How security teams can combat disinformation attacks

Nov. 11, 2020
Fake news allowed to spread online can have devastating consequences for organizations of all sizes

The damaging effects of misinformation are not limited to the political process. Cybercriminals and state-backed groups are increasingly targeting the private sector with disinformation campaigns or campaigns which deliberately spread misinformation. These bad actors use a range of tactics – including phishing attacks, fake domains, and social botnets – to spread misleading and damaging information about companies. With major brands like Starbucks and Tesla forced to mitigate brand damage from disinformation, cybersecurity professionals are understandably concerned by the impact these campaigns can have on their own organizations.

The Growth of Disinformation Campaigns During COVID-19

Mark Twain famously said that a lie can travel around the world and back again while the truth is lacing up its boots. True as it may be, in an ironic twist that he would surely appreciate, Twain never said it. While both misinformation and disinformation thrive in times of chaos and confusion, COVID-19 has been a boon for attackers to sow the seeds of disinformation.

In the early stages of the pandemic, cyber criminals acted quickly to register fake domains related to the coronavirus. Neustar tracked 28,000 of these illicit websites by the end of March. Some of these sites solicited donations while others pretended to offer government advice but were actually fronts for phishing campaigns. They all used fake domains to portray themselves as legitimate, making victims believe they were connecting with real organizations instead of criminals. Although hosting companies have done an admirable job of taking down these malicious domains, it’s up to businesses to protect themselves from the fraudsters targeting their customers and employees.

Attacks conducted with fake domains are certainly large-scale efforts, but they pale in comparison to the reach of social networks. Platforms like Facebook, Twitter and Instagram are used to spread disinformation on a global scale. The unsubstantiated conspiracy theories that have sprung up in response to the pandemic have significantly hurt the credibility of public health officials, making them less effective in mitigating the disease. The same tactics are impacting private organizations. Bad actors are using these channels to spread false information, or even misrepresent themselves as a business, creating confusion and damaging brand trust.

An Evolving Threat Landscape

There are new technologies emerging that put organizations at additional reputational risk. Deepfakes use artificial intelligence to create sophisticated digital forgeries of images, video and audio. Shared over social media, manipulated media can facilitate fraud and damage brand credibility in minutes. Work is already underway to apply quantum computing and crypto-algorithms to tell if a bit or pixel has been altered between original transmission and reception, but deepfake technology is five years ahead of the infosecurity industry’s ability to defend against it. In the time lag between the emergence of the problem and the development of a solution, the hazard to businesses is of real concern.

In the face of these growing threats, most infosecurity professionals feel their teams are not equipped to address potential disinformation issues. A recent survey from the Neustar International Security Council found that only 36% of security executives were confident in their organization’s current ability to successfully identify disinformation and fake domains. That’s not surprising given the complexity of these attacks and the internal coordination required to mitigate them. However, there are proactive and reactive measures teams can implement to protect their organizations from the risk of digital disinformation.

Monitoring for Disinformation Threats

Organizations need to be aware of how their brand and networks can be coopted to spread disinformation. The first step is to implement systems that monitor all digital mentions of your brand. Most track for mentions in traditional, online, and social media, but security teams should also track activity from similar domains. It’s up to businesses to quickly identify fraudulent domains mimicking their own corporate sites. Speed is key to preventing brand damage, so having an automated monitoring system in place that alerts teams of suspicious domains is recommended. In the event of a business discovering a malicious domain, they can report it to the hosting company which can take appropriate action.

Monitoring to prevent users from being deceived by illicit domains is just as critical to protect company data and systems, especially as employees have shifted to a remote work environment. Queries leaving the network should be monitored carefully. This involves looking at the size or depth of a query. Given that DNS only allows for 63 characters between each dot, anything to the left of the “.com” of a domain can only be this length. Cybersecurity teams should also look at the character strings. As an example, the Mirai botnet randomized the first 12 characters before the dot. Catching these newly created or zombie domains will protect users from being part of exfiltration or malware campaigns.

Typical corporate IT infrastructure uses tools to look at and filter DNS queries for employees on the network, but when the footprint changes, the protections also change. Remote work environments have these queries come through an ISP. The home networks of employees won’t be secured to the same extent, and unless a VPN tunnel has been directed through DNS filtering tools, these endpoints make organizations vulnerable to attack.

Prepare for a Coordinated Response

Though online reputation management is not a traditional responsibility of cybersecurity teams, they are the best positioned to address disinformation campaigns. They can leverage information security frameworks to give organizations methods to identify and counter disinformation-based attacks. That being said, marshalling resources and teams from across the organization make for the most effective response to disinformation efforts.

Key to that is establishing a crisis response plan with buy-in from stakeholders across the organization. This should include senior leadership, legal, public relations, and product marketing. Any response plan should have detailed roles and responsibilities, along with the steps to take in the event of certain scenarios. It’s also an opportunity to identify any gaps that identify additional resources, people, or technology that security teams need to address. Consider hosting exercises to ensure a quick and effective response in an actual crisis.

Lastly, make sure your brand’s established communication channels remain secure. Misrepresentations are damaging enough; if members of your organization are irresponsible with credentials and email or social media accounts are compromised, the brand damage will likely be worse.

The right practices will give security teams the means to address disinformation campaigns and protect brands from the trolls and criminals who would hurt them.

 About the Author:

Rodney Joffe is a DNS and security industry pioneer who founded a pair of keystone companies – Genuity (first commercial Internet hosting company) and UltraDNS (first outsourced, cloud-based DNS company) – and now serves as SVP and Fellow at Neustar. He regularly lends his insights and experience to organizations like ICANN and the U.S. government, where he sat on the cybersecurity intelligence panel and served as an advisor to the Obama White House. Rodney is one of the first civilians to receive the FBI Director’s Award for outstanding cyber investigating (due to his role in uncovering and taking down the Butterfly Botnet), and has helped establish and lead prominent engineering organizations including NANOG, ARIN, IETF and OARC, as well as numerous working groups including Conficker and M3AAWG.

About the Author

Rodney Joffe | SVP and Fellow, Neustar

Rodney Joffe is a DNS and security industry pioneer who founded a pair of keystone companies – Genuity (first commercial Internet hosting company) and UltraDNS (first outsourced, cloud-based DNS company) – and now serves as SVP and Fellow at Neustar. He regularly lends his insights and experience to organizations like ICANN and the U.S. government, where he sat on the cybersecurity intelligence panel and served as an advisor to the Obama White House. Rodney is one of the first civilians to receive the FBI Director’s Award for outstanding cyber investigating (due to his role in uncovering and taking down the Butterfly Botnet), and has helped establish and lead prominent engineering organizations including NANOG, ARIN, IETF and OARC, as well as numerous working groups including Conficker and M3AAWG.