Securing Your Remote Workforce, Part 1: Detecting Phishing Scams Disguised as Updates

With more teams working remotely, the shift to meeting and collaborating online in a cloud-based work environment is a learning curve for most security organizations. We have heard many of our customers ask how Exabeam can help manage this change. We would like to offer our help in making this new environment as secure and productive as it should be by publishing a five-part blog series on common issues security teams face with remote workers: phishing detection, VPN monitoring, malware detection, remote access monitoring and device policies.  

Contending with a larger attack surface

A change of this scale has increased the attack surface for most organizations. It also creates new opportunities for malicious adversaries to leverage the high levels of public interest in COVID-19 for their attacks. In this post, we look at how cyber criminals are building out phishing and other targeted malware campaigns and successfully executing them for financial gain, notoriety or theft of IP for competitive advantage.

Why phishing?

According to the 2019 Verizon DBIR, phishing is still the number one attack method behind data breaches. Phishing is essentially a form of social engineering where threat actors are looking for ways to trick victims into clicking on something malicious in an email, whether it’s a link or an attachment. The more compelling and realistic the content, such as the urgency of information during the pandemic, the more likely the recipient is to click on it.

Phishing is just the entry point and can lead to malware infection, lateral movement across the network, account takeover, identify theft and more.

Hidden in a steady stream of communications and updates

Working in a new environment in the home with family can be distracting. And the deluge of communications from CEOs, HR, products and companies marketing to employees about remote work, schools, health best practices, and other updates creates a perfect storm for people to fall victim to well-crafted phishing emails disguised as official communication from corporate and other related organizations. Additionally, many working professionals have found themselves in a situation where their kids may be home from school, which leaves them splitting attention between work and home lives. This may further reduce the attention being paid to the email communications they are receiving and increase the likelihood of falling victim to attacks.

In a sophisticated phishing email, the urgency and call to action are very clear. Using an official-sounding mailing alias or one that resembles popular companies or products the victim may be familiar with, threat actors can hide in the flood of information and leverage these pandemic-themed emails as an entry point into a corporate network by way of compromising the recipient. 

Who might be doing this?

Threat actors take advantage of topical subjects for a variety of reasons.

• Nation-state actors seek to sow misinformation and panic by leveraging the urgency for getting the most up-to-date information about the pandemic 
• Threat actors seek direct access to people’s credentials, personal information, or payment card information
• Cyber criminals look to breach corporate networks through phishing targeted at employees while hidden in the increased stream of inbound traffic 

A recently discovered phishing campaign that researchers call “Vicious Panda” was deployed by an advanced persistent threat (APT) group that used the pandemic theme to infect victims with a previously unknown malware. Researchers detected two suspicious rich text format (RTF) files targeting the Mongolian public sector. A custom and unique remote-access trojan (RAT) was executed once a phishing email was opened. The malware then took screenshots of the device and cataloged a list of files and directories and downloaded files.

In another case, cyberattackers took advantage of people searching for information about COVID-19 and created a weaponized coronavirus map app that infects victims with a variant of the information-stealing AZORult malware. The online map shows an image of the world depicting viral outbreaks with red dots of various sizes, depending on the number of infections and cited Johns Hopkins University’s Center for Systems Science and Engineering as its supposed data source. 

The weaponized coronavirus map app citing fake data from Johns Hopkins University’s Center for Systems Science and Engineering. Image credit: SC Magazine

An unprecedented challenge for security teams

In the rapid shift to a fully-remote workforce, security leaders must find a balance between productivity and security.  Unfortunately, at the same time, manually configuring rules and defenses capable of handling these new conditions could take weeks. Luckily, some security approaches, such as those that make use of machine learning or behavior analytics can automatically adapt to the environmental changes of this new working structure, and thus alleviate the heavy lifting for security teams. The advantage of behavior analytics is its ability to baseline normal activity for the users and machines in an organization and then automatically find deviations from that normal activity that may indicate compromise. This allows an organization’s security controls to adapt to changes in the business environment and automatically adjust as these conditions become the new normal. 

By taking away the effort involved in rewriting or re-configuring rules and the time to stitch all activities together, security ops teams can focus on dealing with the threat as opposed to trying to do the heavy lifting of reconfiguring the technology to do so.

Behavioral analytics in action

Behavioral analytics can help identify a number of abnormal circumstances which may be indicative of a phishing attempt, including:

• Abnormal attachments
• Abnormal volume of incoming/outgoing emails for a user/group/organization
• First time/abnormal domains for a user/group/organization
• Abnormal volume of domains for a user/group/organization
• Abnormal email countries of origin for a user/group/organization 
• Abnormal emails to countries from a user/group/organization

For example, the screenshot below shows abnormal email activity from a domain kyenergy.com. 

Figure 1: An abnormal email anomaly shown in a machine-built incident timeline.

Step 1: Re-educate employees on phishing

Since behavioral analytics deals with monitoring user behavior, a good first step is to re-train employees to try to first mitigate risky behavior. With employees getting numerous updates on the latest health and new travel policies related to COVID-19, it is also important to train them on the security implications of this new situation. This is essential in keeping both individuals and companies protected. 

Taking advantage of the numerous communications, recently the number of phishing emails ostensibly from companies’ trusted business partners and public organizations is increasing. Enterprises will need to consider incorporating advice on identifying these scams into these updates.

These prevention tips may seem like common sense for your employees, but reframing them in how they relate to the pandemic can make them top of mind, thus more effective:

• Ignore unprompted emails that request an urgent response
• Check sender email addresses and domains
• Pay close attention to spelling/grammatical errors
• Hover over links to check their destination before clicking
• Don’t open attachments unless they are expected
• Use additional caution for unrecognized senders

If an email looks even mildly suspicious, employees shouldn’t interact with it. It’s essential to validate the message and content directly with the company/website the email purports to be from, instead of interacting with the email sender. 

Step 2: Improve your email security posture

To leverage behavioral analytics to detect phishing scams, it is important to collect email, authentication, cloud, proxy, VPN and endpoint logs. Exabeam partners with a variety of technologies to aggregate logs. Once logs are ingested, Exabeam Advanced Analytics models the data sets for each user, peer groups and the organization. Modeling data from different perspectives gives your security operations center a multi-dimensional perspective on identifying abnormalities within the environment.

Once a phishing email is detected, Exabeam allows security analysts to quickly respond by leveraging the organization’s security ecosystem. For example, Exabeam Incident Responder can automate several tasks as part of a response to a phishing email:

1. Collect the malicious file from the victim system
   1. Sandbox the file
      1. If malicious, add to a block list
   2. Check the file against threat intelligence
      1. If malicious, add to a blocklist
   3. Hunt for the file
   4. Isolate the system
   5. Disable the user account
2. Identify other users that received the same email
   1. Remove the email from the recipient’s mailbox

Through these series of steps security analysts who are dependent on other teams within the organization to respond can use their organization’s security ecosystem to implement a faster response while mitigating the risk of additional compromised systems and users.

In addition to offering your employees phishing prevention advice, consider deploying a defense in depth strategy, which could include: 

• Security awareness training, including how to spot phishing emails as mentioned above
• Implementing relevant security products such as  email security and threat intelligence solutions, which may help identify threat campaigns targeting your organization
• Implementing behavioral analysis to help identify users who are behaving anomalously and may have fallen victim to the phishing campaign. 
• In the near term, consider creating rules that look for any email with the word “corona” in the domain to identify potential phishing attacks and elevate risk points for that specific situation.

Want to learn more?

This is part one of a five-part series on common issues security teams face with remote workers. For more information on VPN monitoring, malware detection, remote access monitoring and device policies, please read the articles listed below.   

Securing Your Remote Workforce, Part 2: Detecting Unusual VPN Access and Best Practices to Secure VPN Services

Securing Your Remote Workforce, Part 3: How to Detect Malware in the Guise of Productivity Tools

Securing Your Remote Workforce, Part 4: How to Detect Fraudulent Logins and Policy Violations Using UEBA

Securing Your Remote Workforce, Part 5: Helping Your End Users Stay Protected

And as a bonus, watch our YouTube video featuring a demo on investigating a phishing incident.