For us as cybersecurity leaders, the challenges we all face are real and significant. As life returns to "normal" in fits and starts, the relentless flow of headlines about ransomware attacks, software supply chain threats, and high-profile breaches can seem overwhelming. In talking with other CISOs, I have pulled together some insights on what we see happening with the threat landscape in the coming year.
Obviously, there is a heightened threat environment at the moment and organizations around the world are on alert. In fact, the update and recent recommendations from the Biden-Harris Administration regarding protection against potential cyberattack are important and timely. Cyber risk always exists, but recent geopolitical concerns are leading many organizations to examine their security more closely. Now is the time for organizations and individuals both to focus on basic cybersecurity hygiene and to be alert for IT anomalies that could be harbingers of disruptive or destructive activity. Yet, at the same time, we cannot take our eye off the ball of the other cyber threat risks that exist.
Unfortunately, the growth of ransomware over the past several years has provided a more reliable income stream for cyber criminals than earlier tactics like botnets. As a result, their recent efforts have been better funded. Governments in the U.S. and elsewhere urge organizations not to pay the ransoms demanded by attackers, and many do not. But in a significant minority of cases, the victim entity sees no alternative but to pay up.
Steady and significant income from ransomware both incentivizes threat actors to send more ransomware and gives them the financial resources to do so. It also gives them the opportunity to invest in more sophisticated approaches in an effort to stay ahead of security measures that better prepared and cyber savvy organizations are putting in place.
More volume. In this context, cyber criminals have learned how to deliver a greater volume of ransomware—especially to smaller businesses and local government entities that have fewer resources with which to fight back.
Streamlined processes. At the same time, attackers have become more sophisticated in the way they execute their business plans. “Ransomware-as-a-Service” providers, for example, have moved beyond where they were a few years ago—akin to a Craigslist ad offering “mom-and-pop” cybercrime services—to more of a corporatized and franchised managed services model.
Greater speed. More money and better processes also enable bad actors to work more quickly. Our recent FortiGuard Labs threat report found that Log4j demonstrates the dramatic speed of exploitation organizations face today. In fact, despite emerging only in the second week of December, exploitation activity escalated quickly enough, in less than a month, to make it the most prevalent IPS detection of the entire second half of 2021.
That is bad news when it comes to dealing with zero-day vulnerabilities. Organizations no longer have weeks or months to take care of these problems; they must remediate them in virtual real time. But that is often easier said than done. A company might have thousands of applications that contain Log4j, for example, and some will be easier to update than others.
However, I would be remiss if I did not point out that around 80% of exploits still target the top 10 existing vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database—all of which have patches and updates available. Some of these CVEs are as much as 10 years old! And while there are hundreds of thousands of CVEs, only around 4% of them are ever exploited and detected in the wild. Recent analyses have shown that basic hygiene is effective at stopping more than 75% of all cyberattacks. It is a reminder that basic cyber hygiene is fundamental and should be at the core of any cybersecurity program.
I see several trends that will collectively make advanced persistent cybercrime (APC) even more advanced and dangerous than it is now. In my opinion, “hybrid” is the operative word that ties them together. Just as hybrid work patterns are clearly here to stay after being jumpstarted by a global pandemic, cyber criminals are increasingly using hybrid approaches to maximize their chances of a successful attack. I see three areas where cyber criminals will employ hybrid practices in 2022:
1. Hybrid AI+human exploits. Adversaries will continue to expand their use of artificial intelligence (AI) to make their attacks faster, more numerous, and more effective. Tactics like spear phishing may benefit from this. It is increasingly easy for attackers to run stolen emails through open-source AI to make their forged emails appear more legitimate. Your mother and your boss might both be in your email address book, and working from a relatively small sample of your emails, AI-tuned spear phishing might match the subject and syntax you would use in talking to each of them.
2. Hybrid multi-impact threats. We saw the emergence of hybrid threats with ransomware in 2020 and 2021. Classic ransomware attacks focused on shutting down a network or system and demanding a ransom for the ability to restore it. But as organizations deployed more robust business continuity strategies in areas like backups and disaster recovery, it was more likely that organizations could fail over to an unaffected system rather than paying the ransom.
Adversaries responded by exfiltrating sensitive data as a part of the attack. This enables them to add a second threat against their victims—doxing or offering data for sale. By the end of 2021, this was almost the default strategy of ransomware attackers.
Another multi-impact strategy involves using a denial-of-service (DoS) attack as a distraction in order to make a spear-phishing campaign more successful. Network administrators and security professionals focused on maintaining connectivity and safeguarding core services may be more likely to overlook a wave of spear-phishing emails—and an update on the status of the network is an attractive lure with which to catch users stressed at trying to accomplish their work under degraded IT conditions.
3. Hybrid multi-mode malicious cyber activity. When NotPetya was deployed in an attack targeting Ukraine in 2017, it was an early example of a multi-mode attack. It was not a worm but acted like one in that it had three different ways it could spread from target to target.
Given the current geopolitical climate, organizations should be aware of the potential of becoming collateral damage from state-sponsored cyberattacks—even if there are no direct political or geographical connections between an organization and the target. And as with NotPetya, financially motivated bad actors will also move in to repurpose these exploits to advance their criminal agenda.
Given these trends, how should IT and security leaders at large enterprises respond? In my mind, comprehensive and accurate cyber threat intelligence (CTI) is key, and it is even more important than before for effective decision-making. Having a complete enterprise view of the threat landscape is essential for both day-to-day security management and strategic cybersecurity planning.
CTI is an essential tool for understanding how the threat landscape changes over time, as with the transition of ransomware to a multi-impact threat that can no longer be solved with backups alone. It is also critical when business processes need to change, as with the sudden switch to remote work in 2020.
What do I mean when I say CTI? I would say that there are three levels:
Most organizations spend 99% of their time dealing with threats in the tactical realm, and this is human nature. But organizations need to move beyond that. There are many sources for operational and strategic intelligence, both formal and informal, and security leaders need to be consuming these resources and using them to inform effective strategy.
IT leaders routinely adapt their networks to accommodate the needs of digital transformation and to drive business outcomes. They must also make adjustments in response to cyber threat trends. And comprehensive CTI is non-negotiable to do that well.