I heard some alarming new statistics from IBM Security this month during IBM Think. With COVID-19 as a backdrop, cyber-attacks are up 14,000%, led by a spike in ransomware. IBM also revealed a 6,000% increase in spam, as hackers take advantage of nervous users with fictitious coronavirus news and miracle cures. Other firms like DomainTools, FireEye, and Palo Alto Networks have reported similar data.
Of course, an explosion of cyber-attacks around COVID-19 comes as no surprise to cybersecurity professionals. Whether it's flooding in Houston, fires in California, or earthquakes in South America, cybercriminals have perfected their ability to make an illegal buck on human misery. Global pandemic? Great news for online bad guys – the world population is a potential target.
Fortunately, cyber-defenders have a way to fight back.
As Sun Tzu said, “if you know your enemy and know yourself, you need not fear the results of a hundred battles.” From a simple cybersecurity perspective, this means comparing the latest and greatest cyber threat intelligence (CTI) with what’s happening on your organization’s network, looking for malicious files, behaviors, and network traffic.
Yeah, I know, this is an obvious conclusion, but many organizations continue to take a very basic approach to CTI. For example:
- Leaning on vendors. Part of being an endpoint or network security vendor is keeping up with attack patterns, developing countermeasures, and sharing them with customers. Okay, but this is a first line of defense and nothing more.
- Equating threat intelligence with indicators of compromise. Cyber-adversaries use web sites, IP addresses, and files within their attacks. Threat intelligence researchers watch for this activity and report the malicious things they find as indicators of compromise (IoCs). Blocking malicious IoCs is useful, but it’s a baby step.
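To make the CTI-versus-network comparison concrete, here is an added example (not code from the original post or from any vendor named in it) that loads a small, constructed indicator feed covering the three IoC kinds just listed (web sites, IP addresses, files) and sweeps constructed DNS, proxy and file-download log lines for matches. The feed format, log format and all indicator values are assumptions for illustration; the only practical wrinkle it handles is that feeds usually arrive "defanged" (`hxxp://`, `[.]`) and must be normalized before they will ever match a real log value.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed (no real indicators), written "defanged" (hxxp://, [.]) as feeds usually are.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample: not a real file").hexdigest()
CTI_FEED = f"""
domain,cure-miracle[.]example
ip,203.0.113.77
url,hxxp://covid-relief-funds[.]example/login
sha256,{SAMPLE_SHA256}
"""
# Constructed log lines: "<timestamp> <source-host> <kind> <value>"
SAMPLE_LOGS = [
    "2020-05-01T09:00:01Z ws-12 dns cure-miracle.example.",
    "2020-05-01T09:00:02Z ws-12 http http://covid-relief-funds.example/login",
    "2020-05-01T09:00:03Z ws-07 http http://203.0.113.77/update.bin",
    f"2020-05-01T09:00:04Z ws-07 file {SAMPLE_SHA256}",
    "2020-05-01T09:00:05Z ws-03 dns intranet.example",
]
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http|file) (?P<value>\S+)")

def refang(ioc: str) -> str:
    """Undo common defanging so feed entries compare equal to log values."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_feed(text: str) -> dict:
    """Parse 'kind,value' feed lines into sets keyed by indicator type."""
    iocs = defaultdict(set)
    for line in text.strip().splitlines():
        kind, value = line.split(",", 1)
        iocs[kind.strip()].add(refang(value))
    return iocs

def match_logs(iocs: dict, log_lines) -> list:
    """Return (source, indicator_type, value) for every log line that hits the feed."""
    hits = []
    for line in log_lines:
        if not (m := LOG_RE.match(line)):
            continue  # unparseable line: skip it rather than stop the sweep
        src, kind, value = m["src"], m["kind"], m["value"].lower().rstrip(".")
        host = urlsplit(value).hostname if kind == "http" else value  # compared against domain/ip IoCs
        if kind == "file" and value in iocs["sha256"]:
            hits.append((src, "sha256", value))
        elif kind == "http" and value in iocs["url"]:
            hits.append((src, "url", value))
        elif host in iocs["domain"] or host in iocs["ip"]:
            hits.append((src, "domain" if host in iocs["domain"] else "ip", host))
    return hits
```

Running `match_logs(load_feed(CTI_FEED), SAMPLE_LOGS)` flags four of the five constructed lines; the benign intranet lookup produces no hit, which is exactly the limit the post describes: an exact-match IoC sweep catches only what the feed already names.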