Cyber Defense eMagazine August 2020 Edition

that 60-day threshold has begun to pass. Attackers who have been biding their time may soon be ready
to strike.
Today’s ransomware attackers don’t operate like they used to. While older ransomware attacks tended
to be “smash and grab” operations stealing and encrypting any data they could, human-operated
Ransomware 2.0 involves attackers spreading throughout the network to identify and target the most
valuable information for the highest financial gain. For the largest possible payout, attackers want to take
down a whole organization, not just one machine. Quickly spreading throughout the network to establish
a stronger foothold is the smartest move, and given that the average ransomware payout was over
$111,000 in Q1 2020 (up 33% from the previous quarter), the strategy appears to be working.
The COVID-19 Lockdown Has Created New Opportunities
The extensive remote work necessitated by COVID-19 has, unfortunately, exacerbated the issue. Most
businesses simply were not prepared for this volume of employees working from home, and the sudden
onset of the crisis meant that they had to make security compromises in the spirit of achieving service
availability. Naturally, both technology-based and human-based security issues have arisen as a result.
Network endpoints are more exposed, as employees access the network from the outside rather than
from within. Employees are pulling data out of the company that may never have been off-premises
before, creating opportunities for attackers to target less secure machines. Similarly, attackers are
entering the network via split-tunneling VPNs, which separates personal employee traffic from company
networks but doesn’t have all the traditional security controls needed to protect the remote systems from
attacks. Multi-factor authentication can help verify identity as employees work remotely, but some
organizations still do not mandate its use, and it is not always effective against targeted attacks.
Phishing and other scams have also noticeably increased during the lockdown, preying on employees
that are distracted or flustered by the sudden shift in routine, underscoring the fact that organizations
have less control over employees working remotely. The number of BYOD devices (laptops, routers,
access points, etc.) on the network has increased, and it is harder to verify that employees are doing
things like installing security updates promptly, creating potential vulnerabilities. Even employee turnover
can create openings for attackers, as it can be harder to verify the full removal of stored credentials and
other attack paths from all applications and systems. Given that misused or stolen credentials continue
to be at the center of countless breaches, this poses a significant threat.
There are tools designed to help protect against these new threats, but they require effective security
controls at multiple levels of the network. Traditional Endpoint Protection Platforms (EPPs) and Endpoint
Detection and Response (EDR) tools try to stop attacks at the initial compromise of the system. Still,
given the potential new vulnerabilities created by extensive remote work, attackers may have an easier
time bypassing those tools during the current crisis, highlighting the importance of overlapping security
controls and building in a safety net to boost detection capabilities.
Cyber Defense eMagazine – August 2020 Edition 31
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.