The Threat Landscape
It was a staple element of old war movies. They always included a scene set in command HQ with officers huddled around a plotting table displaying a map. Using tools like a croupier’s rake, they moved models of planes, tanks, ships, and men around the map. They were trying to track the location of their resources, and those of the enemy so that they could double-guess and out-maneuver the enemy.
The cybersecurity threat landscape is like that map. Some of your defenses are arrayed at the perimeter of your network and some are sited deeper within your network. Others are deployed at any remote or cloud locations you are responsible for. The threat actors are moving on the landscape. They are looking for networks with vulnerabilities that they can compromise. They are mounting email phishing attacks and trying to directly manipulate the people on the inside of your network.
The threat landscape isn’t static. Sure, some old favorite cyberattacks are still alive and well and making money for the threat actors. But new threats are developed, existing threats are improved, and new vulnerabilities are discovered all the time.
No one who lived through 2020 will ever forget it and the changes it brought to our work lives and home lives. And 2020 changed the threat landscape too. Along with the massive shift to working from home under lockdown, the COVID-19 pandemic gave email phishing campaigns a new and compelling topic for the subject lines of their malicious emails. Cyberattacks leveraging the new normal will continue.
Not all innovation in the cybercriminal’s camp is COVID-19 inspired though. These are the trends to watch out for in 2021.
More Cyberattack Automation and AI
Some cyberattacks are targeted directly at the victim. The ransomware attacks on health facilities and hospitals during the COVID-19 pandemic were—in the threat actors’ eyes—nothing more than an opportunity to make money. They reasoned that the hospitals would take the path of least resistance and accept the penalty of the ransom if it was the fastest way to get their systems back online.
Other targets are not selected in advance. They inadvertently nominate themselves as victims by having detectable vulnerabilities. Automated software scans IP addresses and looks for common, open ports. These ports are probed and further information is deduced from the responses. Default passwords and other tricks are tried on them. If the software finds a vulnerability that can be exploited, it is reported to the threat actors.
AI is making these types of vulnerability scanning and probing packages much smarter so that they require less human interaction. In terms of connected devices, the internet is growing all the time. According to Cisco, in 2021 there will be 27.1 billion internet-connected devices. The cybercriminals have no choice. They can’t manually sift through that. Dumb scanning won’t cut it either. They have to use smarter techniques and smarter applications.
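The automated probing described above leaves a recognisable trace on the defender's side: one source touching many distinct ports on one host in a short time. The following detection logic is an added example, not code from the original article; it assumes a constructed firewall log format of `<epoch> <src_ip> <dst_ip> <dst_port> <action>` and constructed sample lines.

```python
"""Flag sources that probe many distinct ports on a host within a time window.

Added example (not from the article). Assumes a constructed log format:
"<epoch> <src_ip> <dst_ip> <dst_port> <action>". Both DROP and ACCEPT are
counted, because probes against closed ports are still probes.
"""
from collections import defaultdict, deque

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
1609459200 203.0.113.7 198.51.100.10 22 DROP
1609459201 203.0.113.7 198.51.100.10 23 DROP
1609459202 203.0.113.7 198.51.100.10 80 ACCEPT
1609459203 203.0.113.7 198.51.100.10 443 ACCEPT
1609459204 203.0.113.7 198.51.100.10 3389 DROP
1609459205 203.0.113.7 198.51.100.10 8080 DROP
1609459210 192.0.2.44 198.51.100.10 443 ACCEPT
1609459260 192.0.2.44 198.51.100.10 443 ACCEPT
1609459900 203.0.113.7 198.51.100.10 25 DROP
"""


def parse_line(line):
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def find_scanners(log_text, window_seconds=60, min_ports=5):
    """Return {(src, dst): max distinct ports seen} for pairs that hit at least
    min_ports distinct destination ports inside any sliding window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) in window
    alerts = {}
    for ts, src, dst, port, _action in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        # Expire events that fell out of the window (events are time-sorted).
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in window")
```

Tune `window_seconds` and `min_ports` to the traffic profile of the host; a busy web server legitimately sees many sources, but a single source touching dozens of ports is rarely benign.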
AI is already in use in some attacks on social media, with chatbots posing as real humans and eliciting information from victims. Spear phishing attacks are more labor-intensive than regular phishing attacks. A phishing attack is a generic email sent to thousands of potential victims. It carries a malicious attachment or a link to a malicious website. These attacks harvest user credentials and install malware such as ransomware and remote access trojans (RATs).
By contrast, a spear-phishing attack requires a conversation to be conducted. Typically, the threat actor poses as someone in a senior position within the organization. They email someone in the finance department and try to get them to make a transfer of funds, ostensibly a bona fide but urgent business transaction but in reality, the money is sent to the cybercriminal’s account. A variant sees the threat actor trying to coerce a specific individual to log into a specific—high value—account so that they can harvest their credentials.
Without automation, these attack models don’t scale. Without AI the email conversation isn’t going to be sufficiently convincing to entrap the victim.
Attacks Due to Homeworking Will Rise
The COVID-19 crisis didn’t just drive the massive change from a mostly on-premises workforce to a mostly off-premises workforce—it made that change happen with urgency. For businesses without the infrastructure already in place, this meant a scramble to try to implement a robust solution. Others did what they had to do to comply with government directives and healthcare guidelines in the time they had. The result was a stopgap solution that they intended to come back to and improve once the initial dust of the exodus had settled.
Both of these approaches have risks, the latter more clearly than the former. Once something is in and working it can be difficult to return to it and restructure it, replace it, or even reconfigure it. And even more so if it is seen as a temporary solution. So there is a concern about the rigor that was brought to bear on some of the remote working solutions that were hastily implemented.
There’s also an issue with supporting a mixture of corporate and domestic devices. If the newly-remote staff have to use their domestic computer to connect to your corporate network or cloud you can be faced with issues such as unsupported operating systems and poor or no endpoint security suite.
Data protection and privacy policies might need to be revisited if company-sensitive or personal data is being processed at new locations—like employees’ homes.
In 2021, maintaining cybersecurity will continue to be challenging because the attack surface and number of remote devices have increased, and it is more difficult to enforce policies on remote workers. It’s also difficult to tell someone what they must do with their own computer, although few would balk at a free copy of the corporate endpoint protection suite.
Cyberattack Fatalities
With cyberattacks aimed at critical infrastructure and services like hospitals, energy generation plants, and transport hubs it was only a matter of time before someone lost their life.
On Sept. 9th, 2020, Düsseldorf University Hospital was hit by a ransomware attack. A female patient was scheduled for life-saving treatment that couldn’t be delayed. The ransomware attack left the hospital unable to perform the procedure so she was transferred by ambulance to a hospital 19 miles away in Wuppertal. Sadly the patient died before the treatment could commence at Wuppertal. The as-yet unidentified cybercriminals will face charges of negligent homicide.
Advanced Persistent Threat groups (APTs) are likely to target critical infrastructure in a serious cyber offensive. The potential for loss of life is tremendous. But it doesn’t take a state-sponsored hacking unit to cause tragedies. There is some suspicion that the cybercriminals responsible for the Düsseldorf University Hospital attack had messed up and hit the wrong target. They may have been intending to infect a completely different university.
With cyberattack tools readily available on the Dark Web—and in some cases on the clear web—and the source code for proof-of-concept exploits on GitHub, anyone with criminal intent can join the cybercriminal fraternity. That’s putting life-threatening capabilities in the hands of anyone reckless enough to use them.
The Internet of Things Will See Security Improvements
Unfortunately, because of the low price and the drive to make the devices as easy as possible to fit—another selling point—security gets trimmed back, bolted on as an afterthought, or completely ignored. This makes them an easy stepping stone into your main network.
The U.S. government signed off on the Internet of Things Cybersecurity Improvement Act of 2019, which will bring into force standards that include “minimum information security requirements for managing cybersecurity risks associated with [IoT] devices.”
Similarly, the government of the United Kingdom is finalizing a Code of Practice for Consumer IoT Security aimed at regulating the cybersecurity of IoT, comparable to the State of California’s Information Privacy: Connected Devices.
You can take steps right now to tighten your IoT security. Make sure the default passwords are changed to unobvious, robust passwords, and don’t use device names like camera_1, camera_2, and so on. Ensure devices are regularly updated with security patches from the vendor and don’t use devices from vendors who don’t provide security patches. Create a separate Wi-Fi network for your IoT device, much like your guest Wi-Fi network for visitors.
Ransomware Incorporating A Second Blackmail
With more organizations having solid, rehearsed cyber-incident plans that make recovery a relatively calm process of following a playbook, many victims are less likely to hand over the ransom to the threat actors. To counter this, the ransomware isn’t triggered immediately. It is delayed until the threat actors are convinced the malware is in the backups.
Meanwhile, the threat actors exfiltrate company confidential and sensitive information. They threaten to release the proprietary information into the public domain if the ransom isn’t paid.
Immutable backups will protect the integrity of your disaster recovery capabilities, but that doesn’t prevent the public posting of your private information.
The answer is to avoid infection in the first instance. This means staff awareness training in cybersecurity. Business email compromise (BEC) is still—by far—the most common method of distributing ransomware. Your staff answer business emails day in and day out, so it only makes sense that you invest in their ability to defend your business and, potentially, their livelihoods.
Cloud Attacks Will Continue
In the scramble to accommodate the sudden need to work from home, some companies took the decision to use that as an opportunity to move to the cloud. Why put the budget into creating a remote working infrastructure if the cloud was on your roadmap? It makes sense to go straight to the cloud and cut out the temporary middle step.
That’s a sound plan—if you have time to properly understand and configure your cloud solution, and can properly appraise and select the right tools and platforms. If you only know enough to just about get it working, you don’t know enough to make it secure.
Online databases are also often left wide open, usually due to human error or IT personnel not knowing the implications of changes they make. French newspaper Le Figaro accidentally exposed 7.8 billion records of personal data to the outside world due to an Elasticsearch database administration error.
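The kind of administration error described above usually comes down to a node bound to a network-facing address with authentication left off. The audit below is an added example, not code from the article or from Elastic; it assumes a flat `elasticsearch.yml` of top-level `key: value` lines, treats an absent `xpack.security.enabled` as disabled (the 7.x basic-licence default), and uses constructed weak and hardened configs.

```python
"""Audit a flat elasticsearch.yml for unauthenticated network exposure.

Added example (not from the article or Elastic). Assumes top-level
"key: value" lines only; nested YAML blocks are out of scope. Setting
names are the real ones (network.host, xpack.security.enabled,
xpack.security.http.ssl.enabled); the two configs below are constructed.
"""
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}

WEAK_CONFIG = """\
cluster.name: example-logs
network.host: 0.0.0.0          # reachable from every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """\
cluster.name: example-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return [(severity, message)] findings; an empty list means no exposure."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")  # Elasticsearch default is loopback
    hosts = [h.strip() for h in host.strip("[]").split(",")]
    exposed = any(h not in LOOPBACK for h in hosts)
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if exposed and not auth_on:
        findings.append(("critical", f"network.host={host} is network-facing and "
                         "xpack.security.enabled is not true: every index is readable"))
    elif exposed and not tls_on:
        findings.append(("warning", "authentication is on but HTTP TLS is off: "
                         "credentials cross the network in clear text"))
    return findings
```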
As well as the personal data breach implications and the fines from data privacy watchdogs, this type of breach can be used to inject ransomware into the cloud system, or to distribute malware to the remote end-users of the database.
Cybersecurity is an Endless Process
Cybersecurity is an ongoing process for vendors of security products, cybercriminals, and security professionals alike. It’s easy to make predictions but difficult to get them right. Based on previous actions and behaviors of the threat actors, the effects of the pandemic, and the emerging technologies such as AI, these are our expectations for the coming year.