Beware the ticking clock

Use of deep fake tech, 'killerware', ransomware and insider threats are all forecast to rise in 2022

As a follow-up to our 2022 Predictions feature in the last issue, we've been canvassing opinions from across the industry on how they see security shaping up as we move through the year.

"Yes, the clock is ticking, but the fuse has also become shorter," notes Peter Stelzhammer, co-founder AV-Comparatives: "The times of patting each other on the back are over - cybercrime is now an organised activity that has become an extremely professional operation.

"In the media, you read again and again about the all too bad ransomware attacks. However, these are increasingly becoming 'killerware' attacks when they hit systems in the health sector and put human lives in danger. Almost forgotten are the other malware attacks that are just as bad, but not as visible. Many more Zombie systems exist with 'normal' malware than systems infected with ransomware, which are equally as devastating."

The most important measures against cybercrime, he says, are still a multi-level security system consisting of firewall, server security and endpoint security, supplemented with a secure backup strategy. "It is equally important to keep the software up to date and patched. Cybersecurity is still an overlooked issue in many companies. This must change: IT security absolutely belongs to the business area of management. The survival of your company could depend on it."

MAJOR TRENDS AND SHIFTS

Meanwhile, the organisers of Infosecurity Europe asked their network of CISOs and analysts to comment on the major trends and shifts they foresee shaping the next several months. Their response was that, while 2022's dominant cyber threats will largely mirror those faced last year, criminals will evolve their modus operandi to boost disruption and monetisation.

"Cyber-criminals are sharpening their skills and techniques, with a focus on using existing attack methods in new ways to hit organisations harder in 2022," says Nicole Mills, exhibition director at Infosecurity Group. "Enterprises must be aware of the tactics attackers are likely to use to access their networks, systems and data, and prepare to respond effectively."

The conference programme at Infosecurity Europe 2022 - 21-23 June at ExCeL London - will cover the topics raised by the CISOs and analysts who contributed their thoughts, with presentations, talks and workshops exploring the themes across the different theatres.

Egress CEO Tony Pepper sees ransomware attacks continuing to be a big problem in 2022. "The most important step that organisations can take this year is to tackle the problem of phishing. Over 90% of malware is delivered via email. The worst thing about ransomware is that, once it's in your organisation's systems, it's incredibly difficult to stop. By making it harder for cybercriminals to gain access in the first place, organisations can protect themselves." They can take back control by stopping entry in the first place and the best way to do that, he says, is to invest in "intelligent anti-phishing technology that can detect the most sophisticated phishing attacks".

Pepper anticipates that the supply chain will become the least trusted channel in 2022, following the high-profile attacks against Kaseya and SolarWinds over the last few years. "Protecting against supply-chain attacks will be at the top of every CISO's priorities this year and loss of trust in the supply chain will drive adoption of the zero-trust approach. However, as zero trust concepts become more popular throughout 2022, organisations should be wary of vendors that claim to singlehandedly be a silver bullet. Instead, organisations should layer combinations of technologies to achieve a truly zero trust approach."

He also expects accidental data breaches to remain a problem, and foresees many organisations beginning to realise the scale of their data loss problems and looking to a "combination of encryption, intelligent data loss prevention and security awareness training measures to help secure their data on email".

"It is likely 2022 will be a more eventful year in cybersecurity," says Todd Carroll, CISO at CybelAngel. "When there is uncertainty, it's best to gain as much knowledge as possible, so you can plan effectively. Something we are seeing is organisations heavily investing in cloud-based security solutions and cloud-based monitoring services, in addition to skilled staff [internal or external] and security awareness training." His top three suggested priorities for the rest of 2022 would be to:

  • Be proactive - look for external threats, search for data leaks, locate shadow IT and monitor for Dark Web mentions.
  • The faster you find the danger, the sooner you can fix it.
  • Help your third parties - if sophisticated companies have data lakes, smaller vendors will, too. You must monitor your data, so that, when a vendor's data leaks, you know earlier and can help them secure your company and your data.

"Be aware of your surroundings," Carroll advises. "Ransomware gangs and other cybercriminals love striking on holidays or just before peak business times when companies are distracted. Make sure you have enough staff to stay on top of threats and can also build in time to let the team rest. InfoSec is a never-ending fight and you must rotate your cyber troops to minimise burnout."

According to Justin Lie, founder and CEO of SHIELD, as the world opens up and travel restarts, fraud prevention solutions must be able to scale to keep up with resurging growth. "However, the effects of the pandemic will have a lasting impact on the way fraud is conducted," he says. "For example, the shift to online banking has been a goldmine for fraudsters. As more users migrate to online channels, companies with weak cybersecurity measures will be more at risk. The race to win new customers has companies fighting for dominance where the key differentiator will be the balance between user experience and security. We can't let bad actors through the gate, as it's a sure way to lose existing customers while also making it hard to obtain new customers."

As companies scale their growth, they should also make sure they scale their systems and infrastructure - specifically their fraud prevention solution. "This means increasing the volume their platform can take, as well as making sure the coverage of the fraud prevention solution can cover more ground and be effective in fighting new fraud use cases. It also means detecting behaviour that has never been seen before and is more complex," Lie advises.

Next, it will be essential for companies to invest in AI and machine learning if they haven't done so already. "Harnessing machine learning and AI is not just to keep up with the level of fraud attacks, but to stay ahead of them."

Ransomware attacks are expected to continue rising in 2022, but are likely to look different, as hackers become aware that the return on investment they can achieve by encrypting data is diminishing. "Criminals are busy exploring alternative means of monetisation," comments Rik Ferguson, vice president of Security Research, Trend Micro. "The act of encrypting data and denying the owner access to it is actually a minor way of making money.

"Criminals will focus on their secondary and tertiary means of extorting money - for example, threatening to release data for public exposure, contacting people who are a part of the data set and trying to exploit them, or piling denial of service attacks on top of encryption."

This view is echoed by Barry Coatesworth, director - Risk, Compliance and Security, Guidehouse. "Ransomware will continue to evolve and the sophistication of the techniques criminals use will improve," he states. "They will become more astute in what situations their victims want to avoid, to maximise payment. Attacks affecting the supply chain will probably also increase - including managed service providers (MSPs) that manage parts of infrastructure or software for other organisations, because, if adversaries can get to them, they can also get to many of their clients."

Coatesworth anticipates an increase in social engineering, which tricks users into making security mistakes or giving away information. "Threat actors have been recruiting insiders with the promise of millions of dollars if they help them gain access to an organisation's system to install malware," he says.

"This, combined with growing attacks against operational technology (OT) systems and critical infrastructure services, could result in serious disruption, potentially even endangering human life. Improvements in deep fake technology for instance have allowed threat actors to bypass multi-factor authentication [MFA] and also elicit fraud by using faked audio." Countering these threats will require organisations to improve their preparedness for incidents and build their ability to respond effectively.

For Munawar Valiji, CISO, Trainline, the recalibration of tooling and capability for the post-pandemic world will be a priority. "Organisations need to validate their use of basic security tooling - such as vulnerability management, and virus and malware protection - to make sure that they haven't degraded against the performance expected of them. There will be more centralisation of those functions, and increased focus on automation and orchestration."

Independent researcher David Edwards believes that cybersecurity will attract more senior leadership attention in the coming year. "I think we'll see an increase in boards taking more interest in cyber risk, as spend increases. Meanwhile, vendors will align their product strategy to empower Zero Trust; however, we'll see slow adoption throughout 2022, as a result of businesses starting to compete more aggressively in the digital landscape."

Meanwhile, Rick Jones, CEO, DigitalXRAID, recalls how everyone spent 2021 wondering what a post-Covid world might look like "and, if recent history has taught us anything, it's that we should expect the unexpected. Every week, we are seeing new cybersecurity threats that can seriously harm businesses and we will see many more by the end of 2022", he predicts.

"Developing an holistic cybersecurity strategy is essential to protecting against more frequent attacks and businesses can do this by prioritising three key areas: people, processes and technology."

States Cloudflare chief security officer Joe Sullivan: "With any luck, 2022 will see the waning of the pandemic that drove us to isolation - but one thing will not return to pre-Covid times: our dependence on the Internet. We rely so much more on online connectivity for commercial transactions and interpersonal connections.

"That's why we felt the pain of cyber security issues so deeply in 2021 - whether it was ransomware or currency theft or nation-state actions. And that is why we need to do more for security in 2022." Businesses need to accept that investing in security is good for business, he advises. "It starts with employing dedicated security professionals who can help build the right security controls. They can help the business own its online presence more by securing their websites, so consumers can trust them. And especially in the more distributed workforce world we live in now, every business needs to invest in zero-trust approaches to reduce the risk of their employees' online accounts being stolen.

"Account compromises are often the easiest way for an attacker to get into a company environment," cautions Sullivan. "And, last but not least, a third area of investment should be in security awareness for employees, ideally with that message reflected in the right tone from the top of the organisation."

If 2021 and 2020 have taught us anything, it's that change is the only constant, states Roland Carandang, managing director at Protiviti. "This is partly because of the ‘Big C’ [Covid] and also because of unrelated innovations, including advancements in quantum computing, neuroscience, materials science, even space travel. And really, who could have predicted the rise of NFTs? As a leader in information security, how best to plan for such a dynamic future? By embracing uncertainty and embracing our people."

Here are some other Cs that Carandang recommends, in order to achieve that:

Connection and Control: "Our people have spent nearly two years adjusting to disruption in their personal and professional lives. Many of us just want to feel connected again... to other people. Even before the pandemic, scientists like Daniel Pink presented solid evidence that people want control - over what they do, who they do it with and when they do it."

Light Coupling of Capabilities: "2021 delivered continued improvements in technological capability, driven in large part by underlying advancements in artificial intelligence and ecosystem integration. While some vendors are taking this opportunity to take over their customers' architecture, others have embraced openness and integration. In a world where uncertainty is high and, practically, where availability of 'hot product' skillsets is low, the latter path feels most sensible."

Creativity: "2021 also brought improvements in low/no code platforms and increased use of innovation systems, like LUMA, and tools, like Mural," adds Carandang. "The start of the year is often a time to enable our people for success. While this certainly includes technical training, complementing this with innovation training will help with the other Cs presented here by helping our people better engage with each other to envision possibilities and deliver meaningful change in their organisations."

Infosec professionals need to expect the surge to continue - especially as attack tools and their 'as-a-service' variants adapt to increased awareness and strengthened defences, warns Sean Newman, vice president, Product Management, Corero Network Security.

"An area that experienced major growth was Ransom DDoS [Distributed Denial of Service] attacks that saw a 29% year-on-year increase, according to data from Cloudflare," he points out. "These types of attacks have the benefit of being open-loop - or asymmetrical - as an organisation can be attacked without the perpetrator needing to gain access to internal systems, establishing command and control or receiving any exfiltrated data.

"Worse still, traditional business continuity plans, such as multiple data centres for resiliency or data backups, are rendered useless, as these attacks aim to overwhelm a victim's ability to benefit from the Internet or access online services. Organisations must evaluate their preparedness to counter these types of attacks and put in place suitable countermeasures to ensure they don't become the next victim."

Although supply chains have been exploited by cybercriminals for many years now as an easier route to penetrating even the best guarded organisations, the last 12 months have seen a spate of high-profile incidents that have had a massive knock-on effect. "These have not gone unnoticed by the criminal gangs," continues Newman. "The recent Log4J vulnerability disclosure highlights the broadness of that 'supply chain' definition and organisations would be wise to start examining all their suppliers, as they could be introducing this and other weaknesses, into your environment, for attackers to exploit."

An associated, and often-overlooked, area is service suppliers such as ISPs, UC and hosting providers. The DDoS attack last year against Voipfone, a highly regarded UC provider, impacted connected businesses across multiple weeks and highlights that the customers of such providers need to verify they can demonstrate not just protection against DDoS, but also contingency plans to ensure service continuity. This year, organisations need to start having these types of blunt conversations with suppliers - not putting it off until it's too late.

"Organisations should also think about doing some testing of their protective measures," adds Newman. "Will our defences work, if we are the target of a DDoS attack? What happens if our ISP or hosting provider goes down? If the last few years of global pandemic have taught us anything, we all need to have a 'Plan B'."