects and correlates detections and deep activity data across multiple security layers such as email, endpoint, server, cloud workloads, and network. By correlating threats across the organization, security teams will receive fewer, more meaningful, and richer alerts prioritized by severity for them to action on.
Ransomware has evolved over the past few years to be more personal and less opportunistic. Why is this so?
NJ: The older modus operandi of ransomware operators usually involved sending spam mail to the masses in the hopes of luring random individuals to click on links or download attachments. Because it’s a spray-and-pray technique, the cybercriminals aren’t usually aware of the identities of their victims.
It’s different today – the modus operandi has given way to targeted campaigns that use vulnerabilities, weak applications, or stolen credentials to break into a company’s system. Following which, malicious actors deploy ransomware to hold the valuable files/ data ransom. It’s more personal in nature because the threat actors pinpoint their exact targets and take time to research them before striking.
We’re also seeing the endpoint being targeted less with ransomware actors. Rather, attacks are laterally moving within an organization to find critical systems that will allow them to increase their chances of the organization paying the ransom.
The reason is simple: money. Instead of opting for small amounts spread over a large number of victims, a targeted approach is more lucrative. Current malicious actors are demanding heftier ransoms from targets they know are more likely to pay, such as healthcare companies and local governments.
What are some key best practices for organizations in the region to mitigate against the above threats?
NJ: Remote workers can take the following straightforward steps to mitigate the risks posed by ransomware:
- Be cautious of phishing emails. Take advantage of company training and awareness courses such as simulation exercises if offered.
- Keep your home router firmware, PCs, Macs, mobile devices, software, browsers and operating systems up to date on the latest versions – including remote access tools and VPNs (your IT department may do some of this remotely).
- Ensure your home network, PCs, and mobile devices are protected with up-to-date network and endpoint AV from a reputable vendor. (The solutions should include anti-intrusion, anti-web threat, anti-spam, anti-phishing, and of course, anti-ransomware features.)
- Ensure remote access tools and user accounts are protected with multi-factor authentication if used and disable remote access to your home router.
- Disable Microsoft macros – a small program that is often written to automate repetitive tasks in Microsoft Office applications – where possible. It is a typical attack vector in phishing campaigns where an attacker sends emails and attempts to convince the user to open the attached file and run the malicious macro
Always remember: If a message, product, service, or proposition sounds too good (or bad or urgent) to be true, it most probably is.