Treatment or prevention: how to deal with the pandemic of COVID-branded cyberattacks

The dangerous infection that has engulfed every country has stopped being the top news story. The threat is still real, however, and continues to hold people's attention, which cybercriminals exploit successfully. According to Trend Micro, the coronavirus remains by a wide margin the leading theme in malicious campaigns. In this post we describe the current situation and share our view on how to prevent the current cyber threats.

Some statistics


Map of distribution vectors used by COVID-19 branded campaigns. Source: Trend Micro

Spam mailings remain the cybercriminals' main tool, and despite warnings from government agencies people keep opening attachments and clicking links in fraudulent emails, helping the threat spread further. Fear of catching a dangerous infection means that, alongside the COVID-19 pandemic, we have to deal with a cyber pandemic: a whole family of "coronavirus" cyber threats.

The breakdown by country of users who clicked on malicious links follows the spread of the disease itself:

Distribution by country of users who opened a malicious link from an email, January-May 2020. Source: Trend Micro

Users from the United States lead by a wide margin; at the time of writing the country had almost 5 million confirmed COVID-19 cases. Russia, also among the countries with the most cases, is in the top five for users who clicked.

Pandemic of cyberattacks


The main themes used in fraudulent emails are delivery delays caused by the pandemic and coronavirus-related notifications purporting to come from the Ministry of Health or the World Health Organization.

The two most popular subject lines for scam emails. Source: Trend Micro

The "payload" of such emails is most often Emotet, which first appeared in 2014 as a banking trojan and has since become a loader that delivers other malware, including ransomware. The COVID rebranding has helped the malware operators increase the profitability of their campaigns.

The arsenal of COVID scammers also includes:

  • fake government sites that harvest bank card and personal data,
  • sites posing as trackers of the spread of COVID-19,
  • fake portals of the World Health Organization and the Centers for Disease Control,
  • mobile spyware and screen lockers disguised as apps that report on infections.
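As an added example (not code from the original post or from Trend Micro), the Python script below triages email of the kind described above. It parses a message and looks for the signals the post names: a pandemic-themed subject, a health-authority brand in the display name or subject while the mail is sent from a domain that is not that brand's, a macro-capable attachment, and links to hosts outside the sender's domain. The sample messages are constructed, and the lure patterns, brand allow-list and extension list are assumptions a real mail gateway would tune. A single weak signal (a lure subject alone) only earns a review rather than a block, so ordinary pandemic-era mail is not rejected.

```python
"""Triage of COVID-lure emails. Added example, not code from the post or from
Trend Micro. Sample messages are constructed; lure patterns, brand allow-list
and risky extensions are assumptions a real mail gateway would tune."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure themes the post names: delivery delays and health-authority notices.
LURE_PATTERNS = [
    re.compile(r"\b(covid|corona ?virus|pandemic)\b", re.I),
    re.compile(r"\b(delivery|shipment|parcel).{0,40}\b(delay|postpon|held)", re.I),
    re.compile(r"\bministry of health\b", re.I),
]
# Impersonated brands and the domains they really send from (assumed allow-list).
# "WHO" and "CDC" are matched case-sensitively so ordinary words are not flagged.
BRAND_DOMAINS = [
    ("WHO", re.compile(r"(?i:world health organi[sz]ation)|\bWHO\b"), ("who.int",)),
    ("CDC", re.compile(r"(?i:centers for disease control)|\bCDC\b"), ("cdc.gov",)),
]
# Attachment types that can carry macros or scripts (Emotet malspam used Office docs).
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".zip")
URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)


def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)


def impersonated_brand(msg):
    """Brand claimed in the display name or subject while the mail comes from
    a domain outside that brand's allow-list; None if nothing is spoofed."""
    name, _ = parseaddr(msg.get("From", ""))
    text = f"{name} {msg.get('Subject', '')}"
    domain = sender_domain(msg)
    for label, pattern, allowed in BRAND_DOMAINS:
        if pattern.search(text) and not in_domain(domain, allowed):
            return label
    return None


def risky_attachments(msg):
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]


def foreign_link_hosts(msg):
    """Hosts linked in the body that are not under the sender's own domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    sd = sender_domain(msg)
    return sorted({h.lower() for h in URL_RE.findall(text)
                   if not (sd and in_domain(h.lower(), (sd,)))})


def triage(raw):
    """Return the findings and a verdict for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if any(p.search(msg.get("Subject", "")) for p in LURE_PATTERNS):
        findings.append("lure_subject")
    brand = impersonated_brand(msg)
    if brand:
        findings.append("spoofed_brand:" + brand)
    findings += ["risky_attachment:" + n for n in risky_attachments(msg)]
    findings += ["foreign_link:" + h for h in foreign_link_hosts(msg)]
    # A lure subject on its own is too weak to block on; it needs corroboration.
    strong = [f for f in findings if f != "lure_subject"]
    verdict = "block" if strong and len(findings) >= 2 else "review" if findings else "deliver"
    return {"findings": findings, "verdict": verdict}


def build_sample(sender, subject, body, attachment=None):
    """Construct a sample message (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@corp.example", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLES = {
    "malspam": build_sample(
        "World Health Organization <alerts@who-covid-notice.example>",
        "COVID-19 safety notification",
        "Please open the attached guidance and confirm at http://who-covid-notice.example/login",
        attachment="COVID-19 guidance.doc"),
    "shop_notice": build_sample(
        "Example Shop <orders@shop.example>",
        "Your parcel is delayed due to coronavirus restrictions",
        "Track it at https://shop.example/track/123"),
    "real_who": build_sample(
        "WHO Newsletter <newsletter@who.int>",
        "Coronavirus situation report",
        "Read the report at https://www.who.int/emergencies"),
    "internal": build_sample(
        "Finance <finance@corp.example>", "Q3 budget review",
        "Figures attached.", attachment="budget.xlsx"),
}


def triage_all():
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, result)
```

The constructed malspam message collects three signals (lure subject, spoofed WHO sender, .doc attachment) and is blocked; the shop notice and the genuine WHO newsletter each trigger only the subject pattern and go to review; the internal budget mail passes. Layering cheap checks this way is what keeps the review queue small enough for an analyst to work.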

Attack Prevention


In a global sense, the strategy for dealing with a cyberpandemic is similar to the strategy used in the fight against conventional infections:

  • detection,
  • response,
  • prevention,
  • forecasting.

The problem can only be overcome by a set of measures designed for the long term, and prevention should form the basis of that set.

Just as social distancing, hand washing, disinfecting purchases and wearing masks are recommended against COVID-19, phishing monitoring systems together with intrusion prevention and access control tools help stop a cyberattack before it succeeds.

The problem with such tools is the large number of false positives, which take huge resources to process. The volume of alerts can be cut significantly by letting basic security mechanisms, conventional antivirus, application control and site reputation checks, block known attacks automatically, so that the security team can concentrate on new threats. This spreads the load evenly and keeps a balance between efficiency and security.

Tracing the source of an infection is essential during a pandemic. In the same way, identifying the point at which a cyberattack entered the network makes it possible to protect the company perimeter systematically. EDR (Endpoint Detection and Response) tools serve this purpose at the endpoint level: by recording everything that happens on workstations and servers, they make it possible to reconstruct the chronology of an attack and establish which node the attackers used to get in and from which they spread across the network.

The drawback of this approach is the large number of unconnected alerts arriving from different sources, endpoints, servers, network equipment, cloud infrastructure and email, each from its own tool. Investigating such disparate data is a time-consuming manual process during which something important can be missed.

XDR as a cyber vaccine


XDR technology, an evolution of EDR, is designed to solve the problem of alert volume. The "X" stands for any part of the infrastructure to which detection can be applied: email, network, servers, cloud services and databases. Unlike EDR, the collected telemetry is not simply forwarded to a SIEM but gathered in a single data store, where it is normalized and analysed using big data techniques.

Block diagram of interaction between XDR and other Trend Micro solutions

Compared with merely accumulating data, this makes it possible to detect more threats, because internal data is combined with a global threat intelligence database. The more data is collected, the faster threats are detected and the more accurate the alerts become.

The use of artificial intelligence keeps the number of alerts to a minimum: XDR raises a small number of high-priority alerts enriched with context, so SOC analysts can focus on notifications that need immediate action instead of manually establishing the relationships and context of every message. This also improves forecasts of future attacks, which directly affects how effectively a cyber pandemic can be fought.
Such prediction relies on collecting and correlating detection and activity data from Trend Micro sensors installed at different levels of the organization: endpoints, network devices, email and cloud infrastructure.
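The following Python script is an added example, not Trend Micro's or the post's own code, of the correlation described here and in the EDR section above. From a single endpoint rule hit (an Office application spawning a script interpreter) it walks the parent-process chain back to the entry point on that host, links the hash of the document the Office process opened to the email that delivered it, separates connections to outside addresses from connections to internal hosts, and attaches the processes that started on those internal hosts in the following window as evidence of lateral movement. Everything ends up in one enriched incident instead of a stream of unrelated alerts. All telemetry is constructed; the field names, the sixty-second window, the placeholder hashes and addresses are assumptions.

```python
"""Cross-sensor correlation of email, endpoint and network telemetry into one
enriched alert. Added example, not code from the post or from Trend Micro.
All events below are constructed; hashes and addresses are placeholders."""

# Constructed telemetry from three sensors. Internal destinations are given as
# host names (an assumption; real sensors log IPs the platform maps to assets).
EVENTS = [
    {"src": "email", "ts": 100, "host": "MAILGW", "user": "alice",
     "msg_id": "<m1@lure.example>", "subject": "COVID-19 safety notification",
     "attach_sha256": "aaa1"},
    {"src": "endpoint", "ts": 50, "host": "SRV-FILE", "pid": 500, "ppid": 4,
     "image": "services.exe", "user": "SYSTEM"},
    {"src": "endpoint", "ts": 110, "host": "WS-ALICE", "pid": 100, "ppid": 1,
     "image": "outlook.exe", "user": "alice"},
    {"src": "endpoint", "ts": 120, "host": "WS-ALICE", "pid": 200, "ppid": 100,
     "image": "winword.exe", "user": "alice", "file_sha256": "aaa1"},
    {"src": "endpoint", "ts": 125, "host": "WS-ALICE", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "user": "alice",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"src": "network", "ts": 130, "host": "WS-ALICE", "pid": 300,
     "dst": "203.0.113.45", "dport": 443},
    {"src": "network", "ts": 140, "host": "WS-ALICE", "pid": 300,
     "dst": "SRV-FILE", "dport": 445},
    {"src": "endpoint", "ts": 145, "host": "SRV-FILE", "pid": 510, "ppid": 500,
     "image": "psexesvc.exe", "user": "SYSTEM"},
    {"src": "endpoint", "ts": 146, "host": "SRV-FILE", "pid": 520, "ppid": 510,
     "image": "cmd.exe", "user": "alice"},
    # Unrelated activity that must stay out of the incident.
    {"src": "endpoint", "ts": 150, "host": "WS-BOB", "pid": 700, "ppid": 1,
     "image": "chrome.exe", "user": "bob"},
    {"src": "network", "ts": 151, "host": "WS-BOB", "pid": 700,
     "dst": "203.0.113.80", "dport": 443},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def index_processes(events):
    """Map (host, pid) to the process-start event, as an EDR keeps it."""
    return {(e["host"], e["pid"]): e for e in events if e["src"] == "endpoint"}


def ancestry(procs, host, pid):
    """Walk ppid links back to the root on one host: the attack chronology."""
    chain, key = [], (host, pid)
    while key in procs and procs[key] not in chain:
        chain.append(procs[key])
        key = (host, procs[key]["ppid"])
    return chain[::-1]


def descendants(procs, host, pid):
    """Children, grandchildren, ... of a process on the same host."""
    out, frontier = [], [pid]
    while frontier:
        parent = frontier.pop()
        for (h, cpid), e in procs.items():
            if h == host and e["ppid"] == parent:
                out.append(e)
                frontier.append(cpid)
    return out


def trigger_alerts(procs):
    """Single-host EDR rule: an Office application spawning a script host."""
    return [e for (host, _), e in procs.items()
            if e["image"] in SCRIPT_HOSTS
            and procs.get((host, e["ppid"]), {}).get("image") in OFFICE]


def correlate(events, alert, window=60):
    """Enrich one endpoint alert with delivery, C2 and lateral-movement context."""
    procs = index_processes(events)
    assets = {e["host"] for e in events if e["src"] == "endpoint"}
    chain = ancestry(procs, alert["host"], alert["pid"])
    tree = chain + descendants(procs, alert["host"], alert["pid"])
    # Link the document the Office process opened to the mail that carried it.
    hashes = {e["file_sha256"] for e in tree if e.get("file_sha256")}
    delivery = [e for e in events if e["src"] == "email" and e.get("attach_sha256") in hashes]
    # Connections made by any process in the tree; outside targets count as C2.
    pids = {(e["host"], e["pid"]) for e in tree}
    conns = [e for e in events if e["src"] == "network" and (e["host"], e["pid"]) in pids]
    c2 = [(c["dst"], c["dport"]) for c in conns if c["dst"] not in assets]
    # Processes that started on an internal target shortly after the connection.
    lateral = {}
    for c in conns:
        if c["dst"] in assets:
            lateral[c["dst"]] = [e["image"] for e in events if e["src"] == "endpoint"
                                 and e["host"] == c["dst"]
                                 and c["ts"] <= e["ts"] <= c["ts"] + window]
    return {
        "entry_host": alert["host"],
        "entry_user": chain[0]["user"],
        "chain": [e["image"] for e in chain],
        "delivery": [e["msg_id"] for e in delivery],
        "c2": c2,
        "lateral": lateral,
        "first_seen": min(e["ts"] for e in chain + delivery),
        "severity": "critical" if c2 or lateral else "high",
    }


def build_incidents(events=EVENTS):
    """One enriched incident per rule hit instead of a stream of raw alerts."""
    return [correlate(events, a) for a in trigger_alerts(index_processes(events))]


if __name__ == "__main__":
    for incident in build_incidents():
        print(incident)
```

On the constructed data this yields a single incident: entry via alice's mailbox (Outlook, then Word opening the attachment from message m1, then an encoded PowerShell command), a connection to an outside address over 443, and a connection to SRV-FILE over 445 followed by PsExec-style execution there. The unrelated browsing on WS-BOB never joins the incident because nothing ties it to the process tree by hash, pid or connection.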

A single platform makes the security team's work much easier: it receives a structured, priority-sorted list of alerts in a single console. Rapid identification of threats allows a quick response and minimizes their consequences.

Our recommendations


Centuries of experience in fighting epidemics show that prevention is not only more effective than treatment but also cheaper. Modern practice shows that computer epidemics are no exception: preventing infection of a company network is far cheaper than paying a ransom to extortionists and compensating contractors for unfulfilled obligations.

Most recently, Garmin reportedly paid extortionists $10 million to obtain a decryptor for its data. To this must be added losses from service unavailability and reputational damage. A simple comparison of that sum with the cost of a modern security solution leads to an unambiguous conclusion: protection against information security threats is not a place to economize. The consequences of a successful cyberattack will cost the company far more.

Source: habr.com
