The COVID-19 pandemic has forced us all to rethink how we do things, both personally and professionally. In cyber security, we need to remain proactive to protect ourselves and our customers in the face of these threats. By combining the intelligence that TELUS gathers from different intelligence forums, threat feeds as well as our own tracking of novel Indicators of Compromise (IOC), we have performed proactive threat hunting activities on customer environments, alert impacted customers and helped with their investigation, most recently working with a large hospital system, at a time when Canadian health organizations have been specifically alerted.
Focus on the areas most impacted by the change in end-user activity
Cyber security, like many other disciplines reliant on analytical techniques, often relies on detecting behaviour that is out of the ordinary. Central to this, is first defining a baseline for normal behaviour, typically based off of historical patterns. But what happens when there is a new normal?
With the emergence of COVID-19, the rapid transition to a remote workforce has had significant impacts to network traffic patterns, introduced a variety of new collaboration tools, and shifted user activity times due to varied work schedules. As a national network operator, we are seeing these impacts across the board, with pretty much every industry and geography affected.
With this new normal, detecting anomalous behaviour has required us to view the same data sets that we are used to, but with a different lens. For example, before the pandemic, large variations in VPN traffic may have been a reason for alarm. Today, viewing these same variations in VPN traffic is not likely to allow for a meaningful conclusion to be drawn. While re-baselining for the current context is an absolute necessity, this can only be done over time, once a pattern has been set for the new normal. In the interim, focusing on metrics that are likely to remain stable, such as the ratio of VPN authentication failures, gives us a meaningful way to continue to identify anomalies.
Help users identify the trending phishing topics
Recent weeks have seen a number of headlines calling out the attempts by fraudsters to capitalize on the global pandemic. At TELUS, we have noted that the phishing email volumes, and associated infection rates, continue to remain relatively stable, indicating that there isn’t a sudden spurt in fraudster numbers, just that the same old ones are keeping up with the times. On the SMS messaging side, we are seeing the scams moving from focussing on tax refunds to trying to exploit the new government income support programs instead.
With the increased distraction, stress and the speed at which information is evolving it’s easier than ever for people to fall victim to phishing. It is important to reach out to your users and share examples of the current phishing and smishing campaigns (like “the virus is now airborne”, “click here for a cure”, and “deposit your emergency response benefit”) to help them identify the trends. Remind them to stay vigilant.
Collaborate with threat intelligence partners to strengthen the community’s resilience
TELUS is an active collaborator within strategic intelligence sharing communities, helping play our part in maintaining a cyber resilient Canada. As a founding member of the Canadian Cyber Threat Exchange (CCTX), we believe that through gathering, enriching and sharing cyber threat information, we strengthen each other. COVID-19 themed discussions are being held multiple times a week and TELUS is able to contribute a unique perspective to the increasing number of COVID-19 threats and provides insights into the overall network health in Canada.
A new association of cyber security professionals called the World CTI League has assembled to tackle COVID-19 themed cyber attacks with special attention to the protection of the healthcare sector and other essential services. TELUS has quickly developed processes to ingest the new intelligence to protect TELUS and our customers.
TELUS will continue to join with other cyber security leaders in this fight, recognizing that community action is required now more than ever.
Proactively protecting our customers
As a large network operator we have visibility to a broad set of threat data that we use to identify new and emerging threats. We perform phishing detection within our SMS services and combine that data with what we are seeing on email platforms to refine our filtering capabilities. We use a defense-in-depth approach with technologies deployed across multiple layers within our networks (email, endpoint, perimeter, sms message flow, etc.) to look for novel indicators of compromise.
Being aware of the threats is only the first step. With over 230 (and counting) patterns to match, TELUS security analysts use automation to analyze the IOCs for common elements (contacted IPs, creation date, file names, tags, etc.) to identify the set of actively malicious threats. Using our customers Security Information and Event Management platforms, we are able to scan their environments for confirmed hits so we can quickly respond to the emerging threats.
Keeping a proactive stance is necessary in the rapidly evolving threat landscape.
To learn more about remote working security, visit telus.com/cybersecurity.