How NTT Ltd. in India is Protecting WFH Employees from BEC Attacks During the Pandemic
Nigerian groups like the OZIE Team increasingly targeted work-from-home employees, knowing that personal devices and home networks lack enterprise-grade security. So, NTT Ltd. launched Project Care to protect its customers and their employees.
NTT Ltd. Global Threat Intelligence Center (GTIC) publishes a Monthly Threat Report based on its observations and research. Its October 2020 report featured an article on the OZIE Team – a Nigerian business email compromise (BEC) threat actor group. The OZIE Team has targeted 852,541 domains since it became active in 2017. It is targeting businesses around the world working in the manufacturing, health care, automotive, and food distribution industries. GTIC has been tracking the OZIE Team Team since August 2019. CISO MAG spoke to Murtaza Bhatia, Head – Vertical Solutions, NTT Ltd. in India. to learn about the modus operandi of this gang and what NTT Ltd. did to protect its customers and employees from BEC attacks during the pandemic.
By Brian Pereira, Principal Editor, CISO MAG
According to the GTIC report, the OZIE Team relies on commodity malware sold through sites like HackForums.net and private discord groups. To purchase the commodity malware, the OZIE Team uses Bitcoin and Bitcoin Cash, or internet payment systems like Perfect Money.
Murtaza Bhatia, Head – Vertical Solutions, NTT Ltd. in India
“They use off-the-shelf tools to do this compromise, rather than creating new variants or new malicious codes. They compromise communication channels, people’s information on their laptops and desktops via their email accounts. So, the whole idea is to hack via email as a channel. They send bulk emails to different targeted industries, groups of people that they select, which leads people to click links in the mail or open attachments in the mail. Those links or attachments are malicious, with malicious codes built into the attached files. And that malicious code once executed will start logging keystrokes and send these back to a central server, which collects information over a period of time. And that is how they get passwords and other user information,” explained Bhatia.
The OZIE Team performs massive reconnaissance spam campaigns against a variety of industries looking for victims. After the reconnaissance campaigns, the OZIE Team will analyze the results and focus on an industry based on the results of their reconnaissance campaigns.
This year, the OZIE Team turned its attention to work from home employees, with pandemic-themed BEC attacks.
“The group took advantage of the fact that people are working from home using unsecured systems such as their personal devices, which lack enterprise-grade security tools,” said Bhatia.
To protect its customers who had work-from-home employees, NTT Ltd. launched an emergency response program in March called Care Program.
“Through the Care Program, we went to all our clients and helped them in terms of setting up secure remote connectivity, giving them secure access to business applications on personal and corporate-owned assets from home. We gave them the ability to measure and monitor the productivity of their employees working from home by providing the appropriate collaboration tools. The combination of these solutions will create a secure environment around the user,” said Bhatia.
NTT’s strategy to protect WFH employees
CISO MAG asked Bhatia about NTT’s strategy and the steps it took to protect WFH employees. Bhatia told us that they considered the visibility of the corporate assets at remote locations. They also looked at the reconfiguration of security tools that are already deployed on those assets or devices.
“We need to first understand what kind of asset the home user has. Is it a corporate-owned laptop with security tools already installed and deployed? Can I reconfigure those security tools, because now these tools have gone out of the corporate network and the device will be connected to home Wi-Fi broadband, which is an unprotected network? So, configuration checking policies on these tools had to be considered. These configurations have to be reset or changed for a different scenario because the connectivity has changed. And when the connectivity and environment have changed you need to understand what applications a user is authorized to access. And this depends on the security profile of the user as well as the sensitivity of the application they are using,” added Bhatia.
NTT Ltd. had to assist its customers in changing the policy frameworks for all employees. It was a laborious and time-consuming process.
“We had to change those policy frameworks so that the users had access to applications and data on a need-to-have or need-to-know basis. We could then configure the toolsets available on their devices to prevent them from doing a copy-paste or accidentally leaking the data. So, there are tools and solutions which will help you to do that. We saw that most organizations opted for virtual desktop solutions where the desktop is running in the data center and is streamed to the client device,” said Bhatia.
NTT Ltd. offered its customers data encryption solutions and helped them with policies for sharing and storing data. Customers raised questions about compliance and regulation when discussing cloud storage. However, the government relaxed certain rules about allowing call center employees to operate from home, and that took away some anxiety.
“Everybody said it is OK to use the cloud. But some industries were bound by regulation and were not allowed to use the public cloud. But the DoT later said our contact center agents can work from home. They relaxed the rules in terms of connecting and doing calls from agents sitting at home in the ITeS / BPO sector. The relaxation in rules changed the boundaries of security,” said Bhatia.
Bhatia opines that it is the thought process that matters more than reconfigurations or anything else.
“Reconfiguration is about allowing access and also about securing. It is about how do you allow access with minimum or no risk. And this was possible because of the additional tools and cloud solutions that we deployed, such as multi-factor authentication. We could not ship reconfigured devices to remote locations because of issues with logistics. However, we could deploy and configure security tools to remote devices over the cloud. This helped us in reconfiguring security tools and policies,” concluded Bhatia.
Read the December edition of the GTIC Monthly Threat Report here.
Brian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).
Ensuring that you get the best experience is our only purpose for using cookies. If you wish to continue, please accept. You are welcome to provide a controlled consent by visiting the cookie settings. For any further queries or information, please see our privacy policy.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
June 11, 2024
Location: London, United Kingdom
City & Financial Global’s 10th edition of its annual Cyber Security in Financial Services Summit event taking place...
Brian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).
