2020 became a four-letter word in itself and the subject of many memes. However, we did mobilize the largest remote workforce…ever. We have catalyzed how we do business and even managed to burn less fossil fuels. The question now is what will 2021 hold for us all in a globalized, connected, and perhaps new-normal world?
Here are a few likely moves from the cyber adversaries in 2021 and where the risk lies.
Risks associated with working from home in 2021 (Contributed by: Yossi Naar, Chief Visionary Officer & Co-founder, Cybereason)
A major change in the world due to Covid-19 has been a swift and encompassing move to working from home. This change brought many challenges to IT departments and with those challenges — many opportunities that hackers like to exploit.
We can expect more of the same in 2021 as remote working continues and enterprises permanently downsize their physical space and give employees the flexibility to continue working from home.
The home environment has always been cause for concern for many in the security industry. Home equipment is often unpatched, unmanaged, and exploited with no one ever becoming aware. Home routers are notoriously vulnerable and many routers remain unpatched and in some cases —unpatchable as vulnerabilities aren’t always fixed for older equipment.
Coupled with a challenging home environment where devices are often shared with family members and the rapid change that occurred — there was little time to prepare and that fact has been exploited widely by hackers leveraging phishing attacks and known exploits to penetrate and maintain their hold on the remote environment.
Organizations that have taken their time with the move from home, relying on a perimeter protection approach remain particularly vulnerable to the move to a remote workforce. Many organizations still have not had the time to prepare and upgrade their environments to deal with the new reality.
The positive of all of this is that we’re seeing progress in the adoption of zero trust and a fundamental change in the way IT is viewing cloud workloads, and remote monitoring of devices. There’s an understanding that working from home is here to stay — and this understanding encouraged and accelerated a paradigm shift in IT management and security operations.
Many devices that live on the home network like printers, routers, and newer IoT devices that have poor security present perfect opportunities for hackers to gain a permanent foothold into a local home environment. When threats make their way through emerging vulnerabilities such as zerologon to take over unpatched networks — these threats can spread and gain a hold back in the home environment.
The risk of cross-infection between environments pushes us to accelerate the adoption of endpoint-based protections that increase what you know and see in every environment. Hackers have had to adapt quickly as well, those targeting enterprises now look more at home environments as a lucrative entry point. They too needed time to adapt — and they are adapting fast.
2021 can be a transformational year for global cyber-security — defenders and attackers now live in the same battleground, whereas before many considered the internal organizational network as fundamentally secure — this illusion no longer holds. This shift is a positive development because it promotes a healthier, safer understanding of the true battleground, as well as a healthier and more secure home environment.
A rise in cyber threats facing SMBs in 2021 (Contributed by: Israel Barak, CISO, Cybereason)
Small and medium-sized enterprises (SMBs) are very often ‘victims of opportunity’ — a combination of untargeted attack campaigns that happen to include enterprise assets like email or IP addresses.
A vulnerable enterprise security perimeter often leading to a breach that can escalate into causing business impacts, like ransomware or denial of service.
SMBs are often targeted by cybercriminals for the value of the data or services that they provide (e.g. credit card information), when attackers assume that the value of the compromised data will justify the effort in breaching what appears to be an inadequately protected target (“low value for a low effort”).
SMBs that offer managed or professional services for larger organizations are often ‘staging targets’ — they are targeted to serve as a jump-off point to provide the attacker with access to their customers’ data or into their customers’ systems.
For SMBs, the biggest security risks in 2021 will involve:
- Mobile Devices
- Accelerated Cloud Services Adoptions
- Increases in attacks on Managed/Professional Service Providers
Mobile technologies, bring your own device, and remote work challenge businesses by amplifying risk and require re-thinking of security architecture and technology Business executives and network operation personnel will represent higher risk since their access to business-critical systems is not commonly restricted by the same higher degree of protection and limits that is imposed on other employees.
Accelerated adoption of Cloud Services to host systems and data will amplify the risk of data breaches and service disruptions in poorly managed enterprise cloud environments. The COVID-19 crisis has accelerated digital transformation initiatives and cloud adoption and we’ll see continued acceleration in 2021, but most small and medium enterprises still lack the security controls, processes and skill-set to ensure visibility into their cloud assets and adequately secure their cloud footprint.
Managed and professional services providers are going to be increasingly targeted because of the type of data they process, services they deliver or systems that they have access to.
Multi-state ransomware attacks increase in regularity (Contributed by: Israel Barak, CISO, Cybereason)
In 2020, Cybereason continued to see fewer strains of ransomware in total across networks, yet the existing strains raked in more gains. Hackers do this by better targeting and making more money from each target. In 2021, we can expect to see an increase in multistage ransomware embedded into hacking operations.
Hospitals, banks and critical infrastructure providers were at higher risk but many industries faced this threat. Only after hackers place ransomware on every computer in the network and then complete other stages of the attack, including data theft, user password stealing and propagation across the network, will they detonate the ransomware across all compromised endpoints.
The good news, however, is that defenders with a rapid detection and response process to detect the attack at its early stages, can respond effectively before ransomware is able to impact the environment.
To do this, first and foremost, enterprises need to minimize the amount of time it takes to respond to threats. This is best achieved by deploying threat hunting services around the clock.
In addition, resilience and security can no longer be an afterthought. It is very important for next-generation networks to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead.
In addition, enterprises should partner with the experts that have vast knowledge of cyber threats with the public and private sectors working closely together to protect the networks of our banks, hospitals, oil & gas companies, aviation industry and other critical infrastructure.
And finally, test, test, test. Tabletop exercises that enable a red and blue team to role play different scenarios and the real time response to those scenarios is critical for enterprises when having to actually have to deal with a threat in real time. Never underestimate the value of tabletop exercises in shoring up weakened defenses and helping executives understand the importance of security.
XDR: A future with extended detection and response (Contributed by Yonatan Streim-Amit, CTO & Co-founder, Cybereason)
We are in a new world where recent surveys estimate that in 2021 nearly half of employers intend to allow employees to remotely work from home on a permanent basis. This means employees need anywhere, anytime access while at the same time the quantity and complexity of the cyber attacks we face have ramped up.
Does your enterprise deploy the technologies to stop correlated attacks across all users, devices and endpoints in your network? If you answered no, 2021 could be a rough and tumble year. XDR should allow organizations to be able to readily detect, correlate, and end sophisticated attacks wherever they start on the network. By fusing together endpoint telemetry with behavioral analytics for XDR, security teams can protect users and assets wherever they are in the world.
Finding the right XDR solution doesn’t have to be a painful process if you understand what the solution should look like. First, security begins with knowing what to protect. An XDR solution should empower analysts of all skill levels to quickly dig into the details of an attack without the need to craft complicated queries. XDR is intended to extend traditional detection and response capabilities from the endpoint out to critical SaaS services, email, and cloud infrastructure.
XDR solutions should also deliver superior visibility and enhanced correlations across both Indicators of Compromise (IOCs) and key Indicators of Behavior (IOBs), the more subtle signs of network compromise. XDR detections also need to identify suspicious user access and insider threats.
And last but not least, XDR solutions should make it simple for analysts to understand the full attack story immediately, and remediation actions such as kill process, quarantine asset and remote shell should be automated or accomplished remotely with a simple click. A solution should also offer automation options for immediate remediation of threats and continuous threat hunting.
XDR is a promising approach that can reverse the attacker advantage and return the high ground to the defenders by extending detection and response capabilities across the broader IT ecosystem that makes up modern enterprise environments. This unified detection and response capability can automatically surface Malops across the entire IT stack including endpoint, network and cloud deployments.
Defender threats (Contributed by: Sam Curry, CSO, Cybereason)
Another year and another lament for the security gap. It seems to keep growing in spite of producing more cyber graduates than ever before. It doesn’t have to be this way.
We can do more to bring in new talent from new sources. This starts with continuing trends in diversity that have only really just started: we need more women, more transgender, moreneurodiverse, more everything.
We want the most talented people, and we need to make sure that wherever they are, whatever their backgrounds, that they have a chance to join us.
We can also do more to advance the state of the art, to improve curricula and to consciously encourage others to try. We can and should do this morally, but it’s also a competitive advantage. The adversary is diverse, so why aren’t we? In diversity lies flexibility, options, perspectives.
The key to winning will be for everyone to get a shot at cyber if that’s what they want to do or might want to do. In a sense, we have to get more Agile at doing the right thing. For years, we’ve advocated getting more Agile in how we do security. Now we have to get more Agile in how we adapt and move forward.
Why not retrospectives on how it’s going? Why not sprints on diversity? If we burn down tech debt and now security debt, why don’t we burn down that talent gap in the same manner? Let’s do that in 2021!
High level takeaways
We banned IoT from the Enterprise. Who knew that the Enterprise would come to IoT! The new Enterprise address space is consumer ISPs, and the bad guys know it. 2021 will contain a resurfacing of old exploits that target out of data printers and routers, repurposing of DLP techniques for the dark purpose of exploring the world around compromised endpoints and bots. Worst of all, the ubiquity of IoT, starting with poorly protected home automation will begin.
The dark side has not been idle and can use commodity voice-to-text capacity to compromise IP stacks in homes to mine for intelligence and spy with the very best cameras, microphones, storage and access. The time is now for someone to create a new business to bring IT-level support, maintenance, security and maybe even privacy services to the home.
If Enterprises will pay 10s of thousands for employees to sit in an office, will they perhaps subsidize and protect employee homes one day through outsource contracts at a fraction of the cost to keep us all safe and productive?
2021 will be about ‘work from anywhere’ and it is very much a moving target for security and privacy professionals. We must understand the adversary is moving into a new normal as well. They may not yet have found ways to exploit all weaknesses or even any given weakness. They too are pursuing the lowest hanging fruit while investing in some longer term R&D as they continue to develop new attacks specifically for the home environment.
Threat actors may be purchasing tools from cybercriminals, mining existing botnets to see what IP is on those already-compromised machines or targeting home automation, printers and routers after triangulating IP addresses and digital locations for targets. In the year ahead, targeting new dimensions of technical diversity and innovating to develop new attack vectors will be the name of the game for the bad guys.
Once upon a time, hackers fell in neat behavioral buckets that made their motivations and goals discernible. Or at least they appeared to do and for the most conformed cleanly. However, over time they have become less clear: nation states like North Korea hack for profit to deal with economic sanctions, cybercrime rent out their services to any and all takers, and ransomware has become a tool of the state too.
To further complicate matters, nation states like Iran publish tools to seed back doors in the criminal world and to provide healthy background noise, and government employees for offensive agencies from China to Russia moonlight or go private, without even taking into account the possibility of false flag operations.
While clear modus operandi are still possible to help guide investigations and make them more efficient, the net result is that neat categorization schema generally and attribution specifically serve less and less use. This trend will continue, so it’s important to prepare for all potential attackers and to some extent to avoid blindspots produced by a false sense of certainty in who the enemy is.