One of the most challenging jobs every CISO faces is preparing for the next round of threats designed to disrupt their business, compromise critical devices and systems, steal or destroy data, and extort money. The trick is to take current threat trends and combine them with evolving attack strategies and technologies to look around the corner at what may be next. Derek Manky, Chief of Security Insights and Global Threat Alliances at FortiGuard Labs—Fortinet's global threat intelligence and research team—publishes an annual Threat Predictions report designed to do just that.
According to this new report, CISOs can expect continued growth in ransomware, combined with new malware that exploits what is shaping up to be a record year for newly disclosed vulnerabilities (CVEs), including zero-days. In January 2021, the US Department of Justice (DOJ) charged a NetWalker affiliate alleged to have collected roughly $28M in ransom payments. This was one of the first times law enforcement went after an affiliate, the criminal "business partner" who deploys the ransomware, rather than only the developers who operate the service. Even though the attention drawn by cases like this has pushed a few ransomware operators to announce they were ceasing operations altogether, ransomware is not on the decline. As the potential attack surface continues to expand, cybercriminals will be looking to exploit every available attack vector. Expect new attacks aimed at hybrid networks and work environments, remote workers and their evolving connectivity options, and business-critical applications being deployed in the cloud and accessed from anywhere.
In addition to increasingly sophisticated attacks, CISOs should also gear up for a growing volume of attacks driven by the expanding Crime-as-a-Service market. Alongside the continued sale of highly lucrative ransomware and other malware-as-a-service offerings (the US Treasury's Financial Crimes Enforcement Network (FinCEN) reported nearly $600 million in ransomware-related payments flagged in suspicious activity reports for the first half of 2021 alone), new criminal offerings are likely to emerge, including phishing-as-a-service, botnets-as-a-service, and a growing market for access to already-compromised targets.
This spike in new attacks will increasingly include Linux platforms. Linux runs the back-end servers and cloud workloads of most networks, yet until recently it attracted far less attacker attention than Windows. That is changing. Vermilion Strike, for example, is a Linux port of the Cobalt Strike Beacon implant that was used against Linux servers while going largely undetected by antivirus engines. As the Linux footprint expands, so will attacks. Microsoft, for example, ships WSL (the Windows Subsystem for Linux) with Windows 11 (itself likely to be a prime target), letting organizations run Linux ELF binaries natively on Windows. Security researchers have already found ELF samples in the wild built to run inside WSL and deliver payloads to the Windows host, with little antivirus coverage. Botnet malware written for Linux-based routers, cameras, and other embedded devices is also growing, extending the attack surface out to the network edge.
As with Linux, we expect more activity targeting edge devices that cybercriminals have traditionally overlooked. For example, new exploits are likely to target today's half-dozen satellite internet providers, such as Starlink, which has already launched well over a thousand satellites and has filed plans for tens of thousands more. Organizations that use satellite connectivity to deliver critical services to remote locations, or to serve clients in motion such as cruise liners, cargo ships, and commercial airlines, should exercise appropriate caution, because threats aimed at satellite-based networks are already being demonstrated. ICARUS, for example, is an academic proof-of-concept DDoS attack showing that the global reach and predictable routing of low-Earth-orbit constellations let an attacker concentrate traffic on chosen inter-satellite links using ordinary, uncompromised user terminals. Ransomware is not far behind.
Given the recent attacks on critical infrastructure, we expect more cybercriminals to target Operational Technology (OT) systems. According to a recent CISA (US Cybersecurity & Infrastructure Security Agency) fact sheet, ransomware attacks are increasingly hitting critical infrastructure and "have demonstrated the rising threat of ransomware to operational technology assets and control systems." This is being spurred by the accelerating convergence of IT and OT networks, which introduces new attack vectors into environments that were traditionally isolated.
Historically, OT attacks were the domain of highly specialized threat actors who knew how to exploit ICS and SCADA systems. But many of those highly specialized tools are now being packaged as attack kits on the dark web, making them available to a much broader set of far less technical attackers.
Defending your organization against this new wave of threats requires a holistic, integrated approach to security. Isolated point products should give way to controls designed to operate as a unified solution, sharing policy and telemetry so that every user, device, and application is protected consistently and policy follows data and transactions wherever they go. This approach also enables centralized management, ensuring that policies are enforced consistently, configuration changes and updates are delivered promptly, and suspicious events are collected and correlated in one place.
Organizations are also strongly urged to harden their Linux systems and OT environments, including adding tools designed to protect, detect, and respond to threats in real time. Similarly, organizations should take a security-first approach when adopting new technologies, whether upgrading Windows systems or adding satellite-based connectivity, and put protections in place before connecting them to the network. Behavioral analytics should be deployed to detect and block attackers during their initial reconnaissance and probing, rather than discovering them only after lateral movement or payload execution later in the attack chain.
AI and machine learning capabilities should also be deployed across the network to baseline normal behavior, correlate threat data, respond instantly to changes, and detect and disable sophisticated threats before they can execute their payloads. Deception technologies should also be considered to turn traditionally passive security into active defense systems.
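As an added illustration of what "baselining normal behavior" and catching reconnaissance early can look like in practice (this is example code written for this page, not FortiGuard's, Fortinet's, or any product's detection logic), the following Python script learns which destinations and ports each host normally contacts from a set of constructed firewall-style log lines, then scores a later window and flags hosts whose never-before-seen contacts look like a vertical port scan or a horizontal host sweep. The log format, field names, IP addresses, and thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation detector for early reconnaissance (added example).

Learns the (destination, port) pairs each source host normally contacts, then
flags sources whose new contacts look like a port scan or a host sweep.
The log format, addresses and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format, not any vendor's real syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse(lines):
    """Yield (src, dst, dport) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def build_baseline(lines):
    """Map each source host to the set of (dst, dport) pairs seen while learning."""
    baseline = defaultdict(set)
    for src, dst, dport in parse(lines):
        baseline[src].add((dst, dport))
    return baseline


@dataclass
class Finding:
    src: str
    new_pairs: int    # distinct (dst, dport) pairs not in this host's baseline
    vertical: int     # most distinct new ports hit on any single destination
    horizontal: int   # most distinct new destinations hit on any single port
    reason: str


def detect(baseline, lines, max_new_pairs=10, max_ports_per_host=5,
           max_hosts_per_port=5):
    """Return a Finding for every source whose new contacts exceed a threshold."""
    new_pairs = defaultdict(set)
    for src, dst, dport in parse(lines):
        if (dst, dport) not in baseline.get(src, set()):
            new_pairs[src].add((dst, dport))

    findings = []
    for src in sorted(new_pairs):           # sorted for deterministic output
        pairs = new_pairs[src]
        ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
        for dst, dport in pairs:
            ports_by_host[dst].add(dport)
            hosts_by_port[dport].add(dst)
        vertical = max(len(p) for p in ports_by_host.values())
        horizontal = max(len(h) for h in hosts_by_port.values())
        reasons = []
        if len(pairs) > max_new_pairs:
            reasons.append("fan-out")
        if vertical > max_ports_per_host:
            reasons.append("vertical-scan")
        if horizontal > max_hosts_per_port:
            reasons.append("horizontal-scan")
        if reasons:
            findings.append(Finding(src, len(pairs), vertical, horizontal,
                                    ",".join(reasons)))
    return findings


def _line(ts, src, dst, dport):
    return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action=allow"


# Constructed learning window: two hosts doing their usual web and DNS traffic.
BASELINE_LOG = [
    _line("2021-11-15T09:00:01Z", "10.0.0.5", "10.0.1.20", 443),
    _line("2021-11-15T09:00:07Z", "10.0.0.5", "10.0.1.21", 53),
    _line("2021-11-15T09:01:12Z", "10.0.0.7", "10.0.1.20", 443),
    _line("2021-11-15T09:02:30Z", "10.0.0.5", "10.0.1.20", 443),
]

# Constructed detection window: 10.0.0.5 adds one new server (benign), 10.0.0.9
# walks seven ports on one host, 10.0.0.12 sweeps SMB (445) across seven hosts.
DETECT_LOG = (
    [_line("2021-11-15T10:00:01Z", "10.0.0.5", "10.0.1.22", 443)]
    + [_line(f"2021-11-15T10:00:{i:02d}Z", "10.0.0.9", "10.0.1.20", p)
       for i, p in enumerate([22, 80, 443, 445, 3389, 8080, 8443])]
    + [_line(f"2021-11-15T10:01:{i:02d}Z", "10.0.0.12", f"10.0.1.{30 + i}", 445)
       for i in range(7)]
    + ["malformed line that the parser must ignore"]
)


def run_demo():
    """Train on BASELINE_LOG, score DETECT_LOG, return the findings."""
    return detect(build_baseline(BASELINE_LOG), DETECT_LOG)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.src}: {f.reason} (new pairs={f.new_pairs}, "
              f"vertical={f.vertical}, horizontal={f.horizontal})")
```

Running it flags 10.0.0.12 for a horizontal sweep and 10.0.0.9 for a vertical scan, while 10.0.0.5's single new contact stays below every threshold. The design point is that the alert fires on the probing itself, before any exploit or payload is involved; in a real deployment the baseline would be built over days of traffic and the thresholds tuned per network segment so that legitimate scanners and service-discovery tools are allow-listed rather than paged on.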
2022 is likely to set new records in terms of the volume and ferocity of cyberattacks. If your network and security tools are not ready to work as an integrated, proactive cybersecurity mesh architecture to protect your organization from the next generation of threats now, tomorrow may be too late to make the critical changes you need. Broad deployment, deep integration, and dynamic automation—including solutions designed to protect today's hybrid networks that rely on hyperperformance and hyperscalability—should be the hallmarks of any security system used to protect today's networks.