Adarma SOC During Covid-19 Disruption

Adarma Managed SOC response to Pandemic related business transformation and WFH challenges

The Covid-19 pandemic has caused unprecedented business disruption and change. This has resulted in increased security risks as businesses adjust to new ways of remote working. Couple this with threats that are constantly changing and clear intelligence on new Covid-19 related phishing and malware attacks, we see risks increase further.

The modern Security Operations Centre (SOC) is a key component of the cyber Resilience framework for enterprise organisations. In light of the challenges most businesses are facing relating to remote working, The Adarma SOC team is creating and rolling out working from home (WFH) use cases to help our customers adapt to the new ways of working brought about by the Covid-19 pandemic and new threat vectors.

Rory Shannon, Director of Managed Services for Adarma commented “Remote working has its benefits for most however, presented with an extended level of freedom and independence as well as reduced influence of cultural norms and behaviours, staff may be more likely to stray from organisational processes and working practices that exist. The traditional working environment encourages adherence of cyber hygiene and organisational policy by default and it’s important that organisations support their staff in maintaining security best practices.

Our customers are addressing new challenges associated with quick adoption of an enterprise-wide working from home model and we are doing everything we can to support them during this time. “

The influx of remote users during standard business-hours puts a strain on various online-services which provide essential functions, such as communication, collaboration, authentication and remote access. We have developed use cases and threat hunts around these in terms of confidentiality, integrity and availability (CIA) in these key areas.

Virtual Private Networks (VPNs)

Adarma has created bespoke WFH Traffic Dashboards for customers to monitor client remote access and related infrastructure on a regular basis in order to identify any control gaps across the relevant services as well as custom threat hunts.

If VPN’s are at capacity and are disconnected temporarily as they struggle to cope with the sudden rise in demand, this could leave company assets vulnerable to staff looking for insecure workarounds. We monitor VPN usage, capacity and availability in a number of ways including;

• Predicting the future bandwidth required, based on historic log analysis
• Monitoring actual VPN session count
• Monitoring terminated VPN sessions in the last 4 hours
• Monitoring failed VPN logins
• Searching for distinct users who have logged into VPN from multiple IP addresses
• Searching for multiple users logging into VPN from a single source IP address

Collaboration tools

Microsoft Teams has recently proven to be one of the most popular WFH applications; seeing a usage rate increase of more than 37% as the UK and other countries entered lockdown and companies were urged to adopt remote working practices.

When considering the popularity of Teams, in addition to the rapidly increasing volume of employees WFH, the risk of outage and compromise has exponentially increased.

Adarma has introduced an availability measure to understand the current Teams utilisation whilst comparing to baselines over 4 hours, a week and 7 days. We could also use the predict function to assess the future capacity required for Teams.

Covid-19 Phishing Attacks and Malware

When coronavirus first began to spread in China, we received intelligence that the majority of malicious, coronavirus-themed files were submitted from China and targeted Chinese speakers. As the virus continued to spread and infect more countries, the malicious campaigns effectively mirrored the spread of the virus with new campaigns being seen within days of countries being affected by Covid-19.

Research has shown that an array of malware was distributed by these “coronavirus” campaigns, including variants of Emotet, RemcomRAT, ParallaxRAT, HawkEye, TrickBot, Agent Tesla and more. The most common technique observed thus far is a spear phishing attack that uses coronavirus-themed emails with malicious attachments. The Adarma SOC created threat hunts looking for these indicators and behaviours described by this series of threat intelligence reports.

Cyber Hygiene

Our customers are asking us for additional focus on these security metrics at this time. Whilst not always the most glamorous of use cases, having visibility of where other controls aren’t working provides excellent Operational Intelligence. Examples include;

• Significant changes to the number of endpoint devices failing to receive Windows, AV or other routine updates.
• Significant changes to either allowed or blocked traffic through perimeter firewalls
• Use of prohibited or Insecure protocols on the network
• Tracking RDP usage for potential malicious lateral movement
• Data sources stopping reporting to the data platform/SIEM

The Adarma Managed SOC Service

At Adarma, we provide a fully managed tailored and entirely flexible SOC capability that constantly evolves with our customers’ needs and the changing threat landscape. Our primary objective is to provide pain free access to all of the necessary tools, skills and processes that will give our customers peace of mind and enable them to get on with the job of running their businesses.

In times of uncertainty and business disruption, the Adarma service is able to adapt quickly and ensure our customers remain fully supported, thereby minimising the impact of security incidents and threats on the day to day operation of the business.

The Adarma Managed SOC Service acts as an extension to our customers in house team. Delivered remotely, the service enables complete visibility of threats across their entire monitored domain, highlighted from the background noise of all of their event data. Every event is handled, nothing is ignored.

We also deliver a day one configuration balancing our industry expertise with a flexible approach focusing on clients’ key risks as well as consistent, high quality, context aware and iterative response processes ensuring threats are identified and addressed in a timely manner.

Whilst our service includes bespoke use case creation and development as standard for every customer, we also quickly create use cases aligned to the Mitre ATT&CK framework, responding to common shared threats and challenges to ensure our customers remain operational.

Sign up to our webinar to learn more and meet the SOC team

About Adarma

Adarma analyses, monitors and responds to threats for some of the world’s largest companies. Formed and run by former senior security leaders from the UK’s leading financial organisations, we know security and how to deliver real value in the real world. Our clients are successful FTSE 350 organisations from highly regulated industries, looking for a partnership approach to threat management. We would welcome conversations to discuss Adarma’s SOC service with any existing Adarma customers as well as organisations considering outsourcing their Security Operations.