CIO Academy Asia #HASHTECH Insights
April 6, 2020

The COVID-19 crisis is dramatically changing the way we live and work. For many people it means working from home, and organisations must now keep operating with unprecedented levels of remote working.

A key consideration for organisations, as widespread remote working is thrust upon them, is cybersecurity. There is an urgent need for security measures that address the new reality.

Remote working and COVID-19 opportunism change the threat landscape and create new risks

The combination of the sudden increase in remote working, with massively increased digital engagement and a fear of COVID-19, has emboldened malicious actors to launch new targeted attacks.

These threats include ransomware, malware and corporate espionage. None of them is new, but each is given fresh impetus by the extended attack surface.

Endpoints that connect over untrusted networks, whether insecure Wi-Fi or 4G/5G hotspots, are more exposed to attackers on the same path. For example, the DarkHotel campaign, which targeted senior executives through the Wi-Fi of luxury hotels in Asia, was identified by Kaspersky researchers in 2014.

The use of personal devices under ‘bring your own device’ policies creates additional risk: a device that is also used for consumer sites and personal e-mail is exposed to phishing that can compromise sensitive data such as passwords and financial details. The global shift to remote working will exacerbate this risk.

Attackers are sending targeted e-mails that purport to come from companies selling masks, gloves and other protective equipment and that contain malicious links. Messages appearing to be from trusted sources such as government health agencies have also turned out to be attacks.

Organisations are ill-prepared for new threat landscape

Many cybersecurity decision makers have recently made sizeable investments in multiple solutions and face challenges in making them operate effectively. Organisations should assess, as soon as they can, which new vulnerabilities the COVID-19 situation has surfaced.

The Southeast Asia Technology Trends And Priorities Survey Report published by CIO Academy Asia shows that even before the COVID-19 crisis, 40% of IT decision makers in ASEAN believed that their organisation’s cybersecurity function did not meet its needs. This number can be expected to be larger today, as remote working exposes organisations to more cybersecurity risks.

The expanded attack surface, created by more endpoints and less IT control, will inevitably lead to an increase in security incidents.

While Kaspersky research shows that 96% of all companies in ASEAN have basic security tools, such as endpoint security solutions installed, more than 10% of the security solutions being used by businesses are free software. Almost a fifth of respondents admit to using licensed solutions which are meant for home use only.

Kaspersky research also suggests that a sizeable proportion of ASEAN companies are using solutions that may not be suited for their needs. Highly distributed IT environments create a much greater need for threat hunting – to combat unknown and highly sophisticated threats – and a more proactive approach to cybersecurity.

The situation is worsened by a lack of skills. CIO Academy’s survey report also revealed that nearly 50% of enterprises in ASEAN do not have the budget for a cybersecurity specialist, and just under a third have difficulty finding someone internally with adequate cybersecurity skills.

Rigorous cyber hygiene, a proactive cyber-defence posture and a unified, adaptive capability centre are critical to managing the new threat landscape

More than ever, organisations need a unified and adaptive approach to cybersecurity, with an even greater focus on endpoint security.

Today, all citizens are being asked to participate in the fight against COVID-19. Consequently, it is more important than ever to engage employees in the battle against cybercrime. All employees must now be educated in cyber hygiene: not clicking suspicious links, checking the real extension of a downloaded file (a file named invoice.pdf.exe runs as a program, whatever its icon suggests), and being a little more sceptical about where a file or link actually comes from.
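The two hygiene checks above, deceptive file names and links whose visible text does not match their real target, can also be automated at the mail gateway or download proxy. The following is an added example written for this page, not code from the article or from any vendor product; the extension lists, the scoring labels and the sample inputs are assumptions chosen for illustration.

```python
# Added example (not from the article or any vendor product): two checks a
# security team could build into a download or mail filter for the hygiene
# points above. Extension lists and sample inputs are assumptions.
import os
import re
from urllib.parse import urlparse

# File types that execute code on a typical Windows endpoint (assumed,
# representative list; not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".ps1"}
# File types a user expects to be a harmless document or picture.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".jpeg", ".png"}
# Unicode bidirectional override/isolate characters: "report\u202efdp.exe"
# is displayed as "reportexe.pdf" although the real extension is .exe.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def check_filename(name: str) -> list[str]:
    """Return the reasons a downloaded file name looks deceptive ([] if none)."""
    findings = []
    if any(ch in BIDI_OVERRIDES for ch in name):
        findings.append("bidi-override")
    # Strip the overrides first so the *real* trailing extension is examined.
    cleaned = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    root, ext = os.path.splitext(cleaned)
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    if ext in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": icon and visible part say PDF, Windows runs it as a program.
        findings.append("double-extension" if inner_ext in DOCUMENT_EXTS else "executable")
    # Long runs of spaces push the true extension out of view in file dialogs.
    if re.search(r" {10,}", cleaned):
        findings.append("padded-name")
    return findings


def check_link(visible_text: str, href: str) -> list[str]:
    """Return the reasons a link's real target does not match what the user sees."""
    findings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme not in ("http", "https"):
        findings.append("non-web-scheme")
    # If the visible text itself looks like a web address, its host must be the
    # real host (or a parent domain of it); otherwise the text is a decoy.
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)", visible_text.strip().lower())
    if m:
        shown = m.group(1)
        if host != shown and not host.endswith("." + shown):
            findings.append("text-host-mismatch")
    # Anything before '@' is user info, not the host: "https://who.int@evil.example/"
    # is served by evil.example.
    if target.username is not None:
        findings.append("userinfo-in-url")
    # Bare IP addresses are rarely used by legitimate bulk mail senders.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("ip-host")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real phishing artefacts.
    for name in ["quarterly_report.pdf", "invoice.pdf.exe", "report\u202efdp.exe"]:
        print(repr(name), check_filename(name))
    print(check_link("www.who.int", "http://www.who.int.covid-masks.example/login"))
```

The link check deliberately accepts a visible host that is a parent domain of the real one (text "who.int" pointing at www.who.int) while rejecting the reverse, the brand name buried in a subdomain of an attacker-controlled registrable domain, which is the pattern the COVID-themed lures described above rely on.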

Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky noted, “Organisations should implement proven protection software on every endpoint, including mobile devices, and ensure that their firewall is always switched on.” He further emphasised, “Organisations must implement encryption to prevent the less secure home environment from compromising the corporate network.”

Two critical activities that need to be addressed are active threat hunting, in the form of targeted attack discovery, and incident management.

Targeted attack discovery is key to early intervention against new threats arising from remote working and COVID-19 opportunism

The chaos and sudden shifts in the way organisations use technology, caused by COVID-19, are giving targeted attackers new ways of achieving their goals. From posing as a trusted source of information to offering to supply products that are in short supply, many new avenues of targeted attack are available.

Solutions against targeted attacks have existed for years, but they often generate more security events than an analyst team can process within a reasonable timeframe, causing what security leaders commonly call ‘alert fatigue’.

To guard against new and emerging dangers, organisations need an increasingly adaptable approach to security. Threat intelligence and unified security solutions need to be built into SOCs to better facilitate threat management in an efficient, centralized approach.

Today’s solutions need integrated analytics and machine learning. A targeted attack rarely announces itself in a single alert; it is identified by correlating data from several sources with analytics and AI/ML. For example, Kaspersky’s Anti Targeted Attack Platform combines network and endpoint data, sandboxing and intelligent analysis to correlate incidents, search for indicators of compromise and help uncover the most complex targeted attacks. By connecting the multiple elements of an incident, organisations get a comprehensive view of the entire attack chain, which increases confidence in assigned threat scores and drastically reduces false positives.
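The following added example shows, in miniature, why connecting the elements of an incident raises confidence and cuts false positives. It is illustrative code written for this page, not the logic of the Kaspersky platform or any other product: the event format, the IOC values (documentation ranges and a placeholder hash), the signal weights, the correlation window and the verdict thresholds are all assumptions.

```python
# Added example (not the Kaspersky platform's logic): correlate endpoint,
# DNS, network and sandbox events per host against a small IOC set, and
# let the threat score rise only when independent sources corroborate one
# another. Event format, IOC values, weights and thresholds are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed IOC set (documentation ranges and a placeholder hash; not real indicators).
IOC_DOMAINS = {"update-covid19-masks.example"}
IOC_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
IOC_IPS = {"203.0.113.45"}

# Weight of each atomic detection and the window in which hits on one host are joined.
WEIGHTS = {"ioc-hash": 40, "ioc-domain": 30, "ioc-ip": 30,
           "sandbox-malicious": 35, "office-spawns-shell": 25}
WINDOW = timedelta(minutes=30)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "process", "dns", "conn" or "sandbox"
    data: dict = field(default_factory=dict)


def signals_for(ev: Event) -> list[str]:
    """Atomic detections raised by one event on its own."""
    out = []
    if ev.kind == "process":
        if ev.data.get("sha256") in IOC_SHA256:
            out.append("ioc-hash")
        parent = ev.data.get("parent", "").lower()
        image = ev.data.get("image", "").lower()
        if parent in OFFICE_APPS and image in SHELLS:
            out.append("office-spawns-shell")   # macro or exploit launching a shell
    elif ev.kind == "dns" and ev.data.get("query") in IOC_DOMAINS:
        out.append("ioc-domain")
    elif ev.kind == "conn" and ev.data.get("dst_ip") in IOC_IPS:
        out.append("ioc-ip")
    elif ev.kind == "sandbox" and ev.data.get("verdict") == "malicious":
        out.append("sandbox-malicious")
    return out


def verdict(inc: dict) -> str:
    """A single source alone stays 'suspicious'; corroboration across sources escalates."""
    if inc["score"] >= 70 and len(inc["kinds"]) >= 2:
        return "confirmed-targeted"
    if inc["score"] >= 30:
        return "suspicious"
    return "low"


def correlate(events: list[Event]) -> list[dict]:
    """Join each host's hits within WINDOW of its first hit into one incident and score it."""
    incidents, open_by_host = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        sig = signals_for(ev)
        if not sig:
            continue
        inc = open_by_host.get(ev.host)
        if inc is None or ev.ts - inc["first"] > WINDOW:
            inc = {"host": ev.host, "first": ev.ts, "signals": set(), "kinds": set()}
            incidents.append(inc)
            open_by_host[ev.host] = inc
        inc["signals"].update(sig)
        inc["kinds"].add(ev.kind)
    for inc in incidents:
        # Distinct signals only: ten repeats of one DNS lookup are still one signal.
        inc["score"] = sum(WEIGHTS[s] for s in inc["signals"])
        inc["verdict"] = verdict(inc)
    return incidents


T0 = datetime(2020, 4, 6, 9, 0)
# Constructed telemetry: host A shows the whole chain, host B only one DNS lookup,
# host C is clean.
SAMPLE_EVENTS = [
    Event(T0, "LAPTOP-A", "process", {"parent": "WINWORD.EXE", "image": "powershell.exe", "sha256": "00"}),
    Event(T0 + timedelta(minutes=1), "LAPTOP-A", "dns", {"query": "update-covid19-masks.example"}),
    Event(T0 + timedelta(minutes=1, seconds=5), "LAPTOP-A", "conn", {"dst_ip": "203.0.113.45"}),
    Event(T0 + timedelta(minutes=5), "LAPTOP-B", "dns", {"query": "update-covid19-masks.example"}),
    Event(T0 + timedelta(minutes=7), "LAPTOP-C", "process", {"parent": "explorer.exe", "image": "chrome.exe"}),
    Event(T0 + timedelta(minutes=8), "LAPTOP-C", "conn", {"dst_ip": "198.51.100.10"}),
]


def run_sample() -> dict[str, str]:
    """Verdict per host for the constructed telemetry."""
    return {inc["host"]: inc["verdict"] for inc in correlate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["host"], inc["score"], sorted(inc["signals"]), inc["verdict"])
```

On the constructed telemetry, LAPTOP-A reaches a confirmed verdict because the process, DNS and network sources each independently point at the same chain, while LAPTOP-B, with the same IOC domain lookup but nothing else, stays at suspicious and is queued for an analyst rather than paged as an incident; that distinction is what keeps a single noisy indicator from turning into alert fatigue.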

Incident response plans must be revised in light of COVID-19

Given that IT teams and employees are now distributed across multiple locations, mounting a co-ordinated response to incidents is more challenging than before. Many IT and support professionals are not familiar with remote working, and even less familiar with managing incidents remotely.

A recent Kaspersky Incident Response Analytics Report shows that 56% of incident response requests occur after damage from a cyberattack is complete, with 44% of requests processed after detection of an attack during the early stage. Commenting on the findings, Yeo stated that while it may not always be possible to halt an attack before it penetrates cyber defences, this data highlights the importance of reacting early to an attack, not after a cyberattack is completed. Timely incident response makes almost all the difference to minimizing damage resulting from malicious penetration.

Yeo also pointed out that another major challenge faced by incident response teams is incorrect assessments. It is necessary to have some human oversight of the process to ensure that this does not happen – especially given the unpredictable nature of today’s operating environment. Ultimately, a mix of automation and traditional human skills will be key to successful incident response strategies.

Organisations need a capability that covers the entire incident investigation cycle: acquiring evidence on site, identifying additional indicators of compromise, preparing a remediation plan and completely eliminating the threat from the organisation. It must incorporate malware analysis and digital forensics.

The COVID-19 situation will force many organisations to embark on a thorough revision of their incident response plans. Those plans will need to accelerate the handling of security breaches through containment, analysis and eradication of infected elements in the network.

Incident response plans must be backed by an auditing policy and a log retention period of at least six months to one year, so that the events leading up to a breach are still available when it is finally discovered. Combined with guided procedures for the proper handling of digital evidence, this allows experts to analyse incidents faster and more completely.

Conclusion

As employees are compelled to work at home, the attack surface is greatly expanded. Endpoint security becomes critical as does addressing the deluge of opportunism coming from innovative attackers.

Regardless of an organisation’s cybersecurity posture, breaches will occur, especially in these uncertain times. So, greater emphasis must be placed on targeted attack discovery, and on incident response. It is essential to have tools which can track threats that can evade endpoint solutions.

An intelligent and adaptive cybersecurity posture, able to detect targeted attacks and mitigate the risks they pose, must be adopted. Solutions such as Kaspersky Anti-Targeted Attack and Kaspersky Threat Intelligence can help organisations pre-empt threats and proactively reduce that risk. Together with a revised incident response strategy, these tools should be part of a comprehensive and proactive approach to cybersecurity.


The Southeast Asia Technology Trends & Priorities for 2020 Report, published by CIO Academy Asia in collaboration with the Lee Kuan Yew Centre for Innovative Cities at SUTD, is now available for download.
