Emerging Cyber Crime Patterns Linked to the COVID-19 Pandemic

Webinar Series

As the world continues to feel the enormous weight of the COVID-19 pandemic, cybercriminals are taking advantage, attacking our most critical institutions and infrastructure and playing on our fears and anxieties by engaging in extortion and fraud campaigns. When most people are working from home and the world is filled with unknowns, our industry experts will discuss how security, HR and business leaders can work together to ensure employee and business cybersecurity. 

At DailyPay and Obscurity Labs, we’re working tirelessly to understand the capabilities and mindsets of today’s dynamic cybercrime syndicates.

Guest Speakers

Jeff Hudesman

Vice President of Information Security

DailyPay

Alexander Rymdeko-Harvey

CEO

Obscurity Labs

In this webinar you will learn about…

  • The emerging cybercrime patterns linked to the COVID-19 pandemic
  • Cyberattacks and campaigns that are targeting specific industry sectors
  • Ways that organizations can defend themselves and their employees while working remotely, and how to prepare for going back to the office
  • Why HR plays a critical role in communicating and implementing security best practices for the workforce
  • Ways that DailyPay is protecting clients and users from cybersecurity threats

Webinar Transcript – 60 minutes

Natalie:

All right. Good afternoon or good morning, depending on where you are. I’m Natalie from DailyPay’s event team, and I’d like to welcome you to today’s webinar on Emerging Cyber Crime Patterns Linked to the COVID-19 Pandemic. Before we get started, I’d like to go over a few items, so you know how to participate in today’s event. You will have the opportunity to submit text questions to today’s presenter by typing your questions into the question pane of the control panel. You may send in your questions at any time during the presentation. We’ll collect these, and address them during the Q and A session at the end of today’s presentation. We encourage any and all questions to be submitted. This is why we have two industry experts on the line for you all today. So, now, I would like to introduce to you Jeff Hudesman, DailyPay’s VP of Information Security and Alexander Rymdeko-Harvey, CEO and Co-Founder of Obscurity Labs. Jeff, take it away.

Jeff Hudesman:

Thanks so much, Natalie. Thanks everyone for joining us today on our first ever DailyPay security webinar. Security’s at the heart of everything you do at DailyPay, so it seemed fitting to have this important discussion. I’m fortunate to be joined by Alex Rymdeko-Harvey from Obscurity Labs, some of the most talented red team operators. So, just by way of introduction, my name is Jeff Hudesman. I’m the VP of Security at DailyPay. We’re a fintech company focused on providing financial wellness to the masses by giving employees early access to earned income. I’m joined by the super talented Alexander Rymdeko-Harvey, a former colleague and friend. Next slide.

Jeff Hudesman:

So, a little more about myself. I’ve advised some of the world’s largest organizations on cyber security. Prior to DailyPay, I’ve held global cyber security leadership positions at Sony and PR Newswire, and I also am a regular speaker at global cybersecurity conferences. Next slide. So now, for Obscurity Labs. Obscurity Labs has experience conducting offensive and defensive cybersecurity research, development, training and operations for over 30 U.S. government agencies as well as commercial organizations. They provide advanced threat emulation, penetration testing and application security engagement services ranging from enterprise to ICS, internet of things, and embedded. We have been working extensively with their team here at DailyPay, and it’s a great relationship. They do amazing work, and that’s why we’ve invited them to join us today. We can go to the next slide.

Jeff Hudesman:

So, to start this agenda here, I just … As opposed to some of the simplistic security guidance you’ll sometimes find on the internet or corporate trainings, we purposely made this content substantive with insights from our collected experience in military, government agencies, and some of the world’s largest companies, so in this presentation, we’re going to cover understanding the current lifecycle of threat actors and their target selection process to really get into the mind of the adversary and what their motivations are. Alex is going to speak extensively on that topic.

Jeff Hudesman:

We’re also going to talk … and obviously, it’s the title of this presentation. We’re going to talk about the emerging cyber crime patterns linked to the COVID-19 pandemic. We’re also going to talk about cyber attacks and campaigns that are targeting specific industries and also ways that organizations can defend themselves and their employees while working remotely. As we are an HR fintech company, we’re also going to discuss ways HR plays a critical role in communicating and implementing security best practices for the workforce. We can go to the next slide. Alex, take it away.

Alexander R.:

Thanks, Jeff. I really do appreciate the introduction and kind words. So, just a little bit of a small little background on myself quickly to understand why we’re talking about cyber intelligence principles. I come from a primarily intelligence or military intelligence background where I was formally taught some of the basics of the intelligence principles. I found that mapping of these intelligence principles back to cybersecurity programs and deriving cybersecurity theory from them has been extremely effective in my career and also helping the organizations that we support today at Obscurity Labs.

Alexander R.:

So, I always like to start off with basically talking about the basics of the intelligence principles. When you start breaking down different intelligence principles in general, you go through a phase and its lifecycle. Just like we have an attacker lifecycle, we always have an intelligence lifecycle, and these are the basics: planning and direction, collection, processing of the data, exploitation of the data, which is where you’re actually turning intelligence into usable intelligence or actionable intelligence as they say in the military side of the house, and then performing some type of analysis, production and dissemination of the intelligence. This is used by major nations today as part of their process of exploitation and dissemination of intelligence. This is commonly referred to as PED.

Alexander R.:

I’d like to always mention the intelligence factors because all systems and goals by either yourself, all the way to making a decision of if I’m going to purchase a hotdog or a hamburger are all intelligent decisions. Whether you like to think it or not, everyone in the cybersecurity realm is an analyst. Whether you’re a person performing analysis on what’s the latest retail item of choice for a specific vendor or how I’m going to get it out there or if I’m trying to make a marketing decision, all these are based on intelligence.

Alexander R.:

I always like to break these down to two major areas. These can be broken down into access and collection. These different motivators or areas that can be broken down in intelligence drive motivators, goals and action. We start talking about threat actors themselves. It’s important to understand what they’re trying to go after and so on, and we’re going to cover that extensively in the coming slides. These intelligence principles also feed into cyber operations as a whole when we start talking about threat actors.

Alexander R.:

So, the two I want to focus on today are active and passive when it comes to the access, right? So, whether it’s an organization, advanced threat actor or an insider threat, they always have some type of goal or motivation, which leads to either them performing some type of active collection or some type of passive collection for when they’re gaining access to an environment, whether they’re trying to change the sentiment of a population or they’re trying to steal a specific intellectual property that your organization may hold onto and that an attacker may want to gain access to. Next slide please.

Alexander R.:

This drives us into the, basically, offensive cyber theory as a whole, right? There are many different domains out there when we start looking at how the military classifies the battlefield, right? The reality is that cyber warfare can be mapped back to conventional warfare. The reason why I like to always use the military background is because specifically, when it comes to this new cyberspace and domain that we’ve kind of all been immersed into, unfortunately, organizations today have now been putting themselves in the crosshairs of nation states and so on. These large organizations that generally would not be targeting a small company or a large company, right? Companies today and technology companies today have access to some of the greatest research in the world beyond just the United States government. So, if you look at a company that builds smartphone cameras and so on, this technology can be used in a multitude of different ways, but it also can be reproduced in a multitude of different ways, and so many may want to gain access to that.

Alexander R.:

So, I always like to go back to understanding a couple different physical counterparts to how the attack is formulated and how to classify an attack. So, as we start moving into the offensive cyber theory as a whole, this can be broken down into a few key areas. This is how novel the attack is, how much technology was used during the attack, the complexity of the attack, and the persistence and pace of that attack. So, we start looking at this, and we start reviewing prior threat reporting. A great example of this, and one that many people have heard of inside of the tech industry and outside of the tech industry, is Stuxnet. This was a specific attack against an Iranian location that was basically performing an enrichment of uranium and so on. This specific malware actually started to boil into physical effects.

Alexander R.:

This is where cyberspace is starting to change. We’re starting to realize that cyberspace no longer just has technical impacts but also physical impacts. This is a great example of a piece of malware that can have grave physical damage to an organization and what their motivation and goals are. So, in this case, Stuxnet was considered super tech. It was never seen before. It had an extremely novel code base that allowed it to do things that have never been seen when it comes to the malware side of the house and the way that it interacted with centrifuges, ICS devices, and these different devices. It also moved into the fact that the pace, right, so Iran was pushing extremely heavily on developing nuclear weapons and so on, so the pace was time critical for whoever was behind Stuxnet.

Alexander R.:

In this case, it also drives the complexity of the attack, right? So, not every day do you come by Stuxnet, but the reality is, as a security team or somebody analyzing today’s threat reporting, you have to understand where the attacker’s motivations are and what their target is to understand what they’re going to go through and how much funding and capability they need to be able to go after whatever you’re trying to secure. In our realm, we call this key cyber terrain. These are the small parts of your organization. So, if you’re a retail company and you have a specific supply chain that is critical to your success, whether that be obtaining some type of food, materials such as, let’s say metals or leathers and so on, those are very critical in your supply chain. If those were to be affected, you would have grave effects on your organization as a whole. That’s why we always like to, at Obscurity Labs, advise our counterparts to really focus on key cyber terrain. Next slide.

Alexander R.:

So, we start looking at deriving your adversary’s motivations, right? We start trying to understand what your adversary is actually after. We can break this down into four main areas. Of course, there’s many more out there, but the areas that I like to focus on particularly are where it all generally starts, which is social impact, right? So, we look at psychological operations such as PSYOPS, right? It is a military term. This could be handing pamphlets out and dropping pamphlets over a battlefield to deter your enemies from fighting, but it could also be as simple as, or something more devious such as maybe publishing fake news or different disinformation campaigns. This is an effect of cyber that has affected the entire country as a whole. This ability to disseminate information at rapid pace has actually had political as well as social impact today.

Alexander R.:

When this happens, they can go through a couple different processes. When you use something like social impact, you can influence sentiment, you could influence change, and finally, you can influence effect. Effect is an important term here. That’s because I always like to go back to the military side of the house because when commanders are planning to, let’s say performing warfare planning, they always plan by having effects on the battlefield. They may say, “Oh, well, I need to take out this specific location, and I need to have this effect.” Sometimes, they don’t understand how to get the effect, but they understand they have the tools in their arsenal to obtain that effect.

Alexander R.:

As I’ve mentioned before, organizations and civilians and so on that have never been in the … that basically connected to, directly connected to warfare have now been directly connected to warfare by today’s adversaries that you may know of, right? So, let’s say Russia, in the late 1970s, they were extremely effective. The KGB was extremely effective at using popular disinformation campaigns to basically lead people to believe that the United States was basically inventing HIV and AIDS as a biological weapon in Fort Detrick, Maryland, right? So, this was before the internet was really even a thing to what it is today. There was no Facebook. There was no Myspace. There was no Twitter, but they were extremely effective at performing these disinformation campaigns and having social effects.

Alexander R.:

This also leads into political influence, something more time relevant where we start talking about Russian meddling and so on, which reporting has shown that certain organizations and countries have been extremely effective in having political influence over our political system as a whole. The reason why adversaries may do something like this is because they may want to impact change. They may want to deter and disrupt us. Maybe they want to leverage those gains or have different social impacts to make something that they’re trying to push effective or a mainstream idea.

Alexander R.:

Then, finally, the one that many people are very familiar with recently in the past few years, which is the financial gain. When it comes to financial gain, countries use this specifically for enabling capability development. One of the key things to going after a target and having a motivation behind that target is having the capability to meet this. We’ll go on to this next because we start talking about the different classifications of adversaries. When you start having financial gain over somebody, you start having the ability to make specific adversarial decisions, right? So, let’s say a nation state or an industrial espionage attack, right, those things are specifically targeted on, let’s say a specific research that’s like today, right? Today, we’re starting to see a large uptick in targeted attacks taking place in the United States healthcare systems to gain access to research and specific corporations’ intellectual property to have an edge when it comes to potentially being the first to market for a vaccine and so on. Those things can have massive financial impacts.

Alexander R.:

We also have things like commodity threats today such as ransomware or a cryptor or something of that nature, right? Those things have an impact at many different levels. Even though their sophistication is very, very low and the prevalence is very, very high on how many of these attacks you see, they can still have just as much effect as an industrial espionage campaign. Imagine the hospital in today’s current situation being ransomwared. That would be a massive impact, right? That would have a massive effect that an adversary could use against us and the same way as if you’re an industrial organization. I understand today that there’s a lot of different large corporations here today.

Alexander R.:

When we start talking about key cyber terrain, as I mentioned earlier, industrial espionage is something you have to be seriously concerned about. The organizations I’ve worked with in the past have serious concerns over industrial espionage, and that’s because in certain cases, they may have a trade secret that gives them an upper hand in the market. If you’re not spending the time and money to defend that key cyber terrain, then you probably are in a bad situation where if somebody were to gain access to your environment, they may be able to steal this intellectual property and then have an industrial advantage over you. China has performed this. There’s been plenty of reporting of them going after specific intellectual property in large tech companies, retail companies, and healthcare companies and so on because of what kind of advantage it gives them. They have long standing goals that they have to meet, and they may use that. It may not even need to be a nation state sponsored attack. It may just be a large subset of attackers trying to gain access anywhere they can.

Alexander R.:

The reality is, these attackers today are using COVID-19 as basically a cover for them to, or a potential social key indicator for them, to leap off of and use it as an attack platform, right? So, phishing emails and so on, you’re starting to see a large uptick that Jeff will cover in the future here on phishing emails. These things that … It may be the IRS W-2s and so on that come out in the beginning of the year for phishing campaigns, but now today with COVID-19, now, we’re seeing a large uptick in malicious domains registered and specifically targeting organizations that maybe at one time, they had a hard time gaining access to. This gives them, with all the fear that’s currently taking place, a good starting point to go after some of these organizations that they once had a hard time targeting. Next slide.

Alexander R.:

So, finally, one of the last portions that I like to mention is kind of bringing this all together, right? So, we talked about some of the intelligence principles. We talked about offensive cyber theory as a whole. Then, we also talked about adversary classification. So, when we start talking about all these different things meshed together, we kind of have a concept of operations that we can kind of leverage, right? If you’re somebody that is an actual analyst in the cybersecurity realm, you’ve probably seen charts like this in the past where they talk about what attackers do and what they don’t do depending on their motivation and target, right? That’s because not all attackers operate identically, right? We mentioned the different classifications of attackers previously, and we also understand that they’re going after different things. A nation state attacker may be going after government secrets, whereas a commodity attack may just want to have financial gain. That’s because there’s different types of threat actors holistically.

Alexander R.:

Now, many of the attackers are definitely classified outside of the APT designator. That’s because they don’t complete the entire attack lifecycle. They may not have the pace. They may not have the prevalence. They may not have the technology and funding and capability to perform this. A great example of this would be cryptors are also … Many people understand ransomware, right? When we look at ransomware as a whole, we’re just kind of like a commodity threat. This is something that is very prevalent, we’re seeing all the time. It hasn’t gone away, and it probably won’t go away for a very long time. That’s because it’s easy to abuse. It has a high impact or high effect with a very cheap or easy-to-use platform to launch from, right? You just need some basic malware that you could pull off the internet, and you can start today and literally start having effects.

Alexander R.:

The reason for this is because they don’t conduct the entire operation. They don’t conduct its entire lifecycle. They have no need for external access. They have no need to exfiltrate data. They don’t need to cover their tracks. The only thing that they want to do is gain access, build and acquire tools, basically deploy their malware, and boom, they’re done. That’s all they had to do. They just had to maybe use some expansion internally. There’s some more advanced cryptors out there today that do expand the access that we’ve seen in the past two years specifically with the EternalBlue CVE that would target entire organizations and have a massive impact.

Alexander R.:

When we start looking at, let’s say hacktivism, right, well, they have a specific goal in mind, right? They want to maybe deter and disrupt you from doing something. They don’t like an action that you’re doing, so they’re going to try to use the cyberspace domains to have an effect on you. They may go through building and acquiring tools, but the only difference is they may actually go to test your tool suites and basically researching the target, gaining access, and actually having command and control over your environment, and then maybe perform some exfiltration of data to then expose you to the public. When we start getting into the APT with you guys later, they do the entire lifecycle. They perform intelligence access, basically active and passive, as well as collection operations. They want to gain an operational foothold in your environment. These are the, obviously, the rarest attacks, but they do take place against different organizations and sectors.

Alexander R.:

The reality is though, with the current state of how things are changing and what’s taking place with COVID-19, the targets are changing, right? Before, it was high tech or super tech technology companies that they’re going, a lot of retail stores, as well as going after specific IT trade secrets when it comes to building different devices and when it comes in the tech industry, but now today, they’re changing towards the financial market, the medical, as well as the tech field still today. So, it’s having an effect. COVID-19 is having a small effect on this, but it’s changing rapidly on what the motivation is and what their target is. Next slide. So, at this point, I’m going to turn it back over to Jeff, and he’s going to start talking about some of those impacts that COVID-19 has had as well as some of the specifics when it comes to the techniques and tactics that they’re using today.

Jeff Hudesman:

Yeah. Thanks, Alex. So, as a security leader, including my responsibility to obviously drive strategy and execute my program, and we’re using our operations and our resources effectively as possible, so this changes a little bit now with the introduction of COVID-19 and changes in the way that we’re working, changes in the way that people are accessing information, and changes again, as Alex mentioned and as I’ll talk through a little further, changes in the way that adversaries are exploiting people’s emotional response to COVID-19 and other tragedies in a similar status.

Jeff Hudesman:

So, to start talking about COVID-19 tactics or cyber tactics employed by threat actors, to start … I mean, I feel this is always the start to talk about different attacks and really to get a foothold into a network for an adversary is phishing. So, threat actors have been doing this for as long as security has been around, as long as email has been around, but now, they’re leveraging COVID-19 themed phishing lures. Unfortunately, these will be more successful especially in this day and age given the emotional response whether it be early on in the pandemic when NAS were highly desirable, phishing lures like that. So, that is definitely something that we’re seeing a ton of, and it’s something that we’re very cognizant of in defending our networks of.

Jeff Hudesman:

Given the changing of the work landscape and where work is taking place, there’s extensive targeting of external resources used for remote operations and for employees working remotely. The whole network ideology and the whole network concept has changed. So, now, you have a distributed workforce connecting through technology such as VPNs or other means, and it just completely changes the way that attackers will approach gaining initial access. So, in addition to that, we’re seeing a rise in remote desktop and SSH brute forcing, so those are just means to access computer resources remotely and just to kind of also build on the previous points.

Jeff Hudesman:

These concepts, the remote desktop, the SSH brute forcing, and remote work have been around forever, and we’re doing it, but now, the fact that all employees are in this situation, it’s been a much more desirable tactic for adversaries to use. Pushing forward, cyber espionage is definitely playing a major role and something that we’re seeing, targeting medical research supply chain, intellectual property, as Alex briefly mentioned, vaccine research. There’s a lot, and this is something that obviously countries like China APT groups had been leveraging for quite some time being that obviously, vaccine is one of the most thought about and important aspects of our current lives. This is something that adversaries are definitely looking to obtain.

Jeff Hudesman:

Also, distributed denial-of-service, and this also … I mean, as Alex mentioned the different types of adversaries. In here, you have … This could be groups like hacktivists, people that are just looking to disrupt things and watch the world burn. So, you have … For example, I remember, I mean in my previous life, doing work for a large electronics company, video game developer and manufacturer. You would have adversaries that would just want to take down the network. There is really no financial incentive there. They just want to cause disruption, so that’s also what we’re seeing there. They’re targeting critical infrastructure, high value targets, as well as financial services. You can go to the next slide.

Jeff Hudesman:

So, here, this is pretty interesting. So, what this chart is showing is domain registrations per day for coronavirus and COVID related domains. So, this is something that you’ll see pretty commonly in events like the coronavirus or things, current events that are really consuming the thoughts of the populace. So, here, you’ll see that starting, it looks like in early March, there’s been almost like a hockey stick graph going all the way up in these registrations of these related domains. These domains are then used for highly targeted phishing. Unfortunately, the spam protection, threat protection tools that are available to security professionals and IT teams really do a wonderful job. They are not perfect, so the bad guys are very good at being dynamic in ensuring they’re registering new names, they’re toggling certain flags and settings of how email is sent. So, they keep up on the security technology to see how they can bypass it to their own benefit.

Jeff Hudesman:

So, the phishing, as I mentioned earlier, really provides that initial access or foothold into an environment. Alex, in my previous life, we in red team operations, we’ve always many times found that doing a phishing expedition and making it incredibly targeted so doing research on who the person is, looking at doing open source intelligence around, hobbies of this person, this target … This may be an executive at a company, someone who has access that’s being sought to create the perfect email. The coronavirus domains that I just mentioned as well as this very, very comprehensive open source intelligence, these phishing emails become very, very dangerous. So, you have employees even at the high level in academia, they will still fall for these things because they’re busy with their work, and they just assume, their brain is conditioned to accept emails that look a certain way, that look professional and seem reasonable. So, that’s what makes this such a tremendous risk.

Jeff Hudesman:

With this, they’re going to try and steal sensitive information, passwords, and remote access credentials. That goes along with what I mentioned earlier, how remote access is huge now. It’s always a battle between growth and usability and security. Obviously, you want products to be usable, and you want as many users to use them easily as possible, but obviously, the security aspect of that is extremely important as well.

Jeff Hudesman:

Moving forward, so we truly fully understand … Actually, you know, I’m sorry. Go to the previous slide if you don’t mind. Thanks. Sorry about that. So, history and context are key to fully understanding the motivation of these attacks. Sophisticated threat actors, as I mentioned, that’s what we’ve talked earlier about, can hold access for many months to years. So, maybe they’ll go break into a network, they’ll compromise a few accounts, external accounts, and they’ll hold onto these. Then, once they know this organization, this entity might have more information that could be of interest to them, they can go back. So, really, they’re going to create a backdoor to return when needed. We can go to the next slide.

Jeff Hudesman:

So, back to more tactics employed by threat actors and still working off of phishing because again, it’s one of those things where as a security executive, in talking to my peers, it’s one of the, I would say difficult things to explain to executive leadership because they think that, “Wait. Aren’t the bad guys, aren’t the hackers doing some very highly technical, exploit-related activities to break into websites and to do that sort of hacking?” But really, we humans are and will continue to be the weakest link, so that’s why phishing is always involved. I mean, recent statistics have said that around 95% of major breaches have some kind of phishing or social engineering component. Especially in this case with COVID-19, threat groups are using people’s emotional response to really get them to participate and follow through with the needs of the adversary.

Jeff Hudesman:

So, one notable campaign was attempted on personal accounts of U.S. government employees with lures about American fast food franchises, COVID-19 specific targeting on international health organizations, downloading malware by impersonating health organizations, and targeting of the financial sector and other key essential services. I mean, being the financial sector, financial companies, fintech companies, we’re protecting real dollars. We tend to get a lot more activity and interest from many adversaries. So, motivation is really key to understanding the threat landscape, and stealing sensitive research data, intellectual property for commercial and state benefit. We can go to the next slide.

Jeff Hudesman:

So, now, let’s talk a little bit about organizational vulnerabilities. No company is perfect. As much as I think DailyPay is doing an amazing job securing our company, companies don’t have everything covered. Given the change in the threat landscape and how work is being done, these threat groups know this. I mean, these threat groups are very talented individuals that are trained whether it be by their governments or heavily funded crime rings. They know what’s out there and what’s being used and what companies are using to facilitate business. So, for example, now that we are using tools like Zoom and GoToMeeting and all of this remote conferencing software, the adversaries know this, so they are going to target that. That’s why there’s been a lot of news previously about Zoom and how adversaries were taking advantage of that, and it’s one of those things where that is really inevitable: as market share grows for a specific solution or product, they’re going to get a lot more attention from adversaries for whatever their motivation is.

Jeff Hudesman:

Also, security consideration is often trumped by urgent operational needs, unfortunately. As much as I think that security is the most important thing to anything, it’s obviously … I mean, it is paramount, but we obviously need to keep the business running. So, it’s just very important as a security leader to ensure that the executive leadership understands the risk and things that really could go wrong and how that affects, obviously, the company stature.

Jeff Hudesman:

So, also, this scramble often leaves organizations vulnerable to external public-facing threats that weren’t the same prior to COVID-19. So, as I mentioned, VPNs now, they might not have been as important to … I mean, it’s important to us, and it’s important to a lot of security executives, but some organizations might not have patched their VPN or their remote access solution or even their conferencing software that often because they didn’t need to, because it just wasn’t a heavy target, but now, it is. Now, adversaries are using zero-days, which are highly sophisticated exploits, unknown to the public, to break into VPNs and to gain access to networks. It’s very, very concerning.

Jeff Hudesman:

So, as I was mentioning earlier, security threats are not dramatically different than they were before this current quarantine, but the targets have changed. Just a few things that US-CERT has classified: cyber actors are targeting organizations who’ve kind of rushed through Microsoft O365, for instance, and may have improper security configurations, which will make them more vulnerable to attack. As I mentioned, email is really one of the most common primary vectors for facilitating an attack. They are also, as I mentioned, increasingly targeting unpatched virtual private networks. So, to any security folks on the call, or really anyone who’s going to speak to their security team, really just make sure that remote access technology and things that really provide a lot of access to your company’s information resources are patched and maintained more so than they were before.

Jeff Hudesman:

Also, security weaknesses such as poor employee training and awareness and a lack of recovery and continuity plans continue to make companies susceptible to ransomware attacks. Again, it’s very similar to my previous point on the hacktivists or those types of adversaries. It’s not always hacktivists because, again, some hacktivists generally aren’t looking for financial gain, but you have different criminal rings that will facilitate ransomware and then charge for the decryption of the information that they decrypted. Unfortunately, hospitals even during this pandemic have been targets of this, where they now have systems that are not operational. They can’t do anything unless they pay an expensive ransom, and they’re not even sure that they’re actually going to get their data returned. So, that’s always a major concern. We can go to the next slide.

Jeff Hudesman:

So, these are the top 10 industries impacted by threats in 2019. Just a good thing, an interesting thing to look at. You’ll see how things fluctuate and change month to month. For example, you’ll see education threats dropping midyear with services spiking in the summertime. These are things that security teams need to be cognizant of. Alex mentioned key cyber terrain, and we mentioned how key motivation is in the attack equation, because without knowing a known target and motivation, the ability to defend the aforementioned key cyber terrain, which again is our most important asset, is impossible.

Jeff Hudesman:

So, for example, right now, motivation-wise, sensitive research data and intellectual property for COVID-19 vaccines and treatment and testing is of extremely high value to adversaries. Another really critical one is managed service providers, certain financial platforms and startups and tech services being used as jump points into larger organizations that are more secure. You’ll see that a lot … or if you read about previous breaches, a lot of the breaches stem from a third party that had a degree of access to this larger company’s environment, and their controls, whether it be access controls or configuration management, ensuring their systems are secure or even that their employees are trained, might not really be at the same level as these larger and more secure companies, so that is obviously a concern as well. Obviously, there are lucrative monetary incentives for leveraging cyber attacks including ransomware in the financial, medical, and government industries, or the financial and medical industries as well as government. You can go to the next slide.

Jeff Hudesman:

Now, for financial services specifically, we are starting to see a major shift in targets as consumers start to use different services in quarantine. Some of these attacks are really deceptive in nature to create a diversion, so almost like a smokescreen-type situation. With the increase of remote work, the use of VPNs has become instrumental to a functioning business environment, making them prime targets for not only getting into a network but also taking down the ability for employees to access said network. Large-scale attacks are growing in severity. The need for robust protection is critical to ensure that the workforce can stay operational. You can go to the next slide. So, at this point, we’re going to pass the torch on to Alex, who will start talking about ways that organizations can defend themselves against all the aforementioned COVID-19 threats as well as just generic cybersecurity threats.

Alexander R.:

Thanks, Jeff. So, yeah, the key here is a few different things, right? Obviously, defense-in-depth is critical to any cybersecurity program as a whole, but that’s why I really like to say the key cyber terrain, because we understand that security budgets are finite. There are organizations that may not have the same amount of funding as a large organization or be able to accomplish what they can. So, it’s really important that organizations identify what that key cyber terrain is, or what’s most important for them to protect, and really devote their resources to those specific areas of interest that an attacker may be motivated to go after, right?

Alexander R.:

So, in today’s day and world, with where we’re at currently, defending the external VPN and spending time to reconfigure hardened and developed technologies or placing [inaudible 00:43:29] technology that would help you potentially decrease the attack surface is really important when it comes to, let’s say, the VPN or specifically RDP or workstations that are in the cloud today, whereas before, maybe it wasn’t always as important for security teams to focus on those, but today, those are now extremely, extremely important to protect, as Jeff was mentioning earlier. There’s this capability, right? So, while attackers have capability, so do defensive teams, right? So does the SOC, the security operations center, right? So, the SOC may have capabilities to combat these threats. If they don’t have the capabilities, they need to be able to refine or fit once they see something take place, because inevitably, these things will eventually happen to any company. It’s just a matter of when, right?

Alexander R.:

Some people say the attacker has the advantage, but in certain cases, so does a security team if they have the proper capabilities to combat those threats. So, if you’re spending your time defending RDP or defending a VPN or defending against phishing emails extensively, you have to make sure you have the capabilities properly in place to defend against those. There are many different ways, right? There are different technologies. There are technical controls, and there are policy controls that Jeff mentioned earlier, right? So, when it comes to defending against phishing, maybe it’s rolling out a new social engineering training course for all employees. Those things, while they may seem small, are actually extremely cheap and easy to implement, and they can have a huge impact when it comes to deterring and disrupting an adversary and what they’re trying to go after.

Alexander R.:

As simple as even marking an email as external, imagine what that can do, right? So, if you’re marking all your emails that are coming in from external or untrusted resources, that’s a big deal. You can mark those external. Now, users are aware that this is not an internal, let’s say, HR email, something that threat actors commonly use to gain access, right? They generally impersonate people or offices of an organization to use that against the social … to use social engineering against employees.

Alexander R.:

Another key thing here is that security teams have to go through the process of mapping these threat vectors to their corresponding capability, right? If you find a gap during the identification of security gaps, you have to provide yourself with, or somehow implement, some capability or control, right? So, if you don’t have a security program that helps with phishing, you need to implement that. If you don’t have DNS filtering, or if you don’t have some type of, let’s say, full PCAP or something on the boundary that you need access to because you’re a high risk, you’re potentially a high-value target for an attacker, you need to implement those controls. I understand that sometimes that’s easier said than done, because some of this comes with legal concerns and so on, so there are things you have to keep in mind, but security teams today really have to start mapping these threat vectors to the corresponding capabilities, so that way, they can make good decisions on where they’re spending their resources and their money. So, that’s a critical portion of where security controls actually meet technical controls.

Alexander R.:

Then, finally, before I pass it off to Jeff to start talking about more of the human resource portion, these technical controls have to basically be put into place to be as left of boom as possible. I always like to say this specifically because it maps very, very, very well back, right? It maps back to the military side. It maps back to the intelligence side. It maps back to the cybersecurity domain as well, whereas if you’re trying to thwart or deter and disrupt an attacker from gaining an advantage over your organization, you have to be thinking left of boom. You have to be thinking ahead of the adversary.

Alexander R.:

Your security teams need to have the capabilities and controls in place to help them, one, discover or even basically find the known bad, but also help them find the unknown bad as well. Again, easier said than done, but getting as left of boom as possible, where boom would potentially be initial access or maybe a phishing email, will really, really help you block some of this noise in the heightened, let’s say, phishing campaign era that we’re in today. I’m going to pass back to Jeff because he obviously … He’s in this process right now to basically help operationalize the overall portion of work from home.

Jeff Hudesman:

Yeah. Thanks, Alex. So, yeah, I mean as we build this new normal, obviously, we’re experiencing the extreme end now with quarantine, as people are largely inside, with the exception obviously of essential workers, we really have to be dynamic in how we employ security controls, how we leverage resources. So, basically, what I hear … When the world went on pause, the workplace was … what we’ve known before was really shattered. Some security threats went away, maybe some things that were more physical in nature, but new things are taking their place.

Jeff Hudesman:

As we come out of this, I mean we really now have, like, the unprecedented opportunity, so all the companies, all the people on the line right now, your companies have the unprecedented opportunity to start fresh and really do this right and really take on these threats that are really geared towards the remote workforce and this new post-COVID world to really build a robust security program. It really is a lot … I don’t want to say it’s easier than you think, because I think that Alex’s and my jobs are very, very difficult, but I think a lot of it just has to do with proper allocation of resources and focusing on the right things.

Jeff Hudesman:

So, for example, in HR, just establishing that security culture and just ensuring the employees know that we take this very seriously … You have to follow these security policies. This is not just a document that you check or you sign and that’s it. You really need to understand what you are allowed to do in your company, because the ramifications of negligence or any other types of oversight are tremendous and can cost companies millions of dollars, so really … and something that I know in my own career, my own role currently, I work very, very closely with my HR department to make sure that, again, we properly communicate to employees and they’re well-trained on our security policies and on how to make sure that they’re doing things right by the company. I think we can go to the next slide. So, yeah. So, I think we’re going to start some questions, which I think a few just came in. Becky, are these the questions that we are going to answer here?

Becky:

Yeah. So, we have a couple that just came in.

Jeff Hudesman:

Perfect. So, the first question is, what is your company’s experience with COVID-19, and have you seen any impacts? So, I think I could take this, and I’m not sure if Alex has anything to add. So, first thing, at DailyPay, we haven’t seen much in terms of the offensive side of things. We haven’t seen any real changes in the way that adversaries are kind of taking on our security defenses, but in response to COVID-19, we really work very hard to ensure that methods of remote access, all of our different applications, all end user computing devices, everything is secured and … because being that we are now giving employees … We’re really entrusting them to a certain extent because they’re no longer on premises, and they do have a little more flexibility, so we do use technology to make sure that, again, they’re using their work computer. Are they going to put it on some insecure laptop that doesn’t have our tightened security policies like encryption, or making sure that USB drives can’t be used?

Jeff Hudesman:

So, in terms of our strategy and how that’s changed, of course in terms of remote access again and in terms of how we view security threats, it’s definitely something that comes up daily in our security team meetings and discussions. Yeah, that’s how we’ve seen things thus far. So, that’s definitely a really great question. So, the next question I see: what technology or controls could we implement to handle the influx of malicious domains and block them proactively? Alex, do you want to take a stab at that one?

Alexander R.:

Yeah, absolutely. I’ll take a stab at this one. So, obviously, there are technical controls that can be put into place as well as policy controls, of course, but there are some easier and then some harder implementations of technical capabilities that would have to be implemented. Something as simple as using even a DNS filtering service could probably have an immediate impact on your infrastructure, small or large, right, just to provide that threat intelligence that’s currently being propagated throughout the community as a whole to block and reduce the impact of these malicious domains or ones that are at risk or newly registered.

Alexander R.:

Then, of course, a defense-in-depth scenario has to be applied, right? So, it’s not just that. You may need to have some larger technology such as NetFlow data in conjunction with threat feeds such as DomainTools, which we mentioned today as an example. There are plenty of vendors out there that could help you with this, but at that point, you could start setting up monitoring of your NetFlow feeds to basically alert on suspicious domains or ensure they’re not communicating internally, and then the investigation and lurk process can be kicked off for your SOC. So, that’s a great way of getting started. Something small such as even this DNS filtering could have a huge impact on the overall effect that a threat actor could have, and stop some of these newly registered domains.

Jeff Hudesman:

Great. Yeah. So, I think we have one more question here. So, what do you suggest for helping to filter out the influx of phishing emails seen related to COVID-19? I could just give a little bit on here, and I’ll definitely want Alex to build on it. So, yeah, at DailyPay, we leverage an advanced threat protection platform for email, and I think it’s absolutely critical to defending our employees from receiving these targeted threats. It’s highly configurable. Again, we do see that the vendors will obviously constantly update their signatures and things they’re looking for to block things, but we also, as a team, will add signatures ourselves to ensure that we are blocking things that are, I guess in this case, COVID-19 related, or anything that’s a major threat to our company. Alex, I think you definitely can add some cover here too.

Alexander R.:

Yeah, absolutely, Jeff. So, once we start talking about technical controls outside of even the policy controls, there’s context that has to be here, right, as well as legal concerns and the capability to actually implement these controls, but I always like to start with the easiest, right? So, from a high level, you could always start with the low-hanging fruit such as aggressive email filtering like Jeff just mentioned, enabling DKIM, DMARC and SPF controls to ensure that the emails that are coming in are actually from trusted domains and that they’ve been properly set up, because a lot of times, attackers will basically misconfigure these specifically. That’s an easy way to start filtering out a lot of the noise right upfront.

Alexander R.:

Then, there’s obviously the one I mentioned before, which is, you can do a policy-based technical control such as marking email as external, or even moving to a full-blown SMTP mail filtering and sandboxing solution that some people offer. These small steps can really weed out the bulk of the less determined threat actors out there, but from that point forward, once those technical controls fall off, the training kicks in on the user. So, that’s why we’ve mentioned it a few times now in this presentation that training on the user side is critical when it comes to phishing. It’s your first line of defense against it, especially if the technical controls failed, because if there’s a determined threat actor, they will eventually be able to get through it. They will do the testing. They will use the right tools. They have the capability to get through it.

Jeff Hudesman:

Wonderful. Yeah. So, again, thank you very much everybody for attending this webinar. It’s been great to speak with you, and if there are any additional questions, I’ll make sure I work with our team to get Alex’s and my contact information out to all the attendees. If you have any questions about what we’ve covered or anything else, we’d love to assist there. Then, Natalie, I guess I’ll pass it on to you to maybe speak about the next webinar in the DailyPay webinar series.

Natalie:

Yeah, awesome. Thank you for those wonderful insights, Jeff and Alex. So, yeah, before we sign off today, I’d like to let you guys know of one other webinar opportunity in two weeks called Evaluating On-Demand Pay Providers in the New Normal. So, if you’re interested in learning about why companies like Kroger and Tractor Supply use the method, how they’ve evaluated the on-demand pay industry and ultimately chose to work with DailyPay, that is one you will not want to miss. All right. So, thanks everyone for joining us today. We hope to see you in two weeks, and have a great rest of your day.
