You’ve heard it before: the pandemic accelerated digital transformation. And there doesn’t seem to be any signs of slowing down. But what does an increasingly agile and hyper-connected world mean for an organisation’s security? Trend Micro Research predicts the biggest threat and security challenges for the new year and we explore how a unified cybersecurity platform like Trend Micro One can enable a more resilient, forward-thinking security strategy to manage cyber risk across the enterprise.
Cybercriminals in the cloud
Although cybercriminals will continue to use tried and true methods, such as phishing emails, unsecured secrets, and exploiting known flaws, they will also explore new technologies like Java, Adobe Flash, and WebLogic to gain access.
Cybercriminals will also mimic the DevSecOps “shift left” approach by going to the source of an enterprise’s infrastructure. We’ll see more malicious actors compromising DevOps tools and pipelines to target software supply chains, Kubernetes environments, and infrastructure as code (IaC) deployments.
Targeting the software supply chain is an efficient way for cyber criminals to broaden their victim pool and leapfrog their attack. There are many opportunities for attack during the software development lifecycle: from committing the open source code, to building and testing, then deployment and staging in other pre-production environments, and finally, deployment to a production environment. Throughout this lifecycle, developers leverage different tools and services, expanding the attack surface. Furthermore, since DevOps pipelines hold the keys to the castle, attackers are more likely to target popular development software like Kubernetes to help them stay under the radar while penetrating multiple layers of an enterprise’s network.
Surge in supply chain attacks
Supply chain attacks will be especially prevalent, as ongoing economic shortages and disruptions will create opportunities for malicious actors to strong-arm targets for big payouts. Particularly, we predict access-as-a-service (AaaS) brokers will take special interest in gaining residence and selling it to the highest bidder.
Next, look out for the rise of quadruple extortion model: holding the victim’s critical data, threatening to leak and publicise the breach, threatening to target their customers, and attack the victim’s supply chain or partner vendors.
Beware of modern ransomware
With ransomware extortion amounts doubling, it’s no surprise 92% of respondents from our global risk survey said they’re concerned about ransomware in the future. And rightfully so—in 2021, Trend Micro blocked over 94 billion threats, a 42% increase in detections from 2020.
In 2021, we witnessed enterprises being targeted for lucrative payouts, while small and medium-sized businesses (SMBs) were exploited by ransomware as a service (RaaS) groups.
Unfortunately, ransomware will continue to evolve and remain prevalent. We predict two trends emerging: (1) modern ransomware will become increasingly targeted and prominent, mimicking traditional nation state APT attacks and (2) ransomware operators will use more complex extortion tactics such as exfiltrating data to weaponize it.
Commonly used attack vectors like VPNs, spear-phishing emails, and exposed RDP ports will remain in play, but we predict the cloud will become a bigger target as more companies continue to migrate their data. Specifically, cloud and data centre workloads will be the main playground for ransomware actors, due to an increased attack surface from less-secure homeworking environments.
Zero day and known vulnerabilities
Increased media attention and big payouts will motivate cybercriminals to launch an unprecedented number of zero-day exploits, surpassing the record-setting number in 2021.
However, security leaders still need to look out for older, known vulnerabilities. As we previously mentioned, old vulnerabilities are still traded and purchased in underground markets, as enterprises often struggle with complex patch management. In 2022, we’ll see malicious actors continuing to take advantage of the growing “patch gap” within enterprises.
Compromising the connected car
The automotive industry will also see an uptick in targeted attacks, as cybercriminals move beyond hijacking IoT gadgets and cash-in on the goldmine of data delivered by connected cars via cameras, lasers, and other sensors. Forbes predicted the demand for smart car information will be valued around US$450 to US$750 billion by 2030; evidently, malicious actors are poised to turn a hefty profit from the booming connected car industry.
Future-proofing your security strategy
Understanding the current trends of cyberattacks is the first step to establishing a strong cybersecurity strategy. Next, you need a security strategy to effectively address continuously evolving threat trends and cyber risk across your enterprise. As a part of that strategy, the use of a unified cybersecurity platform with broad third-party integrations that fit into your existing security stack can be very effective. Look for a platform with the capabilities to support these three cyber risk mitigation strategies:
1. Attack surface management (ASM)
Software supply chain and other types of attacks can seem daunting, especially since the majority of proprietary software includes open source code, which is notoriously difficult to manage and introduces significant potential risk. Introducing attack surface management (ASM).
According to Tech Target, “attack surface management is the continuous discovery, inventory, classification, and monitoring of an organisation’s IT infrastructure.” The difference between ASM and asset discovery and monitoring is ASM evaluates security gaps from the attacker’s perspective.
By approaching security from the eyes of an attacker, organisations can better prioritise and address risky areas of the attack surface. As the attack surface is constantly evolving and expanding, it’s critical to continuously monitor your environment to prevent vulnerabilities from going unnoticed. Regular testing will shore up any potential risks such as weak passwords, unpatched software, encryption issues, misconfigurations, and any pesky Shadow Cloud within the development lifecycle.
Ideally, you should select a platform that can help you discover and understand the risks of your attack surface, giving you comprehensive visibility as it continuously changes. This is especially important if you’re building in a multi- or hybrid-cloud environment with resources living in disparate environments. Leveraging automation, ASM will ensure your organisation’s attack surface is secure, without slowing down development workflows, enabling developers to meet business objectives.
2. Ransomware mitigation
We often get asked: “Should I pay the ransom?” In an ideal world: no. It perpetuates the crime and proves you’re a victim willing to pay, which puts a bigger target on your back. However, during a crisis, it can be challenging to thoroughly explore all options. Just like cybercriminals plan an attack, enterprises need to plan a response.
It’s crucial to establish a ransomware playbook addressing the entire impact across all stakeholders, how to mitigate operational risks, ensure business continuity, and even ransomware negotiation strategies. This typically includes using cyber insurance, which now require the use of advanced detection and response capabilities in order to qualify for coverage.
Another popular question is: “What are the early warning signs of a ransomware attack?” Remember, ransomware is a post-breach attack, so stopping the initial access is the top priority but being able to also see what’s happing across the attack surface and being able to detect and respond fast is critical.
The zero trust approach is a great way to keep the bad guys out. Follow the mantra “never trust, always verify” before granting users, devices, and applications access to your network. After initial validation, remember to continuously monitor users, devices, and applications for the usual tactics, techniques, and procedures (TTPs) used in a traditional breach, such as unusual sign-on attempts from multiple locations at the same time.
You can’t stop what you can’t see. To successfully apply the zero trust approach, choose a unified cybersecurity platform that provides comprehensive native visibility across endpoints, email, network, servers, and cloud. Look for a platform with XDR capabilities to collect and correlate data from native sensors and across your IT ecosystem for deeper insights and less false positives, enabling security teams to use their valuable time investigating the most critical alerts.
3. Vulnerability and patch management
2021 was a record-breaking year with over 80 zero-day vulnerabilities used in attacks. Effective vulnerability management starts with hardening admin, critical app, and database accounts with MFA, patching, and advanced detection technologies like machine learning, AI, and behaviour monitoring.
Patch management is very important and oftentimes very difficult for organisations to manage. The sheer volume of patches is overwhelming—it seems every Patch Tuesday has nearly 100 patches. And that’s just Microsoft’s patches. If you’re using several vendors, it can seem nearly impossible to 1) decide what to patch and 2) actually patch.
The rapidly shrinking time to exploit doesn’t help patch management either. In previous years, it took 30-45 days on average before you would see a vulnerability in the wild or a proof of concept (POC) was created on a disclosed vulnerability. Today, this all happens within hours, giving organisations less time to react.
Preparation is key. Like the ransomware playbook, establish a patching action plan is crucial, so you can react quickly and limit the scope of the attack.
Don’t approach patching as a “defend all or defend none” situation. Evaluate which area can do most harm if infiltrated so you can prioritise protecting and understanding the vulnerabilities associated with your critical data, systems, and hardware. Also look for risk mitigation options like virtual patching that can shield vulnerable systems from attack until patching can happen.
For additional insights into Trend Micro One security capabilities, click here. You can also check out the following resources to learn more about attack surface management and cyber risk.