Another strange year is coming to an end, or so my calendar tells me. Events in the real world are still disrupting timelines for many of us, but if my calendar says it’s almost December 2021, I’ll have to believe it. As is traditional at this point each year, people tend to reflect on what has occurred and what will happen during the coming year. Rather than defy tradition, we’ll embrace it and reflect on 2021 from a business cybersecurity perspective and then look at what industry experts, and internet security trends in general, predict 2022 will bring on the security front.
Cyberattacks hit the news headlines a lot this year. Ransomware attacks, in particular, were widespread and impacted both traditional IT services and physical infrastructure in the real world. If we were going to coin a name for 2021, then “the year of ransomware” wouldn’t be too far from the mark. Infamous attacks that had a significant impact this year included:
Using a compromised password, the Darkside ransomware gang was able to infiltrate the IT systems that managed an essential petroleum transfer pipeline running from Texas to the densely populated US north-eastern region. This resulted in a shutdown in the flow of fuel and several days of shortages. The Colonial Pipeline operator reportedly paid a ransom of $4.4 million to get a decryption key from the cybercriminals (of which the FBI allegedly recovered $2.3 million).
A ransomware-as-a-service attack by the Conti ransomware gang severely disrupted the medical records and clinical systems used by the Irish Health Service Executive (HSE). This led to canceled medical procedures and weeks of disruption. The Conti gang also targeted other healthcare providers in all global regions.
The REvil ransomware gang disrupted the systems of JBS Foods, one of the largest producers in the United States food supply chain. This led to disruption in the just-in-time supply chains that food processors and product producers rely on.
The Darkside gang also attacked Toshiba with ransomware in 2021. The attack started in the European subsidiary of Toshiba, and attackers stole significant amounts of data and demanded a ransom payment. As far as is known, Toshiba did not pay any ransom to the criminals trying to extort them.
Taiwan-based Acer was also the victim of an REvil ransomware attack this year. This attack led to the release of stolen sensitive data by the criminal gang and one of the largest ransom demands ever at $50 million. It is unknown if Acer paid anything to the gang.
This is just a sample. Ransomware was rampant in 2021 and made up 79% of the attacks that Sophos’s Rapid Response team had to deal with (as outlined in our previous blog What is Ransomware, and How Do I Stop it?). Ransomware is such a problem now that it is firmly on the radar of governments and nation-state law enforcement agencies. Governments in countries that are the primary targets for ransomware have told the governments in the countries where the gangs operate that attacks on critical infrastructure will be classified as terrorist activity and elicit similar responses. This has been a major change in 2021. It’ll be interesting to see if it has a dampening effect on the gangs as they come under local and international law enforcement scrutiny.
Ransomware wasn’t the only attack type used in 2021. However, it was the largest by volume due to the returns available and the availability of ransomware-as-a-service tools that allow criminals without IT skills to mount attacks.
Supply-chain attacks also made the headlines this year. These come in two types. The first is software supply chain attacks that seek to compromise software tools used in multiple organizations (like the SolarWinds attack discovered in 2020 that was still causing issues in 2021). The second is attacks against companies in the supply chain with the aim of then jumping from them to larger targets over digital connections. These latter types of supply chain attacks tend to use vectors like phishing and malware drive-by attacks rather than a compromised software tool.
This year, cybercriminals also continued to use other attack types such as malware, phishing, business email compromise (BEC) attacks, data theft, cryptocurrency miners, and more. But ransomware was the number one attack vector by a large margin.
A common theme from many cybersecurity analysts looking forward to 2022 is that cybercriminals will use what they have learned in 2021 to supercharge their attacks in 2022. This year has shown that they can quickly adapt to emerging threat opportunities and retool their techniques to attack organizations of all sizes. This will still be the case in 2022, even as organizations use the knowledge gained in 2021 to shore up cyber defenses.
What specific attack vectors will need watching and defending against in 2022? Reading across many cybersecurity company sources points to the following list.
No big surprise here. The ransomware gangs have had substantial financial returns, and they will continue their attacks in 2022. There are some indications that law enforcement agencies’ focus on the prominent gangs will have a chilling effect. But given the availability of easy-to-use tools that even non-experts can use to mount attacks, we can expect other groups to fill any gaps that result from successful countermeasures. In addition, many adversarial nation-states will use ransomware attack techniques for destructive attacks. In these, they trigger encryption but don’t ask for a ransom, as the goal is disruption.
The metaphor of an arms race is often used to describe how cybersecurity teams strive to stay ahead of the criminals and their goal to discover and exploit new vulnerabilities. Business cybersecurity teams will need to be ready to deploy newly released updates and security patches as soon as they are made public. Cybercriminals are watching for recently announced patches and immediately start to scan systems on the internet to try to find vulnerable servers. All unpatched servers are essentially zero-day attack vectors for the criminals until you apply fixes. Dealing with rapid patching will be crucial in 2022 and beyond.
The vulnerability discovered in the widely used Java Log4j logging framework, which was made public on the 9th of December 2021, is the latest in a long line of exploitable issues discovered in software systems. Incidentally, there is evidence of the Log4j issue being used by attackers as early as the 1st of December. We provided guidance on how the Log4j issue impacts the Progress Kemp and Progress Flowmon solutions in this recent support article.
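The first step in the rapid-patching cycle described above is knowing where the vulnerable component actually is, and for Log4j that was harder than it sounds because log4j-core is routinely bundled inside application WAR, EAR and uber-jars rather than sitting in an obvious library directory. The following inventory scanner is an added example written for this post; it is not Progress, Kemp or Flowmon code. It assumes that a log4j-core jar carries its version in the standard Maven pom.properties entry and that the JNDI lookup class lives at the usual `org/apache/logging/log4j/core/lookup/JndiLookup.class` path; the minimum safe version is a parameter you take from the vendor advisory you are working from, not a value baked into the code. The sample tree it builds in `build_sample_tree` is constructed fixture data, not real software.

```python
"""Inventory check for Log4j 2 core jars, including jars nested inside WAR/EAR/uber-jars.

Added example (not the article's or the vendor's code). Assumptions:
  - log4j-core jars contain META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
    with a 'version=' line (standard Maven packaging);
  - the JNDI lookup class is at the path in JNDI_LOOKUP_CLASS;
  - min_safe_version is supplied by the caller from the current vendor advisory.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing or non-numeric components become 0."""
    parts = []
    for component in text.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple((parts + [0, 0, 0])[:3])


def classify(version, jndi_present, min_safe_version):
    """Translate a finding into what the patching team needs to do."""
    if version is not None and parse_version(version) >= parse_version(min_safe_version):
        return "patched"          # at or above the advisory's safe version
    if not jndi_present:
        return "mitigated"        # lookup class stripped from the jar (interim workaround)
    return "vulnerable"           # old or unknown version with the lookup class present


def inspect_archive(zf, label, min_safe_version, depth=0):
    """Findings for one zip archive; recurses into nested archives up to two levels deep."""
    names = set(zf.namelist())
    findings = []
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi_present = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi_present:   # either marker means this is log4j-core
        findings.append({
            "archive": label,
            "version": version,
            "jndi_lookup_present": jndi_present,
            "status": classify(version, jndi_present, min_safe_version),
        })
    if depth < 2:   # jar inside WAR inside EAR is as deep as we look
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                        findings.extend(inspect_archive(inner, f"{label}!{name}",
                                                        min_safe_version, depth + 1))
                except zipfile.BadZipFile:
                    continue   # an entry that merely ends in .jar but is not an archive
    return findings


def scan_tree(root, min_safe_version):
    """Walk a directory tree and report every log4j-core occurrence found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = Path(dirpath) / filename
            try:
                with zipfile.ZipFile(path) as zf:
                    label = path.relative_to(root).as_posix()
                    findings.extend(inspect_archive(zf, label, min_safe_version))
            except zipfile.BadZipFile:
                continue
    return findings


def _jar_bytes(version=None, include_jndi=True, nested=None):
    """Build a minimal constructed jar in memory (fake class bytes, fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPERTIES, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample data: an old core jar, a stripped one, an unrelated jar, and a WAR hiding one."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-old.jar").write_bytes(_jar_bytes("2.14.1", True))
    (root / "lib" / "log4j-core-stripped.jar").write_bytes(_jar_bytes("2.14.1", False))
    (root / "lib" / "unrelated.jar").write_bytes(_jar_bytes(None, False))
    nested = {"WEB-INF/lib/log4j-core-old.jar": _jar_bytes("2.14.1", True)}
    (root / "app.war").write_bytes(_jar_bytes(None, False, nested))
    return root


def demo(min_safe_version="2.16.0"):
    """Build the fixture in a temp dir, scan it, and return {archive label: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f["archive"]: f["status"] for f in scan_tree(tmp, min_safe_version)}


if __name__ == "__main__":
    for archive, status in sorted(demo().items()):
        print(f"{status:<11} {archive}")
```

The "2.16.0" threshold in `demo` is only a placeholder for whatever version the advisory you are following names as fixed; the point of the nested-archive recursion is that a scan of `lib/` alone would miss the copy packed inside `app.war`, which is exactly the kind of blind spot that turns a one-day patch job into a weeks-long one.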
Several regimes tolerate the activity of cybercriminal gangs operating from their jurisdictions. This has led to Government warnings that they will class cyber attacks from these regions as terrorism. Head of State summits have put countering ransomware on summit agendas. Analysts expect the rhetoric in this area to ramp up in 2022, and some industry commentators say that there could be military responses against gangs or national assets if there are attacks against critical infrastructure or healthcare systems.
The criminals know that the supply chain provides many weak links that they can target and exploit when looking to attack partner organizations. This means that in 2022 and beyond, company cybersecurity defenses and strategies will need to take the cybersecurity posture of business partners and the supply chain into account. Just focusing on your own infrastructure and endpoint devices will not be enough.
Vulnerabilities in open source tools and libraries, microservices, and commercial software products used by many organizations will continue to be a target and an entry point for sophisticated attackers. This technique will continue to be used by nation-state teams that have the blessing of adversarial regimes.
Most commentators agree that the working model in 2022 and beyond will have much more home and shared space working. A return to the pre-pandemic office-first workplace will not happen for a majority of information workers. This will continue the uptake of more mobile endpoint technology solutions as a primary work device. This will expand the security perimeter for organizations so widely that the concept of a network perimeter will be essentially obsolete. Attackers will target mobile and home workers with technological and social-engineering-based attacks. The deployment of zero-trust networking and frequent company cybersecurity awareness training will increase to improve security in this new world of work.
Mobile devices are ubiquitous in all global regions. These devices hold a lot of information valuable to attackers. In 2022 there will be an increase in the number of applications designed to steal this data and pass it to criminals. Both Apple and Google are doing a lot to prevent these applications from being accepted on their app stores, but the criminals are good at hiding their malware-infested apps in plain sight. Controlling what apps can be installed on devices that access corporate networks has always been essential, and in 2022 and beyond will only become more crucial.
Many cybersecurity defense organizations use tools to do penetration tests to find vulnerabilities and security gaps in their clients’ networks. Many of these tools are similar to those that the criminals use. Recently, there has been some movement in the other direction as criminals have started to use suites created for defenders, such as the Cobalt Strike adversary simulation and red-team operations suite. Sophos reported that attackers used Cobalt Strike in 6% of the engagements their Rapid Response unit dealt with in 2021. Many commentators expect this to rise in 2022.
Attacks that use multiple attack vectors and techniques at the same time will be increasingly common in 2022. This means that if an attack vector gets discovered, there should be an assumption that other attack methods not yet found are also in progress.
Just as machine learning (ML) has become common in all IT and business analytics sectors, the bad actors also use it. Many researchers expect attackers to use ML-based systems to generate believable content and images for fake sites used in phishing and other social-engineering-based attacks. They also expect ML-based brute force attacks designed to guess passwords to become more widespread. Business cybersecurity professionals will need to keep pace with the attackers and rapidly deploy ML-based security tools to augment their human cybersecurity teams.
There is a global shortage of skilled cybersecurity professionals and technical staff more generally. The pandemic has only worsened this shortage, with significant numbers of people switching jobs or leaving the industry entirely. Those company cybersecurity workers still in place have been under severe pressure over the last 18 months. A VMware survey of cybersecurity professionals reported that 51% of respondents had experienced extreme stress and burnout. HR experts expect the skills shortage to worsen in 2022.
The number and financial impact of ransomware attacks up to 2021 will change the market for cyber insurance in 2022. Companies looking to obtain or renew their insurance against cyberattacks will need to demonstrate that they have taken all the precautions they can. Experts appointed by insurance companies will want to audit the business cybersecurity measures that are in place. Even when businesses can purchase insurance, the premiums and the deductibles will be higher. In many reported cases towards the end of 2021, the costs are significantly higher than in previous years. This trend will continue into 2022, and industry experts expect this pressure from insurance companies to be a driving force in an overall improvement in business cybersecurity practices. Money talks, as the saying goes.
As Governments focus more on the threats from cyberattacks against critical infrastructure, they will also want to regulate how impacted organizations respond. Mandatory reporting of ransomware attacks, data breaches, and possibly a ban on paying attackers are all likely to be enacted in several countries in 2022.
These are the main areas that analysts in cybersecurity circles are discussing. I’m sure that other surprising and unpredictable things will happen in 2022 as well.
Defending against current and future cyberattacks requires a range of cybersecurity tools and techniques deployed at all levels across people and technology. But even with the best tools, highly informed staff, and business cybersecurity experts in place, there cannot be a 100% guarantee of protection. People make mistakes (we all do), and company cybersecurity planning needs to account for this and assume a network breach will occur at some point. The question becomes what to do when this happens.
Flowmon Anomaly Detection System (ADS) is a pivotal part of any company cybersecurity defense system. ADS is a security solution that uses machine learning to detect anomalies hidden in the network traffic. It complements conventional security tools and creates a multi-layered protection system capable of uncovering threats at every stage of compromise.
Deploying ADS to monitor the network enables anomalous behavior to be detected early. If the anomaly is due to cybercriminals, their activity can be isolated and analyzed. Then the attackers can be expelled from the network before any spread or damage has occurred.
The coming year will be another interesting and busy one for company cybersecurity teams and managed security service providers. To be forewarned is to be prepared, so hopefully, this overview of what industry experts predict for 2022 will be helpful. In any event, here’s to a prosperous and safe new year!