The Very Real Impact of COVID-19 Cyber Threats
A 20% Increase in Blocked Network Connections
That’s what we have seen so far. Between February and March of this year, Threater customers increased blocked network connections per day from 185 million to 221 million. This represents an alarming 20% increase in one month. If this trend continues, the total number of network connections blocked by the Threater Threat Intelligence Gateway will increase by over 1.5 billion or 30% from February levels. Over 50% of these network connections are being blocked as a result of threat intelligence blacklists and over 40% of connections are being blocked based on GEO-IP policies.
How Organizations Are Using Threat Intelligence & Tighter Policy Controls to Improve Defenses & Reduce Risk
The increased volume of blocked network connections is being driven by three specific factors:
- Increased network traffic as organizations scramble to open their networks to a significant, unexpected increase in remote users;
- Greater threat volumes with opportunistic threat actors taking advantage of the Coronavirus pandemic
- Tighter policy controls as customers look to improve network defenses and reduce risks amidst an expanded attack surface.
In this blog, we will take a deeper look at how the Coronavirus or also commonly referred to as COVID-19 pandemic is impacting organizations’ network security. Specifically:
- The pressure that the Coronavirus is putting on organizations’ networks and their network security.
- Measures that organizations can take to alleviate increased pressure to the network and its resources.
- How customers are using the Threater Threat Intelligence Protection Platform, including our Threat Intelligence Gateway to improve network defense and reduce risk.
How Coronavirus is Impacting Organizations’ Network Security
The Coronavirus pandemic or also referred to as COVID-19 is creating significant disruptions to business and society in general. Social distancing has become a verb exponentially faster than “Googling.” “Zoom” and “Zooming” have become common, everyday vernacular.
The COVID-19 pandemic, and its related need to quarantine has resulted in a rapid and seismic shift to “working from home” or “teleworking.” The result is that many organizations are scrambling to enable remote IT and network access to a significantly larger number of users.
Unfortunately, threat actors are taking advantage of this global crisis as an opportune time to target organizations with a concerted and documented increase in cyber threats associated with Coronavirus and COVID-19.
The combination of a significant expansion in remote access, and a remarkable increase in threat activity, is creating three specific pressure points on organizations’ network security:
Pressure Point #1: Increased Coronavirus and COVID-19-related Cyber Threats
The global Coronavirus pandemic has created an unprecedented opportunity for cyber criminals. A fearful public and a momentous technology shift offer an easy target and potentially rich reward for phishing, ransomware, and data theft.
Threat intelligence provider Recorded Future recently released a report showing the various ways threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. Click here to read the full report:
”The emergence of coronavirus disease 2019 (COVID-19), the novel coronavirus that originated in late December 2019, has brought with it chaos in many different economic sectors — finance, manufacturing, and healthcare, to name a few. However, it has also originated a new cybersecurity threat, igniting a bevy of COVID-19-themed phishing lures and newly registered COVID-19-related domains. The technical threat surrounding COVID-19 primarily appears to be around phishing, with actors promising that attachments contain information about COVID-19.”
This report is one of many ‘flares” being sent up by various organizations in recent weeks. These include:
- The US Dept of Homeland Security’s CISA issued an alert related to potential security scams, including phishing, stemming from the COVID-19 pandemic.
- The WHO put out an alert warning the public of imposters impersonating WHO members in phishing attempts.
- Check Point announced that over 4,000 COVID-19 related domains have been registered since January with 3% found to be malicious and 5% suspicious.
- Proofpoint released a Threat Insight noting that 200,000 COVID-19 related threats have been noted, with figures increasingly on the rise.
Solution: Use Threat Intelligence to Keep Abreast of Coronavirus and COVID-19 Related-Threats
If you aren’t using threat intelligence as a critical element of your security efforts now is a good time to start. Threat intelligence has become an increasingly critical cyber security component as organizations struggle to keep up with a dynamic threat environment. A few months ago the “threat du jour” was cyber-attacks from Iran. Today the focus is on threats related to Coronavirus and COVID-19. Six months from now there will be a new focus. Arming yourself with threat intelligence from multiple sources, including commercial, open source, government, and industry sources can help you bolster cyber defenses and reduce the risk associated with dynamic threats.
It’s important to note that incorporating threat intelligence into your security efforts doesn’t have to be expensive or burdensome for your staff. There are many sources of valuable threat intelligence that can be accessed for free or for a minimal cost.
How Threater Can Help
At Threater, we aggregate threat intelligence from multiple sources, including commercial, open source, industry, and government sources. We offer “out of the box” threat intelligence from leading commercial providers like DomainTools, Proofpoint, and Webroot, open source threat intelligence feeds (OSINT), and government providers like DHS. For industry threat intelligence, we are also partnering with various ISAC/ISAOs, including FS-ISAC, Global Resilience Federation, MS-ISAC, and others.
For customers already using threat intelligence, we integrate with leading threat intelligence & platform providers, including Anomali, IntSights, Recorded Future, ThreatConnect, & ThreatQuotient. Customers using these solutions can easily integrate threat intelligence from these providers into the Threater Threat Protection Platform enabling you to take action with this threat intelligence to protect your network.
Pressure Point #2: Network & Network Security Infrastructure
In order to address the significant increase in remote access requirements, organizations are focused on ensuring their networks can handle the load. The primary focus here is on increasing network capacity and remote access capacity by increasing firewall/VPN capacity (throughput and licensed users). However, while organizations rush to expand network infrastructure and remote access capabilities, it’s important to also make sure your network security defenses are also equipped to handle increased traffic volumes and network threats.
Solution: Ensure Your Network Security Controls Are Equipped to Handle Increased Traffic & Threat Volumes
An easy first step is to make sure that your existing network security controls are capable of handling the increased load. Make sure your network security controls like your next-generation firewalls, intrusion detection & prevention systems (IDS/IPS), and for Threater customers, your Threat Intelligence Gateways can meet the increased network demands. If you are expanding network access points, it’s also important to make sure you are securing these network access points, in tandem.
As network traffic loads increase, so will the potential for network security threats also increase. This is a good time to revisit your defense-in-depth strategy and consider additional layers of protection.
How Threater Can Help
Threater customers are deploying our Threat Intelligence Protection Platform as an additional layer of network protection complementing traditional network security controls including next generation firewalls and IDS/IPS solutions. As previously mentioned, our Threat Intelligence Gateways are blocking billions of malicious and unwanted network connections for our customers.
Importantly, many of our customers are seeing an additional benefit of improved firewall efficiency. For example, a Threater customer saw the CPU utilization of its firewall reduce to approximately 20% from 70% after deploying the Threater Threat Intelligence Gateway in front of their firewall.
As organizations scramble to expand their network and network security capabilities to deal with increased users, traffic, and associated threat volumes, the Threater Threat Intelligence Protection Platform can deliver a powerful “one-two punch” by improving your network defenses while enabling you to get more out of your next generation firewalls.
Pressure Point #3: Expanded Network Security Attack Surface
An increase in attackers looking to take advantage of the current situation. More remote users on your network coming from places you don’t control. These equate to one thing, a significantly expanded attack surface. Enough said.
Solution: Lock Down Network Security Protection & Become More Vigilant in Monitoring Efforts
Here are two critical steps organizations can take to alleviate the pressure of an expanded attack surface:
- Revisit your current network security policies. We here at Threater are seeing many of our customers become much more restrictive with respect to their network blocking policies, both from a threat intelligence enforcement perspective, and from a GEO-IP perspective. In fact, from March-to-date, we’ve seen a 10% increase in the percentage of total network connection being blocked by our customers and we’re having increased one-on-one interactions with our customers as they tighten up their policies.
- Become more vigilant in monitoring your network, particularly now that the network makeup is going to change dramatically. Threater recommends that our customers increase the frequency of monitoring their Threat Intelligence Gateway logs, security logs in general, and SIEM monitoring efforts as a best practice.
How Threater Helps
The Threater Threat Intelligence Gateway logging functionality provides rich visibility into both blocked and allowed, inbound and outbound, network connections. The newest version of our software (TIG OS 2.0) offers a powerful new feature called “Threat Source Attribution,” which enables you to associate IP and domain indicators with specific threat intelligence sources (feeds). This practical feature not only provides improved visibility into network connections, but also enables users to measure the effectiveness and ROI of threat intelligence sources. Importantly, logs in the Threater Threat Intelligence Gateway can be easily exported via syslog to SIEMs.
Summary
Organizations are under tremendous pressure to expand network access as “work-from-home” becomes an organization-wide requirement. This represents a significant expansion in an organizations’ attack surface, and a perfect opportunity for threat actors to take advantage of the situation, as they launch Coronavirus and COVID-19 related attacks.
There is good news! There are ways that security organizations can alleviate these aforementioned challenges and pressures. These include; leveraging threat intelligence to keep up with Coronavirus and COVID-19 threats, ensuring your network security (both from a capacity and capabilities perspective) adapts with your newly evolving network, and becoming more vigilant with your network security protection policies and your monitoring efforts.
At Threater, we are seeing these changing dynamics affect our customers, first-hand. The volume of blocked network connections has grown significantly since the pandemic began to take hold on a global stage. This is being driven by both an increased volume of traffic and threats, as well as more stringent network enforcement policies initiated by our customers.
We also take pride in knowing that our Threat Intelligence Protection Platform is making a difference during these difficult (and dangerous) times.
If you are a current Threater customer would like help with a policy review, or you need to expand your network protection capabilities, please don’t hesitate to reach out.
If you are not a Threatercustomer, and are looking for an easy, automated, way to use actionable threat intelligence to improve network defenses and get more out of your firewalls, we’re happy to chat.
For more information on the Threater Threat Intelligence Protection Platform please visit us at Threater.com
If you would like to protect your network by making threat intelligence actionable, contact our team today at sales@threater.com.