Security Long Reads: Cyber insiders reveal what’s to come in 2021

Everything changes, yet nothing does

For VMware Carbon Black’s Tom Kellerman, even though we are looking ahead from a position nobody could have predicted this time in 2019, fundamentally, not much has changed.

“Most were writing the ‘pandemic playbook’ as they went along, but ironically, one of the few certainties of the situation was that cyber criminals would take advantage of disruption to escalate campaigns,” he says. “In that sense, nothing changed, except that the opportunity was suddenly much greater.”

The effects of Covid-19 will, of course, be the biggest lasting impact on security, opening the floodgates to a surge of innovation by both attackers and defenders, which means that some of the strategies and tactics that came to the fore this year will still be felt.

Take remote working. “As business becomes more mobile than ever and remote working persists, mobile devices and operating systems will be increasingly targeted,” says Kellerman. “As employees use personal devices to review and share sensitive corporate information, these become an excellent point of ingress for attackers. If hackers can get into your Android or iPhone, they will then be able to island-hop into the corporate networks you access, whether by deactivating VPNs or breaking down firewalls.

“We will also see hackers using malware such as Shlayer to access iOS, ultimately turning Siri into their personal listening device to eavesdrop on sensitive business communications.”

Kellerman adds: “Combating these risks requires a combination of new mobile device policies and infrastructure designed to facilitate continued remote working, as well as raising employee awareness of the persistent risks and the importance of digital distancing.”

Igor Andriushchenko, director of quality and security for engineering at Snow Software, expects that, thanks to remote working, we will soon see a surge in attacks where the initial compromise is achieved via social engineering.

“People have not ever met many of their colleagues who joined companies in 2020 due to the shift towards remote work,” he says. “This makes an ordinary social engineering attack much simpler, as in this case we all know much less unique information about each of our co-workers – which is the key to proving the authenticity of an email, call or video chat.”

Ilia Kolochenko, Immuniweb founder and CEO, also sees more breaches occasioned by remote working in 2021, and believes the ongoing chaos is making it harder for security teams to work effectively.

He says the disruption has negated much of the combined effort put in by developers, IT teams and security teams to improve agility and cost-efficiency, and cut the number of breaches, and although videoconferencing and tools such as Slack alleviate some of this, they are no substitute for face-to-face contact. This lack of inter-team collaboration points to more breaches next year.

The evolution of ransomware

In other continuing trends, the much-documented pivot among ransomware gangs to neutralise traditional defences such as backup and disaster recovery tools by stealing and leaking their victims’ data will not go away, and will become an even bigger threat over the next 12 months.

Casey Ellis, founder, CTO and chair of Bugcrowd, says the increase in ransomware volumes will spur more innovation among defenders next year. “As ransomware becomes more a question of ‘when it will happen’ than ‘if it will happen’, legislators and the cyber security industry itself will be pressured to find ways to solve the ransomware problem without needing to reduce the choice to ‘pay or not pay’,” he says.

Ryan Kalember and Andrew Rose of Proofpoint foresee the increased targeting of cloud environments by ransomware crews. They write: “Many firms now house substantial portions of their sensitive data in external, cloud-based repositories and these data stores are often less visible to the security function and often not as secured or backed up in a way that adversaries can’t also encrypt. In 2021, security professionals can expect to see ransomware increasingly target cloud storage to maximise impact and increase leverage to boost profits.”

Andriushchenko also thinks ransomware gangs will begin to focus their energies a little differently in 2021. “They may shift more into the area of industrial ransomware where the attacks are targeted in order to get the competitive advantage and stop production for a long time,” he says.

Guy Propper, threat intelligence team lead at Deep Instinct, highlights the competitive advantage in the ransomware game, saying attackers have now learnt that the litmus test of a good ransomware hit is its method of extortion, and the greater the stakes for the victim, the better the likelihood of a payout.

“For this reason, in 2021 we expect to see a move towards targeting mission-critical organisations, ie those organisations that have minimal risk tolerance to having their digital systems shut down or their data stolen and exposed,” he says.

“Hospitals and educational institutions are a good example of this, with both sectors having already suffered from a wave of ransomware infections, and both schools and hospitals are under enormous pressure to keep their doors open. In the crossroads between ransomware and data privacy regulations, private companies are also more susceptible to being breached, with the added risk of being hit with large fines if found to have exposed data.”

Competitive advantage is also achieved through collaboration and resource sharing to maximise returns, something ransomware operators have also learned in 2020 – lessons they will put into practice in 2021. “Ransomware as a service is getting more traction – where ransomware creators ‘servicise’ their product and make it available to criminals at scale,” says Andriuschenko.

On this score, there is some good news – not all these collaborations will bear fruit, as Kellerman notes: “We’ll see groups disagreeing on the ethics of targeting vulnerable sectors such as healthcare.”

Healthcare will still be a juicy target

On the subject of healthcare, the impact of Covid-19 has also been particularly keenly felt in this vital sector, where Kellerman predicts risk levels will continue to spike as the world moves closer to mass vaccination and, fingers crossed, an exit route from this waking nightmare.

Bugcrowd’s Ellis says the impact of ransomware on healthcare will grow next year as the need to access patient data creates a sense of urgency that makes organisations in the sector much more likely to pay up.

This was seen earlier in 2020 when an attack in Germany was blamed at first for the death of a patient, and while prosecutors were unable to establish a legal basis of causation in German law and said that in the end, the patient would have died anyway, the first officially fatal cyber attack will surely happen very soon, and this will ramp up the pressure.

“It’s likely that other attackers will prioritise ransomware attacks on strained healthcare facilities’ critical life support systems as the urgency to save a patient’s life would put great pressure on any hospital to pay a ransom,” says Ellis.

“To prepare for potentially fatal ransomware campaigns, the healthcare sector needs to identify its critical systems and determine which are most business-critical. Then, each healthcare organisation can prioritise those critical systems for upgrades to ensure proper security for patient wellbeing.”

However, there is a little more good news here, too. “The strain on healthcare cyber security is not going unheeded,” says Kellerman. “We will see increased IT and security budgets in the sector to combat the growth in external threats.”

New risks still emerging

Kellerman is also keeping his eye on some other emergent trends, such as cloud-jacking via public clouds, which he believes will become the “island-hopping strategy of choice” for cyber criminals, thanks to what he calls a new over-reliance on public cloud infrastructure.

And this will not be the only under-threat environment – it is possible, indeed likely, that some threat actors, particularly nation-state-associated ones, will ramp up bolder and more destructive attacks against industrial control systems, critical national infrastructure, utilities, manufacturers, and more. Indeed, with the emergence in December 2020 of a massive campaign conducted through compromised SolarWinds tools, this may already be happening.

Snow Software’s Andriushchenko says the impact of the “successful” SolarWinds attack will be felt in an increasing volume of similar supply chain attacks. He warns that as companies improve their own security postures, third parties will remain a blind spot and can provide a pathway into the target. Thanks to the ongoing compromise of multiple government agencies in the US, malicious actors now know this works very well.

State-sponsored attacks from groups associated with Russia and China, and to a lesser extent Iran and North Korea, will evolve further, says BugCrowd’s Ellis, who predicts the rise of false flag attacks. We have already seen state groups conduct attacks using techniques, tools and procedures associated with rivals, and given the difficulty of attribution at the best of times, this will become a bigger problem in 2021.

“There has been ample time for state-sponsored cyber groups to improve their tactics in order to successfully launch more advanced false flag campaigns,” says Ellis. “2020 has also seen an increasing burden of proof around the effectiveness of cyber-enabled disinformation and misinformation as a tool in the hands of both foreign and domestic actors with a political goal.

“Governments should expect state-sponsored attackers to launch false-flag campaigns more frequently. As such, governments must consider information warfare and cyber warfare to have merged in their execution and outcomes and be very focused on clear and clean attribution when an attack takes place.”

AI comes into its own, for both defenders and attackers

Carbon Black’s Kellerman says 2021 will be a year of significant developments in artificial intelligence (AI) and machine learning tools that make security automation a more simplified, integrated proposition, and not just something for an organisation that has forked out millions on a security operations centre.

Snow Software’s Andriushchenko also believes AI and machine learning will become powerful tools for defenders in 2021, thanks to their utility in supporting remote workers. He explains: “Home networks, co-working spaces, café Wi-Fi – all have different threats lurking in them and require organisations to be ready to recognise and react on any issues originating from uncharted territories.

“Therefore, it is important to start employing the intelligent behaviour analysis tools that could spot an anomaly in how a supposedly legit user interacts with the corporate network and what actions it performs. Machine learning, in this case, becomes more than just a buzzword, but rather a necessity to mitigate potential issues in 2021.”

The counterpoint to this, of course, is that adversaries will also see some benefit in advancing how AI and machine learning are used for pre- and post-exploitation activities, as Deep Instinct’s Propper points out.

“As knowledge on adversarial machine learning continues to grow, that knowledge is disseminating among both sides of the cyber battle ground,” he says. “2020 saw the increased adoption of machine learning academic knowledge being used in adversarial attacks in private industry research.

“As this knowledge gradually makes the transition from academia to the wild, we expect to see malware campaigns attempting to evade products based on machine learning models, by fooling the model, learning how to subvert it, or by forcing it to shut down.

“Since machine learning-based products are becoming the market-dominant solution, it makes sense that they represent the next target for well-resourced hackers. We expect that those perpetrating the attacks will be only a select few. The bar of entry to AI-based attacks is still very high, and we therefore don’t expect it to become ‘run-of-the-mill’ malware next year.”

Kellerman adds: “As awareness of how attackers are using automation increases, we can expect defenders to fix the issue, maximising automation to spot malicious activity faster than ever before.”

Kalember and Rose at Proofpoint also have something to say about the growth of automation, suggesting it will help security teams cope with the growing skills crisis.

“The shortage of security talent has been a concern for several years, with CISOs struggling to keep fully staffed and skilled teams together for any length of time,” they say. “The only way security functions are going to survive is by automating parts of their role.

“To date, automation functionality has typically been addressed by buying additional tools or as bolt-on functions from suppliers. We expect that to change in 2021, as automation become more of a standard ‘in the box’ feature for most enterprise security tools – and for many CISOs, this can’t come soon enough.”

Some positivity: we may not be winning, but nor are we losing

To end with some positivity, there is growing awareness of cyber security in the public sphere, organisations are increasingly well-prepared in spite of all the high-profile failures documented in Computer Weekly and elsewhere, and defenders are getting better at their jobs all the time. We may not be overwhelmingly winning the fight against cyber crime, but nor can we say we are losing it.

Ellis at Bugcrowd expects positive change in security culture, with ethical hackers increasingly proving their worth, particularly when it comes to critical infrastructure and organisations. This will be spurred in part by the discourse around election security that dominated in the US in late 2020. And this is not just a US issue, it affects the UK too.

“The reality is that security researchers can test voting systems just as an adversary would to uncover exploitable vulnerabilities, and then relay that feedback to the appropriate personnel for remediation on a prioritised basis,” says Ellis. All that is needed to make this a reality, he argues, is buy-in from governments, and reform to laws, such as the UK’s Computer Misuse Act.

“These laws currently serve as barriers for security researchers to do their jobs and test voting systems in good faith, as ethical researchers fear being prosecuted for doing their jobs,” he says. “Looking ahead, as government officials start to pay closer attention to cyber security, it is possible we may see these laws revised for the betterment of our democracy.

“Governments are collectively realising the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you’re faced with an army of adversaries, an army of allies makes a lot of sense.”

Sticking with this theme, Marten Mickos, CEO of HackerOne, which could itself reasonably be described as an army of allies, perhaps unsurprisingly also predicts good times for ethical hackers.

“I predict the UK will be the next government to push to mandate vulnerability disclosure programmes (VDPs) for consumer IoT devices,” he says. “Other technically advanced and moderately transparent governments are also in line to follow. I anticipate Singapore and the Netherlands won’t be far behind – many Dutch cities already have VDPs in their local government organisations.

“The DACH region, though conservative, places a high priority on the security of its citizens. Just recently, the German armed forces unveiled their own bug bounty programme and the Swiss government has already introduced a VDP for its voting technology.”

Reports made through HackerOne have been responsible for some of the biggest bug bounty payments in security history, and Mickos also predicts that such is the scale of cyber threats today, at some point in the next few years, we will see a hacker make over $10m – a vote of confidence in the community’s talent and dedication to the cause.

Kellerman similarly believes defender confidence is actually on the rise. “This year we saw cyber defences placed under inconceivable strain and they flexed in response,” he says. “Yes, there were vulnerabilities due to the rapidity of the switch to fully remote working, but on the whole, security tools and processes are working. Defender technology is doing the job is it designed to do – and that is no small feat.

“The mission-critical nature of cyber security has never been more apparent than in 2020 as teams have risen to the challenge of uniquely difficult circumstances. In recognition of this, we will see board-level support and a much healthier relationship between IT and security teams as they collaborate to simultaneously empower and safeguard users. 2020 has been the catalyst for change for which we were more than ready.”

Nominet chief executive Russell Haworth also sees positive developments on the horizon. This year saw many governments take on more powers and responsibility for citizen cyber security, a trend he predicts will become more prominent.

“The recent establishment of a national cyber force and increased funding towards the UK’s cyber defence is the beginning of a new era,” says Haworth. “Besides the arenas of land, sea and air, cyber has been officially recognised as a new battleground. Warfare in cyber space is of a fundamentally different nature and will require new tools and collaborations to combat aggressive nation-backed activity.

“Decisive action is being taken by governments around the world to tackle cyber crime and much of this is already in collaboration with the security industry. This is a positive step, which may decrease the volume of nation-backed activity perpetrated by known APT groups.

“It would be too much to hope that attacks will cease, but we might expect less disruptive techniques and more ‘stealth’ cyber attacks, utilising espionage techniques and bringing in a number of different tactics to execute an attack. It is in this area we must next look to evolve cyber defence and for that, we will need a multi-faceted, coordinated approach across government, industry and society.”

Finally, Chris Harris, EMEA technical director at Thales, reckons 2021 will be the year when defenders turn the tables on their attackers. “The business-hacker relationship has largely always been one way, with cyber criminals attempting to break in and businesses reacting to this,” he says. “However, 2021 will see that relationship change as businesses go on the offensive and attempt to throw hackers off their game.

“Companies will start using deceptive techniques, such as deploying fake high-attraction systems to divert attackers, or leave fake credentials or breadcrumbs that lead to a fake high-value target.”