The macro-trend I’m most alarmed by today is the fact that attackers don’t seem to care about getting caught anymore. We have seen an increase in the temerity of attacks by nation-states, such as the Russian attack on SolarWinds, and seen their attack tactics shift from targeted, stealthy operations into opportunistic hacks for potential future uses, such as the attacks attributed to Hafnium.
Such a brazen approach hasn’t been a common tactic of nation-states in the past, but now seems to be the status quo. In part, this trend may also be due to a destabilization of the international relations climate stemming from COVID-19, as well as work-from-home forcing core business services out onto the internet to facilitate employee access.
Broadly speaking, we should see China as a rising cybersecurity threat on the international stage. That has been the case for some time in terms of their economic, defense and military posture, but 2021 has quite clearly demonstrated that the relationship has deteriorated into a sort of Cold War, with espionage playing out in the cyber-domain.
Time To Head Back To The Office?
The rapid and globally synchronized shift to work-from-home was hugely impactful from a security attack surface standpoint, but we were collectively focused on the same goals. As the dust begins to settle on the pandemic, a new threat emerges: Technological disruption as a result of a transition to hybrid work, where the goals are widely varied and generally less defined. As a result, the home is now viewed as part of the attack surface, and this introduces such a vast number of new variables that it’s safe to say that we don’t really know how that works yet.
This is a disturbing development because it is so easy to determine the home address of a potential target these days, bringing the employee’s house into scope as a newly vulnerable attack surface.
Similarly, how should security measures work to protect Zoom video calls? We are all working on these same problems, but there is no easy solution because the approach to hybrid work differs for every organization. Any time complexity increases, so does the potential attack surface.
We have seen increased interest in consumer internet of things (IoT) and home-router zero-day exploits, with attacks following close behind. In the past, the home as an attack vector was rarely interesting to sophisticated nation-state attackers or cybercriminal gangs, but we should expect to see more activity in this area over the coming year.
Tackling the Ransomware Elephant in the Room
Ransomware has been working well for the bad guys for quite some time now, but in 2021, it established itself as a highly effective and lucrative criminal business model. Just like any regular business, things that work tend to accelerate, receive investment, and evolve, and we should expect to see a continuing acceleration in the adoption of ransomware tools by attackers, including the criminal enterprises funded (or shielded) by nation-states.
The ransomware problem is particularly acute for the healthcare sector. Shutting down computer networks at hospitals and clinics can quickly spiral into a case of life-or-death for patients, and the increased awareness of healthcare’s critical nature makes it an attractive target to hold to ransom. I hope this predicament will force providers to innovate by developing a new category of security solutions to disrupt the economics of ransomware.
We saw a promising development in Q2 of 2021, when the insurance firm Lloyd’s of London retracted their insurance policies for ransomware payments in France. Lloyd’s adjusted their policies to not pay ransom costs anymore, likely because their actuaries told them it was irrational to insure against this problem — we’re just not very good at preventing it yet. That step will likely signal big changes coming for the insurance, fintech and security industries in the year ahead and beyond.
Priority #1: Getting Our Heads Out of the Security Sand
Perhaps the most encouraging trend of all may be the disruption of indifference to the security problem that we have seen from leaders of organizations across all types of industries and regions. 2021 has very clearly demonstrated that the cyber boogeyman is real and active, and could attack them next.
Many organizations are still stuck in “ostrich risk management”: hoping that by burying their heads in the sand and ignoring the problem, it will cease to matter. However, the steady increase in attacker activity throughout 2021 is continuing to erode this as a viable strategy: the cybersecurity problem is growing, and breaches can happen to anyone next.
Consumers are weighing in too, becoming more wary about security hacks and breaches. In turn, that awareness is influencing buyers to demand products that will make security a prime feature and market differentiator.
Casey Ellis is chairman, founder and CTO at Bugcrowd.