If there is one constant across the landscape of cybersecurity, the strong will prey on the weak and bad actors will continue to exploit vulnerabilities both machine and human. As the work environment shifts and more of the security burden is hoisted upon workers at home, breaches and a rise in social engineering attacks are a certainty. As the COVID-19 pandemic continues to rage, specific business sectors like retail, financial, government, and particularly healthcare, will be severely impacted by state-driven and criminal cyber-attacks.
The dawn of 2021 has cybersecurity experts and solutions providers concerned about addressing the current security challenges and pending threats. We assembled the predictions and commentary from dozens of working cybersecurity professionals to help us paint a broad picture of what the new year might bring. There were almost as many stated and promised threats as there were experts asked, however, there were five persistent topics that consistently grabbed the attention of them all:
- The future of ransomware attacks
- COVID-19 changes everything
- Cybersecurity for remote workers
- Cloud configuration and vulnerabilities
- The menacing expansion of deepfakes and voice fake scams
The Scourge of Ransomware
It is the perfect storm of COVID-19 and remote working that has created the potential of a ransomware pandemic. According to a recent CrowdStrike report, 56% of organizations fell victim to a ransomware attack this year, with cybercriminals taking advantage of increased remote work-related vulnerabilities. With the COVID-19 pandemic surging around the world, ransomware attacks are likely to continue well into 2021, with nation-state organizations increasingly targeting hospitals, state and local governments, and healthcare researchers.
For Michael Rezek, VP of cybersecurity strategy at Accedian, a network performance analytics company, having IT teams build out their 2021 cybersecurity strategies with an eye on network detection and response solutions (NDR), and other complementary solutions like endpoint security platforms that can detect advanced persistent threats (APT) and malware, is strongly recommended.
“For smaller companies, managed security services such as managed defense and response are also good options. However, a comprehensive security strategy must also include educating all employees about these threats and what to watch out for. Simple cybersecurity practices like varying and updating passwords and not clicking on suspicious links can go a long way in defending against ransomware. Perhaps most importantly, since no security plan is foolproof, companies should have a plan in the event of a ransomware attack,” stresses Rezek. “This is especially important since attackers might perform months of reconnaissance before actually striking. Once they have enough data, they’ll typically move laterally inside the network in search of other prized data. Many cybercrime gangs will then install ransomware and use the stolen data as a back-up plan in case the organization refuses to pay. The more rapidly you can detect a breach and identify what information was exploited, the better your chances of mitigating this type of loss. Having a plan and the forensic data to back it up will ensure your organization and its reputation are protected.”
David Wolpoff, a career hacker and former DoD contractor, and current CTO and co-founder of the cybersecurity company Randori, warns that ransomware attacks are evolving to include enterprise extortion.
“Threat actors are evolving from high-volume/low-value attacks to high-value/low-volume attacks targeting businesses. Half of the ransomware attacks already involve data exfiltration, and in 2021, cybercriminals will incorporate extortion by weaponizing the content they’ve stolen to compel their victim to action. Ransomware attacks will shift from ‘I’ve stolen all your data, now pay me;’ to, ‘I'm going to extort your CEO with the information I’ve found in the data I’ve stolen from you, and if you don't pay, we’ll devalue your stock on Wall Street’”, says Wolpoff.
Drew Daniels, the CIO and CISO of Druva, which offers a SaaS platform for data protection across data centers, cloud applications and endpoints, shares the view that ransomware is morphing into extortionware.
“While all organizations remain at risk in part due to the work from home, I believe healthcare will be the most targeted industry in the next year. In 2021, ransomware will target healthcare even more so than in 2020. As R&D organizations scramble to find a vaccine for the COVID-19 pandemic, ransomware threat actors will similarly be scrambling to make a profit even more so than before. Threat actors will be targeting medical research laboratories, big pharma, biotechnology companies and any third-party companies that healthcare works with, as these organizations will likely be storing the patient data being analyzed in order to create a vaccine,” Daniels adds. “Biotechnology, pharma and medical organizations will have to step up their cybersecurity posture in order to keep up with the wave of new attacks. It will no longer be an option, especially given the pressure for coming up with a vaccine that is tested and safe.”
Jason Crabtree, the CEO and Co-Founder at QOMPLX, a company that makes it easier for organizations to integrate all of its disparate data sources across the enterprise into a unified analytics infrastructure, figures that Active Directory and authentication attacks will continue to dominate ransomware and breach events in 2021.
“As attackers seek dominance in victim networks, attacks against Active Directory and authentication, like the SolarWinds attack, will continue to dominate major ransomware and breach events. In particular, healthcare and manufacturing attacks will continue to accelerate, given a large amount of legacy protocol use and gaps in visibility in critical infrastructure,” Crabtree says. “Business and government entities must prioritize gaining visibility over Active Directory and using Windows Event Logs as a high-quality and low-cost source of additional insight on their networks. Ensuring visibility into privilege attack surface, data capture and coverage for security teams, and external security posture should be prioritized to ensure inside-out and outside-in analysis.”
Finally, Israel Barak, the CISO at Cybereason, a solutions provider handling cybersecurity incident response and assessment, predicts an increase in multi-stage ransomware attacks. “We can expect to see an increase in multistage ransomware embedded in hacking operations. Hospitals, banks and critical infrastructure providers are at higher risk, but many industries face this threat. Only after hackers place ransomware on every computer in the network and then complete other stages of the attack, including data theft, user password stealing and propagation across the network, will they detonate the ransomware across all compromised endpoints,” he says.
COVID-19 Pushes Workers to Edge
COVID-19 and the continuing pandemic have altered the workforce landscape, perhaps forever. In 2021, more enterprises will permanently downsize their physical spaces and give employees the flexibility to continue working from home. Yossi Naar, Chief Visionary Officer, Co-founder of Cybereason, expects this to be the year of “working from anywhere”.
“It is very much a moving target for security and privacy professionals. Coupled with a challenging home environment where devices are often shared with family members and the rapid change that occurred, there was little time to prepare and that fact has been exploited widely by hackers leveraging phishing attacks and known exploits to penetrate and maintain their hold on the remote environment. In 2021, enterprises need to focus on patching the holes in their security defenses as the majority of their workers continue to operate remotely,” explains Naar. “Mobile is the most pervasive and ubiquitous platform in our personal lives. Employees who have to learn new devices and applications will turn to their phones even more than usual because they feel familiar. Companies need to establish policies defining what can and can’t be done with mobile phones in order to get ahead of mobile threats before dealing with other devices.”
At the same time, Nico Popp, the Chief Product Officer at Forcepoint, a data and edge protection company, uses Zoom as a perfect example of the changing cybersecurity paradigm for remote workers and business operations. “With the move to mass remote working and accelerated digital transformation in 2020, cybersecurity has moved up the food chain. Cybersecurity is now a business differentiator, and it needs a category disruptor. The need for a converged, digital, cloud-delivered platform means we’ll see the emergence of the ‘Zoom of Security’ – a high-tech system that ‘just works’ and is easily accessible for the everyday consumer,” says Popp.
While working from home may have become the new normal for many organizations and has changed the profile of software and services the average company relies on, it is this environment that has caused cyber-attackers to swarm VPNs and RDPs as remote worker numbers grow.
Sounil Yu, CISO-in-Residence at YL Ventures and the former Chief Security Scientist at Bank of America, adds that the rapid move to remote work resulted in greater investments in 2020 to support remote connectivity and remote access to corporate resources and he expects that to continue in 2021.
“One major area of spend that grew dramatically was the use of SaaS offerings, such as Zoom, Gong, and Slack. What is often hidden from view is how sensitive data moves among these SaaS tools to enable useful features that support the business. In 2021, some of these hidden data flows are likely to become accidentally exposed en masse due to a misconfiguration or error on the part of one of these SaaS vendors. This exposure might also happen through Plug-Ins and Third-party Addons (what I call PITA) with overly excessive permissions that are common in these platforms. Attackers are also actively targeting users with phishing attacks that try to gain broad permission scope within common SaaS applications. Organizations will need to understand how their data is proliferating across these SaaS applications and protect against any unauthorized data movement and ungoverned SaaS usage.” Yu insists.
Corey Nachreiner, the CTO of WatchGuard, a cybersecurity provider headquartered in Seattle, says while many companies lightly leveraged both Remote Desktop Protocol (RDP) and Virtual Private Networking (VPN) solutions before, these services have become mainstays in enabling employees to access corporate data and services outside of the traditional network perimeter.
“In 2021, we expect attackers to significantly ramp up their assaults on RDP, VPN, and other remote access services. RDP is already one of the most attacked services on the Internet, but we suspect new companies are suddenly using it more as one strategy to give home users access to corporate machines. While we believe you should only use RDP with VPN, many choose to enable it on its own, offering a target for hackers. Additionally, cybercriminals know remote employees use VPN often. Though VPN offers some security to remote employees, attackers realize that if they can access a VPN, they have a wide-open door to your corporate network. Using stolen credentials, exploits, and good old-fashioned brute-forcing, we believe attacks against RDP, VPN, and remote connection servers will double,” warns Nachreiner.
Some experts like Bill Harrod, VP of Public Sector for Ivanti, an IT software provider in Salt Lake City, thinks that COVID-19 will finally be the catalyst for change in authentication and password use.
“Last year we said that passwords would be eradicated by 2025 - little did we know COVID-19 would come in and kill them four years sooner. Alongside this, one challenge we will see in 2021, is people figuring out how to go from relying on passwords for authentication to not just a second factor, but to totally removing that additional friction that passwords create for the enterprise,” Harrod says.
Migration to the Cloud Continues
The shift to the cloud will continue to be a “thing” in 2021 as it’s clear it provides agility, scalability and performance. With that said, IT is waking up to the reality that cloud deployments require steady investment in management, optimization, and security oversight. At least that is what Shauntinez Jakab, the Senior Director of Product Marketing for enterprise-level cybersecurity company Virsec Systems maintains.
“Although many organizations are adept at effectively controlling costs and getting the most of their cloud services, securing and protecting cloud resources remain both a challenge and a risk to the business. Most cloud workloads will be in jeopardy if organizations cannot address skill gaps, resource constraints, configuration mismanagement, and vulnerabilities. So, in 2021, as the scale of cloud workloads grows, expect to see organizations continuing to mischaracterize what security means in the cloud.
“The belief that containers are inherently secure and provider-based security is enough is a great misconception and one that organizations should correct. In production, security tools merely focus on providing activity visibility, policy enforcement, reporting, and encryption. They do not provide application-aware visibility, trusted execution, and attack prevention. To close security gaps and enable business, organizations should consider security implementations that ensure vulnerability protection with granular application control, system integrity assurance, and advanced memory protection at runtime for all cloud workloads,” contends Jakab.
WatchGuard’s Nachreiner continues that phishing attacks have come a long way from the 419 “Nigerian Prince” scams of old. Threat actors now have an abundance of tools to help them craft convincing spear-phishing emails that trick victims into giving up credentials or installing malware.
“Lately, we’ve seen them leverage cloud hosting to piggyback on the otherwise good reputation of Internet giants like Amazon, Microsoft, and Google. Most cloud-hosting services like Azure and AWS offer Internet-accessible data storage where users can upload anything they’d like, from database backups to individual files and more. These services are exposed to the Internet through custom subdomains or URL paths on prominent domains such as cloudfront.net, windows.net, and googleapis.com. Threat actors commonly abuse these features to host website HTML files designed to mimic the authentication form of a legitimate website like Microsoft365 or Google Drive and to steal credentials submitted by unsuspecting victims.
“This style of phish is effective because the email links to spoofed forms that resemble legitimate Microsoft, Google, or Amazon AWS links with domains owned by those companies. In 2021, we predict that these cloud-hosting providers will begin heavily cracking down on phishing and other scams by deploying automated tools and file validation that spot spoofed authentication portals,” concludes Nachreiner.
Ilia Sotnikov, a cybersecurity expert and Netwrix Vice President of Product Management for this southern California IT software company, predicts cloud misconfigurations will be one of the top causes of data breaches in 2021.
“A lack of clear understanding of the shared responsibility model due to the rapid transition to the cloud will backfire in 2021. The speed of transition coupled with prioritizing productivity over security has made misconfigurations inevitable, resulting in overexposed data,” Sotnikov says. “The shortage of cybersecurity experts will lead more organizations to turn to managed service providers (MSPs). In response, hackers will conduct targeted attacks on MSPs in order to get access to not just one organization but all of the MSP’s customers.”
No, Really, Fake News!
Perhaps the most exotic cybersecurity threat many experts predict to rise in 2021 are deepfakes and voice fakes that look to cripple enterprise operations and destroy brand credibility. In 2021, threat actors will move on from basic ransomware attacks and will weaponize stolen information about an executive or business to create fraudulent content for extortion.
“From deepfakes to voice fakes, this new type of attack will be believable to victims, and therefore, effective. For example, imagine an attacker on a video system, silently recording a board meeting, then manipulating that private information to contain false and damning information that if leaked, would create business chaos, to compel a business to pay up” says Randori’s Wolpoff.
Michael Van Gestel, the Global Head of Fraud at UK-based Onfido, a solutions provider of document and identity verification software and analytics, agrees that deepfake is trending up and its sophistication vastly improving.
“Amateur hobbyists continue to use deepfakes as a form of entertainment, for instance on social media, but sophisticated efforts are less prevalent in real-world applications due to the complexity, high-cost, and time-consuming efforts. However, open-source code by a few elite professionals may open it up to others. As increasingly sophisticated fraud attacks rise, it’s something businesses should be aware of going forward. It is pushing businesses and regulators from passive methods (a still photo for biometric analysis) to more active methods (a video or dynamic video with multi-frames). For example, we’ve seen this in the age verification requirements that form a large part of the new German gaming regulations coming into force in July 2021.
“Active methods are more sophisticated solutions in identity verification as a way to combat more sophisticated attacks. Businesses need to be aware that improvements in anti-fraud technologies will be accompanied by increasingly sophisticated and intelligent criminal attacks, so they should start putting in defenses now to stay on the offensive against outside hackers,” chides Van Gestel.
While past employment of deepfakes has largely been used in creating fake videos in misinformation campaigns on social media, change is afoot. With increased video conferences and remote work collaboration, attackers applying deepfake technologies on live, real-time collaboration is a very real possibility for impersonation and social engineering, points out Kowsik Guruswamy, the CTO of Menlo Security in Palo Alto, Calif., who warns that deepfakes are the new “phishing lures” for unsuspecting workers.
“With more distributed team members who may be less familiar with their fellow co-workers, this is a ripe opportunity for threat actors to extrapolate confidential information in what seems like a real video call. We continually see threats evolve in parallel with technology and behavior, and the surge in video conferencing creates increased opportunity for ‘vishing’ (video phishing) in the near future,” Guruswamy says.
Conclusion
Carolyn Crandall, Chief Security Advocate of Attivo Networks, a company specializing in network attack prevention solutions sums up what lies ahead for 2021 and the cybersecurity community, predicting it will be the year when cyber deception goes mainstream.
“Cyber deception platforms have matured to the point where they deliver comprehensive value and are easily operational for companies both large and small. With industry support from leading research firms to associations such as MITRE and NIST, the technology has secured its position as an essential security control for in-network threat defense," Crandall says. "Almost every cyberattack uses some form of deception to mislead users or gain access to their targets. Defenders can now combat these actions by applying well-integrated layers of deception, concealment, and disinformation to hide data and deny access to their adversaries.”
About the Author:
Steve Lasky is the Editorial Director of the Endeavor Media Security Group and is a 34-year veteran of the security industry. He can be reached at [email protected].