The cyber-world has endured a tumultuous past year as cybercriminals played havoc with a reimagined workforce and a strained global supply chain. With the pandemic spilling over into 2022 the chaos of the prior year highlighted by a devastating SolarWinds hack and record-breaking numbers of ransomware attacks, our digital society faces challenges few would have imagined just 24 months ago.
As the social fabric of our country absorbs threats both physical and cyber, phishing attacks, social media manipulation, brazen hacks and scammers are all pounding at the doors of most organizations like barbarians at the gates. So, what is in store for 2022 as we begin the new year?
Climbing over the cyber debris left by SolarWinds, Log4j and other events of 2021, we gathered the comments of several cybersecurity experts who make no bones that security professionals may be embarking on the most difficult year of their careers. Predictions about the new year may seem a bit foolhardy, but many may serve as a roadmap of threats not yet encountered and a preemptive exercise for those already here.The Ransomware Menace
Looking back over recent years, ransomware has been an ongoing security threat for companies around the world. Digital transformation has accelerated — largely due to the rise in remote work resulting from the COVID-19 pandemic. Unfortunately, as companies went increasingly digital, a new opportunity emerged for cybercriminals to maximize profit by exploiting this new reality.
BitSight, a cybersecurity ratings company that analyzes companies, government agencies and educational institutions released some startling information related to the rise of ransomware attacks in a recent report, showing that from 2014 to 2019 attacks accounted for only 13% of cyber insurance claims. However, in 2020 alone, 54% of all claims were as a result of ransomware.
According to Justin Lie, Founder and CEO of SHIELD, a mobile-first risk intelligence company, expect Ransomware as a Service (RaaS) and double extortion ransomware to explode in 2022.
“We are now living in a time where anyone with access to a device can pose a significant threat to user safety and customer trust. And the cherry on top of the ransom-cake is that data is increasingly being exfiltrated as well as encrypted in a process known as double extortion. REvil (aka Sodinokibi) was the first to do this just over 18 months ago and it's now common practice. These are scary times indeed,” says Lie.
Chris Berry, CTO and GM of Security Solutions for PDI Software, a leader in enterprise management software for the convenience retail and petroleum wholesale markets that delivers solutions to connect to intelligent business, believes that in 2022, organizations will continue to see the proliferation of ransomware hitting all sizes of businesses.“That’s why it’s so important to make sure you’re preventing threats by securing your perimeter. But you also need the capabilities to detect potential threats and respond in real-time if you suspect you’ve been breached. Unfortunately, a large number of businesses still aren’t adequately protected against today’s sophisticated threat landscape. If you don’t have the internal cybersecurity staff or expertise to maintain 24/7/365 coverage, you might want to seek out a managed security services provider to supplement your own team’s efforts.”
Kevin Hanes, the CEO of Cybrary, a cybersecurity professional development platform that offers hands-on experiences to gain real-world cyber skills, insists that ransomware attacks will continue to increase, and someone finally pays the full price for meeting demands.
“Even though ransomware attacks over the past couple of years have been bad, they were only the tip of the iceberg. Given the extensive financial motivations for ransomware gangs and their utilization of insider threats, even current legislation and the Biden Administration's cybersecurity executive order aren’t going to prevent companies from trying to discreetly meet their demands,” Hanes says. “That being said, as organizations weigh the risks of guaranteed pain now versus potential repercussions later, someone is going to be made an example of by the federal government in short order. Not knowing the law won’t be an excuse and, although jail time is unlikely, there will be organizations that are indicted in order to make them think twice about paying these criminals in the future.”
To that end, Ilia Sotnikov, a cybersecurity expert and VP of User Experience & Security Strategist at Netwrix, is convinced that cyber insurance costs will increase, and policies will mandate higher security standards in the coming year.
“With insurance payouts becoming both more frequent and more costly, the cost of cyber insurance has already skyrocketed. Prices rose 96% in the US and 73% in the UK for the third quarter of 2021 compared to the same quarter last year. We expect continued increases in 2022. Moreover, insurance policies will require the implementation of critical controls that reduce the risk of cybersecurity incidents. With attacks becoming increasingly common, insurance companies will pay in exceptional cases only,” Sotnikov says.
Chasing the Bad Guys with New Tech and Methods
Cybercrime has become a global enterprise, and with it, the organizational threats have expanded, and the villains become more covert. 2022 figures to see an increase in criminal activity and state-sponsored hacks.
Guy Caspi, the CEO and Co-Founder of Deep Instinct, a cybersecurity company that applies deep learning to cybersecurity, believes we will see more terrorist organizations globally using force through cyber means. “With cyber capabilities continuing to trickle down, I don’t believe it’s far-fetched to think of attacks on critical infrastructure, transportation, healthcare and more carried out by terrorists.”With these emerging global challenges, organizations will need to step up their risk mitigation game and prioritize how they manage cyber risk, preaches Sotnikov.
“We are in a new era of advanced technologies that can be used for both good and evil,” says Sotnikov. “Simply put, organizations need to focus on securing their most important and valuable assets from the most likely incidents and update their policies regularly. It is increasingly obvious that cyber insurance is not a lifebuoy. Risk assessment is primarily our own responsibility.”
Nadav Maman, the CTO and Co-Founder of Deep Instinct predicts that in the coming years, there will be wide usage of machine learning adaptation across the attack landscape.
“This will be specifically for advanced phishing attacks that will target organizations’ users across multiple different applications, not necessarily using e-mail. Attackers will put a significant effort into building organizational employee mapping, based on crawlers on social networks, blogs and forums, and collective points of interest, and build more robust and targeted successful campaigns, which will target the users in multiple areas, by simple usage of ML and many impressive results,” he insists.
Combatting more sophisticated attacks will motivate many companies to consolidate security services to achieve a Zero Trust footprint, according to Larry Chinski, the VP of Global IAM Strategy at One Identity, a company that delivers unified identity security solutions that help customers strengthen their overall cybersecurity posture.“The Biden administration is betting on Zero Trust as a primary means for defending against the industry-shattering cyberattacks that have occurred over the past year. However, for companies to achieve Zero Trust, they’ll need to shift away from siloed security approaches. Fifty-one percent of security professionals are using more than 25 different systems for identity management, which makes it challenging to manage access, especially in a remote work environment. To make Zero Trust a reality, organizations will need to consolidate their approach to create a unified security strategy that accurately verifies access and limits attack surfaces,” states Chinski.
He asserts that identity security will become all the more vital as the “metaverse” gains traction.
“The ‘metaverse’ is not a new concept. But as the pandemic continues to trudge on and more organizations turn to digital-native and digital-first platforms to fuel everyday communication, work, life and commerce experiences, the identity landscape will continue to grow exponentially – opening up new gateways and threat vectors to potential bad actors. Eighty-four percent of business leaders agree that the number of digital identities their organization manages today versus 10 years ago has dramatically increased,” continues Chinski, remarking that it is 0 times more than a decade ago. “What’s more, 95% of businesses report challenges managing the number of identities that currently fall under their organization’s umbrella (human, digital, RPA, etc.). As adoption of the metaverse increases, identity security and management issues will only become more profound – and a bigger threat to business resiliency.”
Keith Driver, the CTO at Titania echoes Chinski’s declaration that Zero-Trust policies will now be zero-tolerance ground rules.
“In the next year, perimeter-only defenses will no longer be fit for purpose. We have seen numerous recent cyber events breaching perimeter defenses. Network owners must assume that perimeter defenses will be compromised, and that means they must defend the internal/core network as if each node was a perimeter node. There will be a zero-tolerance policy for not implementing a zero-trust architecture,” Driver says. “A Zero Trust paradigm requires network owners to address each network asset individually and ensure it is operating within security and compliance policy requirements. Furthermore, in the coming year, network managers are going to need to continually assess all devices rather than assume they are in an acceptable state as configurations change which often results in unintended security and compliance errors.”
The Lines Have Blurred
Cybrary’s Hanes contends that the line between cybercrime and nation-state attacks will continue to blur.
“Following a cyber-attack or data breach a couple of years ago, threat intelligence companies could often assess the breadcrumbs left behind by attackers and make a reasonably accurate determination of who was behind it. This was largely in part because certain threat actors often have a ‘playbook’ that drives how to operate,” explains Hanes. “However, given the common rebranding of ransomware gangs and criminal organizations using the same tactics, techniques, and procedures (TTPs) as nation-states, some of these attacks are becoming indistinguishable from each other. Additionally, a single threat actor isn’t solely responsible for various attacks, but rather a group that all have a hand in it.”
Perhaps the most insightful assessment related to the impending transformational change in the new cybersecurity landscape comes from OnSolve CEO Mark Herrington, who predicts an operational paradigm shift based on resilience and convergence. He is confident that operational resilience will capture the attention of C-suite executives at almost all organizations that currently continue to operate in a “business unusual” environment.“Since the pandemic began, our way of working has been flipped on its head. With a hybrid and remote working environment, organizations have a more spread-out workforce to protect under Duty of Care, widening their footprint for crisis impact. We’re living in business unusual. This requires more agility than ever before, and in the next year, operational resiliency will reach a fever pitch in the boardroom,” predicts Herrington.
He also figures that the landmark events of the last 20 months have made the inevitability of cyber and physical convergence a reality.
“Security attacks like the Colonial Pipeline attack that happened this year (2021) showcased that physical and cybersecurity will ultimately converge – and we anticipate more cyber-attacks on critical infrastructure ongoing. Organizations will need to rethink how they manage security incidents and allow for more collaboration across physical and cybersecurity to ensure operational resilience. Cyber teams have the SOAR framework to automate and orchestrate an incident response. Physical security will need to create a similar framework to keep up with these threats,” concludes Herrington.
Sotnikov also warns that attackers will use residential home networks as their infrastructure, knowing that a home network is much easier to infect with malicious software than a professionally secured enterprise IT environment.
“With processing power and bandwidth connectivity in residences increasing, home networks will become more attractive to bad actors. For example, by infecting many devices, they will be able to change IP addresses or even domain names dynamically during malware campaigns, thwarting common defenses like IP blocking and DNS filtering. IT teams should keep this new threat vector in mind when reviewing their security strategies and incident response plans. Moreover, the IT industry should seek to increase user awareness and best practices adoption to reduce the number of easy victims,” he warns.
And Here We Are
Ira Winkler, cybersecurity expert, author, industry speaker and the CISO of Skyline Technology Solutions, encapsulates our look ahead in relatively simple terms.
“When we look at the Colonial Pipeline, we need to ask ourselves: why is this attack any different than Code Red, Nimda or even the Morris worm? Why didn’t anyone stay awake after those so-called wake-up calls? There is no revolutionary new attack so to speak - it’s just an evolution – simply just a progression of using available technologies to refine malware,” he reckons.
“Regarding the potential for a cyber doomsday or similar, here is the reality of the situation as I see it: there will likely be massive cyber-attacks in one way or another in the future - much like all of Facebook going down. Can someone get into a power grid and do bad things? Yes. However, people need to realize there is resiliency. I do not think in the next 5-10 years, we will be put back into the stone age or see a ‘digital Armageddon.’”
About the Author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected].