(Credit: Unsplash)
This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.
Author: Leonardas Marozas, Security Research Lab Manager, CUJO AI
- The pandemic has created a new set of opportunities for cybercriminals.
- From remote working to phishing scams, we need to rethink our approach to cybersecurity across the board.
- Here are three areas on which we should be focusing.
Fear and a sense of urgency are some of the most powerful vectors of human exploitation when it comes to cybersecurity, and this was clearly visible in the first days of the COVID-19 pandemic.
It all began in March with scams and phishing efforts related to the COVID-19 emergency, such as impersonations of authority figures like the WHO and other global and governmental institutions. The start of the pandemic also clearly showed how unpreparedness around protecting home users and remote workers can strike back.
The pandemic has definitely changed the world, and that includes cybersecurity. While reflecting on the past three months in a post-pandemic world, three specific highlights emerge.
Have you read?
Challenges in a post-pandemic world
During lockdown, people at home started spending far more time online than before. Our data shows that the volume increased by 20% for the average household in March through May. This would suggest a resulting increase of entities generating internet traffic, but surprisingly there was a decline of almost 50% in the number of new devices appearing in end-users’ homes, since users stopped buying unnecessary equipment. Public behaviour and quarantine recommendations for isolation together with halted or slowed postal operations added to the overall decline (See figure below).
Corporations and small and medium-sized enterprises (SME) had to quickly adapt their business processes to fit the new ‘all-remote’ reality. Businesses had usually prioritized uninterrupted service delivery over the security of remote workspaces and devices, which meant people began working from home protected only by consumer-oriented solutions (or not protected at all).
Accessing corporate resources remotely through virtual private networks (VPN) has traditionally led to stricter remote access policies; however, the shift to remote work has resulted in more permissive VPN access policies, which is creating security risks that indirectly compromise corporate networks.
And although new device growth has slowed, the most recent data suggests it has returned almost to its previous volume. The growing number of internet of things (IoT) devices in home networks and the lack of security can create opportunities for access by outsiders. When we add together diverse home environments with loose security policies, shared wifi passwords, IoT and quickly-built infrastructure to ensure uninterrupted business continuity, we get to the point where a single vulnerability or misstep in configuration can open the door to malicious actors.
New waves of more complex malware that use devices or users as proxies in order to reach more valuable assets in corporate networks are some of the biggest potential threats in the post-pandemic world. The situation is also very convenient for advanced persistent threats (APT) or industrial espionage actors planning targeted attacks against selected victims. And while we are listing future problems, ensuring home networks are secure while also remaining segmented and transparent for regular family users is a challenge of the highest importance.
AI: Closing the gap between real time and reactive threat intelligence
While numerous protection schemes have proved to be useful and effective in certain situations against known attack vectors and threats, one of the biggest challenges is to cope with the unknowns. AI is one of the vehicles that can be used to close the gap between knowledge-based threat detection and protection and unknown or rapidly changing threats. While collected intelligence and knowledge are usually the indisputable source of truth for protection, they are currently mostly successful in stating the known: a certain threat has happened (now or before) and here is how to protect against it.
One example of how AI is used in rapidly changing pandemic and post-pandemic landscape is in recognition of uncategorized or unlabelled websites with illicit intentions that are related to the usual triggers, such as fear. According to MarkMonitor, there are more than 100,000 COVID-19-registered domains. Our AI analysis of uncategorized websites that were accessed by people over a period of 50 days shows that for between 20% – 35% of websites contain content which, while not directly dangerous, is at least misleading or shows signs of possible illicit intent.
While threat intelligence is a source of confirmation for threat actor maliciousness, AI usage will foresee potential maliciousness in actors before they are known or registered in knowledge bases. And while there are certain well-defined policies in place (the principle of least privilege, for example), there may be few to no problems here. However, in a world with mixed rights and rules regarding remote work – or at least in ensuring that risks do exist (and not only in disaster recovery drills) – AI has great capabilities to overcome and help solve numerous challenges.
What is the World Economic Forum doing on cybersecurity
The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.
Platform activities focus on three main challenges:
Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.
The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.
For more information, please contact us.
Post-pandemic tendencies among emerging threats
Over the previous months, the cybersecurity community has observed numerous attack vectors that use a COVID-19 theme either as bait or as a way to conceal malicious activity from easy identification and detection. Therefore, as COVID-19 infections now seem to be decreasing in some countries, changes in the most common attack patterns are inevitable. However, it seems that these changes are not inspired by attempts to quickly and easily exploit the pandemic theme (as in the beginning, when threat actors swiftly created scam campaigns), but by using sophisticated and well-developed campaigns at carefully chosen times.
The cybersecurity community has lately become aware of numerous attempts to mimic informational applications, and that malicious activities can occur underneath a good-looking infection map or fictitious ‘infection radar’. In other words, such apps act as remote access trojans (RAT) in users’ devices. When a RAT is installed on a device, the threat actor is not only able to capture and manipulate sensitive data but can also perform a whole range of spying activities. Even though such campaigns have been observed worldwide, it seems that attempts to launch these kinds of attacks increase only in specific regions and only when that region experiences another surge of COVID-19 infections. In other words, threat campaigns directly correlate to the number of infections and public perception of the pandemic – when people are more anxious, threat actors increase their exploitation of the COVID-19 theme.
It is expected that as long as COVID-19 is eradicated in at least one region (as an epidemic) and until the general public becomes less anxious about the threat it poses, we will likely still see a variety of even more sophisticated cyber-threats using COVID-19 as a cover for performing malicious activities.
It’s so interesting that the shift to remote work has resulted in more permissive VPN access policies, but that makes sense. I would have guessed it was the other way around. I had noticed on Google Trends that there has been a surge this year in demand for VPN judging by the number of organic queries. Daniel Agnew wrote a post for Namecheap that observed a spike earlier this year when many places were locking down, and then another bumb in the last two months.