2020 was anything but ordinary. Here’s a look at what the world was thinking about over the last 12 months, and here’s some highlights of what occurred in cybersecurity, but we’re not going to dwell on the past right now. Instead, let’s take a look at what’s in store for 2021. While no one has a crystal ball, this is how we see things unfolding based on what we know today.
Ransomware – We Haven’t Seen Anything Yet
Not only will the ransomware epidemic continue, it will get worse. Attacks will become more sophisticated and attack frequency and associated ransom demands will increase for several reasons.
First, attackers have grown to understand the profile of an easy target, which has proved for now to be municipalities and local government organisations. These targets hold limited resources, are slow to patch, utilize legacy defense solutions and employ yesterday’s technology and best practices in an attempt to solve tomorrow’s problems.
The most effective way to combat a ransomware attack is not to get hit in the first place, which can only be achieved through closing the gap on attacker sophistication and modernizing defenses. Unfortunately, bureaucratic budgeting and procurement processes will make it impossible for government agencies and towns to keep up with today’s attackers.
Public sector budgets for the following year are typically allocated by July 1st, which means that public sector organisations will firmly remain 18-24 months behind the security curve. Additional funding to replace outdated legacy systems will not be available in the short-term.
Second, ransomware is a profit-driven business and it’s a bull market. Following Baltimore, where a demand of $76,000 was not met resulting in damages of more than $18M, a trend of municipalities forgoing advice of the FBI to not pay attackers has emerged. This trend will likely continue as cyber insurance, which was once considered a nice-to-have, is now a necessity and paying attackers out under claims is far more appealing than damages totaling eight figures.
Attack Sophistication Will Become the New ‘Normal’
Anyone following the latest discoveries on the SolarWinds attacks understands that this kind of scale and sophistication is here to stay. While the line between nation state actors and financially motivated cybercrime organisations is getting blurry, the tactics being used these days have never been seen before.
Stealing a certificate to sign a malicious update for software widely used by federal and state entities to begin with, making a custom DLL for communications while using existing API calls and domains and remaining stealthy for months…these are TTPs that go beyond what most organisations and security software are currently built to resist.
That means all of us, as defenders, must reconsider how we protect. None of the above TTPs can be detected by traditional monitoring and security tools; to detect these one needs to establish a good baseline, to keep on looking for anomalies, to investigate each one and to make sure each and every endpoint has on-device detection mechanisms that are not dependent on traffic or network discovery. If one leaves an endpoint unprotected, it is likely to become an entry point to the rest of the network. In fact, one can find security solutions that rely on this aspect to detect incoming attempts, also known as the deception market.
The take-away for us as defenders is simple: “eat your vegetables” – meaning, start with the basics, ensure a good baseline and detect anomalies, put in layers of defense that can speak to one another and ensure your endpoints are protected with behavioral-based detection to catch it as it happens.
Deepfake Is Coming of Age…And We’re Not Ready For It
Back in the far-far past, before The Fall, there was little yibber about a spesh story that many would have missed if they didn’t sivvy for it. It’s all true true, not a yarn I tell you.
Cloud Atlas and pandemic references aside, the story broke in, made a little noise and then seemed to disappear. This telling of the event by Forbes was published 3rd September 2019, almost a lifetime ago by todays standards.
But it is a significant one nonetheless. A UK based CEO was phoned by the German CEO of the parent company, and ordered to transfer €220,000 to the bank account of a Hungarian supplier. Sounds dodgy, right? Well the UK CEO wasn’t concerned because he happened to know the CEO personally, and recognised “the subtle German accent in his boss’s voice and moreover that it carried the man’s ‘melody’.” The money was duly transferred.
It was only after a second and third subsequent call that the UK CEO became suspicious, picking up on other clues. The criminals had used what researchers believe to be the first instance of AI voice mimicry for fraud, or deepfake.
With us all working from home still for the foreseeable future, and even post pandemic, more likely to work from home for greater parts of the week anyway, this kind of fraud will become more commonplace. People won’t be able to chat to nearby workers, or shoulder tap someone to check if a request is legitimate or not.
The criminals will get better as the deepfake technology becomes cheaper, computers more powerful, and their targets more disenfranchised from their workplace. And so we come to my prediction… In 2021, I believe we will see the first successful video based deepfake phishing attack, resulting in either significant financial or data loss. I really hope I am wrong, but I think all the pieces are in place.
And that right there is a scarysome yarn we can yibber about until the Next Fall.
The Supply Chain Risk Becomes Real for Everyone
So the FireEye/Solarwinds breach at the end of 2020 is still evolving, but the scope of this supply chain attack is staggering. To add to that, the US DOD CMMC regulations really start to be enforced in 2021. Any company that supplies any product or service to the DOD and all of those company’s subcontractors and suppliers must meet CMMC standards. So expect much more robust controls and focus on cyber security in the supply chain.
Here to Stay | May The Remote Workforce Be With You
The shift to a remote workforce in 2020 was one of the single biggest transformations in how people work in the past 100 years. As year compliance and certification audits and CMMC hit in 2021, cyber programs will have to change to really bake in processes in this remote work environment. Items like vulnerability management and visibility on remote internet-only machines will become a mandatory reality for many companies that have struggled to meet these requirements in 2020.
A Change in Perspective | Security As Essential Infrastructure
Another prediction for next year is that security will continue to move away from being considered a liability on the business and growth and instead move toward being viewed as essential infrastructure that can ensure the sustainability of the business.
Judgement Day is Coming for Apple’s Approach to Security
There is a war going on in the Apple ecosystem, though you’d hardly know it from following the usual security feeds. This war revolves around a central philosophical debate in security about which approach is safer, open or closed technology? Apple argues that keeping everybody, including security researchers, out of certain areas of its hardware and software makes the macOS and iOS operating systems safer. Security researchers argue that determined attackers will find a way in anyway, but the closed nature of Apple’s systems means victims may never know they’ve been compromised.
If you’re on the ‘open’ side of the argument, then you’ll be relieved to hear that in the final week of 2020, a court judge ruled against Apple’s attempt to shutdown security research outfit Corellium, although the legal battle will undoubtedly continue into 2021 as Apple seeks to appeal that decision.
Arguably, history also favours the ‘open’ approach as there are countless examples of the failures of ‘security by obscurity’. A couple of examples from 2020: on macOS, Apple’s opaque Notarization system has been bypassed by commodity malware on a number of occasions; on iOS, a researcher wrote a 30,000 word paper earlier this month detailing a zero-click Wifi exploit that could steal user photos. Zero-click? No interaction needed, and the exploit can be triggered over the air.
The £64 million dollar question is: will we see threat actors exploiting macOS and iOS vulnerabilities in the wild during 2021? In my view, given the early state of vulnerability research into macOS Big Sur and unfixable vulnerabilities in a wide range of iOS devices due to checkra1n, 2021 would be an extraordinary year in cybersecurity if we didn’t. Protect your Apple devices in the same way as you would any others. There’s no magic, or security, in obscurity.