How COVID-19 Has Impacted Cyber Incident Response

Ruth Lanigan

The COVID-19 pandemic has greatly affected cybersecurity, network defence and incident response operations. Security Incident Response teams have had to adjust as malicious threat actors have attempted to use the pandemic to their advantage. Threats to end-users have also changed in this new telework-focused environment.

Many organisations have become more reliant on potentially insecure networks, uncontrolled devices and security controls such as virtual private networks, multi-factor authentication and endpoint security programmes. Those controls often had to be disabled when they interfered with ordinary business, became overloaded or failed to work as intended.

Before COVID-19, security teams had an established baseline for normal and abnormal network activity. They used this baseline to create monitoring rules, set up detection alerts, craft specific dashboards and investigate anomalies that fall outside the baseline. With the near-full migration to remote activity, the number of false-positive alerts has skyrocketed and many more events look like anomalies. The baseline for normal network activity has completely changed for those working in IR. Users are now working remotely, using different services, doing more personal browsing on their work computers and generating a different volume of network traffic and events. IR teams have had to adapt.
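The baseline shift described above can be made concrete with a small detection rule. The following is an added example, not code from the original article: it builds a per-user baseline of daily event counts (think VPN session starts or proxy alerts) from a constructed "in-office" week, applies the same rule to a constructed "remote-work" week, and then re-baselines on the new period. The users, dates and counts are all constructed for illustration.

```python
"""Baseline drift: why an office-era anomaly rule floods the queue once
everyone is remote, and how re-baselining restores a usable alert rate.
Added example; all users, dates and counts below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily event counts per user: {day: {user: count}}.
OFFICE_PERIOD = {
    "2020-02-03": {"alice": 3, "bob": 2, "carol": 4},
    "2020-02-04": {"alice": 2, "bob": 3, "carol": 3},
    "2020-02-05": {"alice": 4, "bob": 2, "carol": 4},
    "2020-02-06": {"alice": 3, "bob": 3, "carol": 3},
    "2020-02-07": {"alice": 3, "bob": 2, "carol": 5},
}
REMOTE_PERIOD = {
    "2020-04-06": {"alice": 18, "bob": 15, "carol": 21},
    "2020-04-07": {"alice": 20, "bob": 17, "carol": 19},
    "2020-04-08": {"alice": 17, "bob": 16, "carol": 22},
    "2020-04-09": {"alice": 19, "bob": 18, "carol": 20},
    "2020-04-10": {"alice": 21, "bob": 16, "carol": 120},  # constructed genuine spike
}


def build_baseline(period):
    """Per-user (mean, population std dev) of daily counts over a period."""
    per_user = defaultdict(list)
    for day_counts in period.values():
        for user, n in day_counts.items():
            per_user[user].append(n)
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}


def flag_anomalies(period, baseline, z=3.0, min_std=1.0):
    """Return (day, user, count) for every day a user exceeds mean + z * std.

    min_std stops a very quiet user (std near zero) from alerting on +1 event.
    Users absent from the baseline are treated as having a zero baseline.
    """
    flagged = []
    for day, day_counts in sorted(period.items()):
        for user, n in day_counts.items():
            mu, sigma = baseline.get(user, (0.0, 0.0))
            if n > mu + z * max(sigma, min_std):
                flagged.append((day, user, n))
    return flagged


def rebaseline_demo():
    """Apply the stale office baseline to the remote week, then refresh it.

    Returns (stale_flags, fresh_flags): the stale rule fires on every
    user every day; the refreshed rule only fires on the constructed spike.
    """
    stale = flag_anomalies(REMOTE_PERIOD, build_baseline(OFFICE_PERIOD))
    days = sorted(REMOTE_PERIOD)
    training = {d: REMOTE_PERIOD[d] for d in days[:3]}    # first three remote days
    evaluation = {d: REMOTE_PERIOD[d] for d in days[3:]}  # the rest
    fresh = flag_anomalies(evaluation, build_baseline(training))
    return stale, fresh


if __name__ == "__main__":
    stale, fresh = rebaseline_demo()
    print(f"office baseline over remote week: {len(stale)} alerts (all false positives)")
    print(f"refreshed baseline over remaining days: {fresh}")
```

The point is not the statistics but the operational consequence: a rule tuned to the old baseline is correct and still useless, because the population it was tuned on no longer exists. Re-baselining on a short window of the new normal, then reviewing what still fires, is the cheap first step before touching thresholds by hand.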

The Human Element

Weaknesses in cyber defences continue to be found at points of human involvement. Phishing accounts for 90% of data breaches, with sophisticated scams that can appear very genuine to the untrained eye. There has been an explosion in the number of COVID-19 related lures being used by cyber criminals to seek to inject malware and gain access to infrastructure. We have all seen fake appeals for donations to help those affected by the pandemic and websites selling cures, vaccines or protective equipment that do not exist.

We have seen a number of data breaches stemming from human error. These include breaches caused by infiltration of employees’ VPNs whilst working from home and due to skeleton mail-room staff being tasked with compiling and issuing correspondence that is normally managed by specialist administrative teams.

Since the COVID-19 pandemic began, there has been an increase in the use of social media sites and an increased number of social media-related security events arising from phishing and social engineering attempts. There has also been increased use of video teleconferencing services such as Zoom, together with vulnerabilities in and information leaks from those services. In fact, we have seen a 2000% increase in malicious files with ‘zoom’ in the name since the pandemic began.

Employees simply do not feel the same level of vigilance about safe online practices while working remotely. Being physically in an office may encourage a more secure and cautious mindset, and it is more important than ever to have your employees trained and made aware of current threats. Employees can serve as an effective last line of defence for organisations, but without effective training staff will not know how to spot and stop a scam. Something as simple as employee training can protect your organisation from a cyberattack.

Reacting To An Incident

Organisations may not effectively detect cyber attacks when security teams are short-staffed or repurposed to support other activities, leaving security alerts uninvestigated. Similarly, organisations may not be able to respond to and recover from cyber attacks effectively when key employees from security, IT suppliers and the wider business are unavailable to support decision making and response efforts. This is likely to be especially true for organisations with lower maturity that rely on key individuals rather than on fully documented and widely rehearsed processes. The biggest problem is ineffective incident management plans. By ineffective we mean improper planning, unexercised response scenarios and untested emergency escalation procedures.

Identifying and responding to an incident while key security personnel are themselves dispersed and working remotely poses unique challenges, particularly in the current environment. In the worst cases, IT professionals responsible for identifying and containing breaches may themselves end up locked out of the remote systems they are charged with defending. Without physical access to affected servers and backup systems, protocols for responding to infiltrations may no longer be valid, and forensic analyses to determine the scope and severity of a breach could prove difficult or impossible. In all cases, however, remote response teams will, in the absence of adequate incident response planning, face a multitude of potential logistical hurdles in coordinating an effective response.

The Elephant in the Room

“Globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds”

This year has seen a huge increase in the number of ransomware attacks. Not only has the number of attacks increased, but ransomware has continued to evolve: some of the most popular families of last year have disappeared while new ones have emerged. Hospitals and other healthcare institutions continue to be unfortunate victims to this day. The FBI, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services have released a joint warning on the rise in ransomware attacks targeting hospitals and have urged health care providers to take precautions to protect themselves before the attacks hit.

Traditional incident response has never fitted ransomware attacks well; the dynamic is very different. Ransomware attacks are potentially as destructive as they are disruptive. Once the malware is executed, depending on the particular family of ransomware, it will first encrypt local files or hard drives and then seek out network shares to do the same to any resources the infected machine has access to – and it doesn’t stop until it gets what it wants. Even amongst organisations that have built a formal cybersecurity incident response plan, only about a third also have playbooks for ransomware. The problem is that more than half of these organisations have never reviewed or tested those plans.

A recent example of how a lack of IR planning caused a surge of events and downtime:

As of October 27, 2020, Sonoma Valley Hospital in California was operating under EHR downtime procedures after falling victim to a security incident two weeks earlier, on October 11. The incident joins a host of similar EHR downtime procedures in recent weeks, caused by various IT disruptions, security incidents and ransomware attacks. Officials called it a significant downtime event: the incident affected all of Sonoma Valley Hospital’s computer systems. Officials said they have been able to maintain operations and patient care by leveraging the hospital’s business continuity plan while the IT team works on fully restoring affected systems. It is currently unclear what caused the security incident or whether it was ransomware. On average, incidents caused by ransomware spur about 15 days of EHR downtime, though it took UHS more than three weeks to fully recover from its ransomware attack.

SoutheastHEALTH | Cape Girardeau, MO

On the flip side, earlier in the month we saw how SoutheastHEALTH stopped a massive cyberattack, involving a high volume of internet traffic directed at the hospital’s mainframe, thanks to its effective IR planning strategy. SoutheastHEALTH in the US shut down its computer network for a number of days to prevent the attackers from gaining access to the network, which could have disrupted the provider’s email and internet channels. SoutheastHEALTH maintained patient care by leveraging EHR downtime procedures and diverting potential emergency department patients to alleviate the burden on staff. The systems were brought back online about two days after the attempted attack. Officials said the EHR and its patient records were not affected.

Moving Forward

While the global pandemic introduced many new challenges, the process of monitoring, reacting to, containing and investigating incidents has remained the same. Modifications have inevitably been made to accommodate the remote climate, and response times have increased in certain situations, but the methodology has largely stayed the same. According to a report by the Ponemon Institute and IBM Resilient, incident response plans aren’t something most companies have or have applied consistently throughout the organisation, and more than 77% don’t have incident response plans in place. Taking a proactive approach to security is often a big part of standing fast against threats. An effective incident response plan will better equip you in the case of security incidents and will help your organisation to mitigate damage to your operations and improve your interdepartmental communications going forward.

1. Create and Test Your Incident Response Plans

Response plans help coordinate the actions of each team member so that they can spend less time figuring out what to do in the event of an attack, and more time responding. Time is of the essence when responding to cyber threats, especially ransomware.

Develop alternative communication channels

Companies should establish alternative means of communication for critical response personnel to use when an incident occurs.

Plan for the possibility that key staff are unavailable

Companies must also plan for the possibility that key security staff who would ordinarily handle incident response may be incapacitated or otherwise unavailable.

Review key response plans

Companies should review key response plans with an eye toward identifying instances where staff members’ physical presence onsite would ordinarily be required.

Run tabletop exercises

One common theme among companies that fall victim to devastating attacks is that despite investing in cybersecurity measures, they failed to execute their incident response plans. Be ready for when the attack will happen.

If you don’t know how to create an incident response plan or how to test one, reach out to our security team and we’ll help you – no matter at what stage of your cybersecurity maturity you are.

2. Back up – Back up – Back up

Organisations should also back up their systems regularly and test those backups on a regular basis as part of a recovery plan, so that if the worst happens and ransomware does infiltrate the network, there is a known method of restoring systems without the need to pay cyber criminals.
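"Testing those backups" means actually restoring them and checking the result, not reading a job log. The following is an added example, not code from the original article: it backs up a constructed directory, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and diffs the restored tree against the manifest. It then runs the same restore test against a deliberately truncated copy of the archive to show the kind of failure that only a restore test catches. The file names and contents are constructed.

```python
"""Restore-test for backups: a backup counts only once it has been restored
and verified. Added example; the sample files and the deliberate damage
to the second archive are constructed for illustration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backups stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir; return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return build_manifest(source_dir)


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and diff the result against the manifest.

    Returns a list of human-readable problems; an empty list means every
    file came back with the content it had when the backup was taken.
    """
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc!r}"]
        restored = build_manifest(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return problems


def run_demo():
    """Back up a constructed tree, prove it restores, then catch a damaged archive.

    Returns (problems_for_good_archive, problems_for_damaged_archive).
    """
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "fileserver"                      # constructed source tree
        (source / "config").mkdir(parents=True)
        (source / "config" / "app.conf").write_text("listen=443\n")
        (source / "records.csv").write_text("id,name\n1,constructed\n")

        archive = work / "fileserver.tar.gz"
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)

        # Constructed failure: the archive truncated mid-stream, the sort of
        # damage a "backup job succeeded" log line never reveals.
        damaged = work / "damaged.tar.gz"
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        bad = verify_restore(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact archive:", good or "restored and verified")
    print("damaged archive:", bad)
```

In a real recovery plan the manifest is stored separately from the archive (a backup that carries its own checksums cannot vouch for itself), and the restore is exercised onto hardware or a VM that matches production, so that the test also proves the procedure, not only the bytes.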

3. Get your house in order

Balance the need for increased administrator privileges

Companies eager to ensure robust incident response capabilities may be tempted to expand administrator privileges by broadening access rights or increasing the number of individuals who hold those rights.

A security breach can cause operational disruptions, data leaks, reputation damage and regulatory complications. But a threat prevention and response strategy can speed recovery from unexpected security breaches and help prevent future incidents.

Many organisations and employees are needing to rethink ways of working in light of considerable operational and financial challenges. Without appropriate considerations, this could fundamentally increase the risk of cybersecurity attacks. We are seeing both the likelihood and impact of cyberattacks increasing and cybersecurity good practices may fall by the wayside as organisations become more technology dependent than ever. We are also beginning to see the nature of the threat changing, as attackers exploit uncertainty, unprecedented situations, and rapid IT and organisational change.

Vulnerability Management & Patching

As the number of discovered vulnerabilities increases every day, networks are becoming increasingly difficult to keep secure in the face of emerging incidents. Vulnerability assessments are extremely important in managing security flaws for many organisations. The ability to quickly identify misconfigured and unpatched systems helps you apply the patches and prevent devastating attacks. Vulnerability management and patching should be part of your overall incident management and disaster recovery plan.

A multi-faceted approach to prevention for better incident management

A proactive prevention approach is crucial to ensuring processes and data are not exposed to malicious attacks. This includes:

Employee Security Awareness Training. A good security strategy starts with proactive employee education to ensure staff are prepared to help keep your computers and networks safe. We recommend running regular phishing simulation exercises to ensure that if an attack does occur, your employees are ready to spot and report it.

24/7/365 Security Monitoring. Managing and monitoring incidents around the clock can help an organisation recover quickly from an attack and strengthen its security posture. We advise organisations to invest in SIEM, EDR and IDS/IPS solutions that allow for real-time monitoring and detection of security events in order to block network intrusions.
