Hello everyone !
Some of you know that next week I will quit the SoC & Incident Response team world for another adventure (still in cybersecurity). But I want to make a last blog post about best practice (for me) for blue (and purple) teams during this pandemic time !
First at all : the threat landspace
It is not a surprise many attackers use Covid-19 like a propagation vector for Phishing and malwares attacks. We can see too some "new" physicals attacks like send infect USB Key via UPS (is not link to Covid but we can imagine that some group will send infect UPS key to critical employees).
Of course some remote conferencing tools like zoom are used by attackers.
And unfortunately some attackers still use ransomware against hospitals.
Some companies weren't ready too full home working, so some uncrontrolled changes have been made. And we all know that not controlled transformations are egal to security vulnerabilites ;).
When you know that, in France for example, in many compagnies home working was only 1 day /week and just for some employees, and in some SMBs they had no homeworking at all, now imagine when the majority of your staff/employees need to homework, providers too and that all working days.
You can easily imagine that some homeworking services were created at last time and are not compliance with "the state of art" !
Blue/Purple Team/SoC what to do ?
For me main steps are :
- Please do not stop vulnerability management : we still have new vulns ! Patching must continue. Please ensure to patch your VPN controllers, exposed servers and user's end point !
- Check for anormally long SSH connections : it can be a reverse SSH tunnel (not necessary from an attackers, it can be from legit users for home working problems). You can do the same for VPN connection !
- Check for remote control tools like teamviewer : you can use DNS logs, or some TI feeds can help, I know that emerging threat give list of GotoMyPc IPs (which include teamviewer, logmein, ...)
- If you have AI/ML network security sensor like Vectra or Darktrace, please ensure that they still can capture the user trafic ! Your users are not even in your private network but they are thoughts VPN, please ensure that this network trafic is capture and send to your sensor.
- If you have an on premise AV/EDR controller please ensure your users endpoints can contact it, even if the VPN is not mount !
- Scan your public IPs to find new open port (like RDP for example :)).
- Review firewall rules.
- Review AD/LDAP sensitive groups.
- Ensure that your SIEM manage correctly logs from cloud services (like O365/Azure) and check for abnormal behaviour !
- Please ensure that all critical access have MFA/OTP.
- Try to make security awarness to users about phishing and malwares.
- In your DNS logs check for domains with key words zoom and covid, they seems to be hardly use to serve malwares :)
- Prepare yourself, try to stay cool and have fun (as always but from home) !
And maybe is the good time for a red team exercice (or not :)).
Some Indicators of Compromise
Here some IoC relative to Covid-19 :
- Fake AV :
- Hash : 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
- Some phshing examples :
And you can find many IoC link to covid-19 campaigns, if you want somes contact me, but if you work in a SoC/CERT you will have them.
That's all for me. Please stay safe online and IRL !
If you want to contact me about this subject :