By T.J. Minichillo and Celine Gravelines
Cybersecurity, like life itself, underwent cataclysmic changes as COVID-19 spread around the world during 2020. Millions of employees everywhere were suddenly working from home remotely, stretching network perimeters far beyond their organization’s headquarters. To stay afloat amid the economic downturn while supporting their distributed workforce, many organizations had to quickly retool their business strategies and operations.
In the process, IT departments struggled to manage complex security and connectivity issues for workers in far-flung locations, never expecting to support a remote workforce exposing organizational data on such a wide scale and creating a much greater attack surface. While rewriting their playbook for securing company networks and remote endpoints on the fly, many security operations, incident response and adversarial hunting teams lost visibility into their remote endpoint – the gateway to their companies’ crown jewels.
Cyber criminals, meanwhile, took full advantage of the greatly expanded attack surface and pandemic- and economy-related fears by luring unsuspecting remote workers into clicking on malicious email links, seeking to spread malware and exfiltrate individual and company data. Cybercrime is big business, and these bad actors are experts at tapping into human fears, always ready to capitalize on the latest crisis using easily available scamming tools and techniques.
According to SophosLabs, the volume of COVID email phishing scams nearly tripled during March 2020 as worries about the global pandemic escalated.
With the past year as prologue, here are the top cybersecurity trends and threats we see unfolding in 2021:
1. Your Network Perimeter is Now Wherever Data Flows
Just as COVID short-circuited many business and technology strategies last year, the realities of porous home-based work environments and the use of personal devices by remote employees to access sensitive company information significantly escalate the risks of a cyber attack.
As more firms decide to extend remote work in 2021, and as network boundaries inside and outside organizations continue to blur, opportunities for threat actors to steal data, compromise credentials, infiltrate vulnerable networks and exploit weaknesses in public clouds rise exponentially.
With the frequency and severity of risks multiplying due to a greater attack surface, we predict data breaches will inevitably increase among remote workers as organizations attempt to restrict where business data can travel. Threat actors will continue to develop exfiltration malware and use tactics designed to exploit attack surface weaknesses via remote access protocols and unpatched vulnerabilities.
Over the past decade, most organizations focused their operational mindset and IT resources on shoring up their network perimeter to monitor and defend everything within their environment. That optimism eventually wore off, as the enormity of securing every nook and cranny of a network hit home.
Now, the new network perimeter is anywhere and everywhere data goes. With cyber criminals attacking from every direction, and malware often lurking in networks for months or years before being detected, we see more organizations shifting their traditional systems’ focus to one that’s more data centric. Securing email gateways, web gateways and endpoints – and the endless river of data flowing through those channels – have since become a bigger business priority and an even greater challenge to protect.
2. Nation-State Hacks are Bolder
As we enter 2021, the lines are blurring between sponsors of shadowy cybercrime enterprises and those from hostile nation-states such as China, Russia, North Korea and Iran.
Nation-state criminals will continue to target vulnerable supply chains, leverage legitimate remote access services, and use effective phishing tactics to support their nefarious objectives. These well-funded, profitable cybercrime groups and rogue cyber gangs are experts at concealing state involvement or sponsorship.
Cyber criminals will continue to develop hard-to-detect malware to take down their targets, waiting patiently for the right moment to strike. Once data is exfiltrated, cyber criminals try to sell their stolen wares to the highest bidder, whether it’s back to a corporate ransomware victim or to an adversarial nation-state government.
Nation-state criminals are also becoming bolder and using more destructive attacks aimed at targets with the highest payoff potential or the most geopolitical gain. Pharmaceutical companies, hospitals and medical suppliers are particularly vulnerable in 2021 because COVID-related intellectual property – from clinical trial research to vaccine formulas – have enormous value on the dark web.
According to Microsoft’s Digital Defense Report, nation-state cyber attacks in 2020 most often took the form of reconnaissance, credential harvesting, malware and virtual private network exploits. Their most frequently targeted sector last year was non-governmental organizations (NGOs), such as think tanks focused on public policy, international affairs or security. Criminals also zoomed in on professional services firms, government, international organizations, IT firms and higher education. Within the critical infrastructure sector, 60% of nation-state threats were directed at IT organizations, commercial facilities, critical manufacturing, financial services and the defense industrial base.
In these attacks, Microsoft found that nation-state threat actors most often sought trade secrets and intellectual property, government correspondence, proprietary business data, insights into government policy and personal contacts. Their goals: espionage, disruption or destruction of data or physical assets.
Officials suspect Russian hackers were behind the massive FireEye and SolarWinds breaches reported last month, which may have gone undetected as far back as October 2019. So far, the networks of at least six federal agencies, major U.S. corporations including Microsoft and other technology giants, were compromised using extremely covert, never-before-seen cyber tools that zeroed in on a vulnerability in supply chain software widely used by the U.S. government and many businesses. According to FireEye, the malware used in the attack, SUNBURST, can spread itself through lateral movement as well as steal data. The vast unknown: whether the attackers stole data and, if so, the nature of that data and whether the perpetrators are still lurking in compromised systems. Since the attack occurred so long ago, companies may no longer have – if they ever did – the data forensics to help intelligence and cyber experts piece all the facts together.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Office of the Director of National Intelligence are investigating, although Russia has denied responsibility for a threat that CISA calls “a grave risk.”
We predict that data breaches of this magnitude and sophistication by nation-states will not only continue but intensify in 2021 and for years to come.
3. The Rise of AI in Cyber Crime
Another trend that demands greater vigilance this year is the increased use of artificial intelligence (AI) and machine learning to facilitate cybercrime using bot networks and data poisoning attacks as well as for producing deepfakes to commit fraud.
Deepfakes are synthetically created forms of identification that look and sound convincing but aren’t real. These fake IDs range from still images, audio and video to biometrics, such as facial holograms. They can be either machine-generated using AI software or created by humans.
Distinguishing fake from real is becoming one of the most difficult scams to spot and circumvent. CEOs of publicly traded companies are particularly vulnerable to deepfake attacks, since quarterly earnings calls and in-person appearances provide criminals with a rich source of audio and video content for the AI to manipulate.
Last year, a CEO at a U.K. energy firm thought he was speaking to his boss on the phone but was instead interacting with criminals using AI-generated software to impersonate the boss’ voice and speech inflections. This voice deepfake was so convincing that the CEO was scammed out of $243,000.
Criminals have also been known to cobble together fragments of identifiable information about an individual whose data had been breached and to use AI to replicate that person’s voice using audio from YouTube videos.
A study published in Crime Science identified multiple ways AI could be used to facilitate fraud. These were ranked in order of the harm they could cause, the potential for criminal profit or gain, how easy they would be to carry out and how difficult they would be to stop.
Since few technologies exist today to combat deepfakes, we predict fraudulent digital impersonations will continue increasing in 2021.
So, as AI and machine learning become a cyber criminal’s weapon of choice to carry out effective scams, how can anyone retain control over their true identity and protect their company from similar schemes?
Strong security requires a multilayered, defense-in-depth approach:
- Limit access to your voice and images. Deepfake scammers rely on photos, audio recordings and video footage for content. Some biometrics can be spoofed (e.g., fingerprints can be lifted) while physical security tokens and smartphones can be stolen. Behavioral biometrics (such as keystroke dynamics or gait analysis) can be more difficult to crack, providing some of the strongest security. Limit where your likeness appears on social media or turn on privacy functions.
- Safeguard your identity. Multifactor authentication (MFA) requires at least two or more types of verification to confirm that a person is actually he or she who claims to be. More banks and financial services firms are using live images, biometric identification and electronic signatures for authentication. When signing onto a system with MFA enabled, a user must provide at least two of the following methods of authentication:
- Something you know, such as a password or PIN
- Something you have, such as a physical token or code on a mobile device
- Something you are, such as fingerprints or facial recognition
- Trust, but verify. Check the veracity of every email by inspecting the domain of the sender (it could even be your company’s domain if it’s been spoofed). If the message asks you to click on a link, use your mouse to hover over, but do NOT click, on that link to find its true URL. If the URL doesn’t match the domain of the sender’s email, stay clear! Emails can include weaponized attachments containing malware, so don’t click on attachments from senders you don’t know. If the email body copy contains grammar and spelling errors, it’s a dead giveaway of a phishing attempt.
- Create strong passwords. Poor password hygiene habits are still commonplace in the workplace, with 20% of employees using the same password across multiple systems and 42% of employees still physically writing down their passwords. Don’t use defaults for system passwords. Instead, use strong, random password generators that are difficult to crack or guess.
- Use security tools. Install anti-virus software, activate all automated Windows updates to patch security vulnerabilities, set privacy and security settings in frequently used software (e.g., Microsoft Outlook) and enable browsers to block malicious websites on every computing device – from laptops to smartphones.
4. A New Arrow in the Hack-Detection Quiver
Data epidemiologyTM is another security trend emerging on the 2021 horizon. The process of gathering and analyzing information about where your data has traveled, who’s accessed it, on what type of device and whether access was granted or denied is often pieced together only after a phishing campaign or malware attempt that potentially exposed an organization’s data.
Data scientists in the cybersecurity industry are adapting techniques from the world of biological epidemiology to bridge gaps in their own understanding of their organizations’ attack surface by adopting threat modeling frameworks like Mitre ATT&CK, Microsoft STRIDE and the Common Vulnerability Scoring System.
In 2021, challenges will remain for organizations to quickly understand exposures related to data exfiltration malware and whether their data was compromised somewhere in their supply chain.
Because data will inevitably travel outside their control where they have zero visibility, most organizations have difficulty answering questions such as, “How much data exfiltration malware is actually affecting our customers week over week, and how much of that are we detecting? What percentage of our customers’ computing devices are infected with undetected malware? How many spearphishing emails go undetected where sensitive data was compromised?”
Many firms have implemented Security Event and Information Management (SEIM) designed to correlate disparate data points and are now adopting incident response automation through Security Orchestration, Automation and Response (SOAR). These technologies can enable businesses to quickly collect and analyze large amounts of data from various sources about potential security threats, then prioritize incident responses based on the perceived threat level. SOAR can also be used to react to and act against detected phishing, malware or other cyber threats transmitted on a network and endpoints.
We predict SOAR will find a place in more cybersecurity professionals’ threat hunting tool kit this year for increasingly valuable insight and to take automated action when seeking the proverbial needle in a haystack. If data epidemiology about where data has traveled outside of controls is not factored into a SEIM correlation engine, however, organizations will keep struggling to implement response automation with technologies like SOAR.
Because data is the lifeblood of every organization, it has become the high-value target of choice for threat actors. With remote workers stretching the limits of their organizations’ boundary-less network perimeters and bolder nation-state attacks to steal data, the risks of a serious breach have never been greater.
Realistically, no one can – nor should they – stop data from streaming in and out of an organization. To run efficiently, every business depends on the constant ebb and flow of information. What we can control, however, is shrinking a company’s attack surface, empowering data to protect itself wherever it travels and arming cybersecurity teams with deep data visibility and control to never again lose sight of their organization’s crown jewels.
Considering the severity and scope of the latest cyber attacks, we predict more U.S. firms and government agencies will re-architect their security and breach-prevention strategies in 2021.
Fortunately, technology exists today that makes virtually any type of data — whether it’s an email, Word document, text file, photo, audio recording or video — un-stealable, easily and affordably.
Last year, Keyavi launched a market first: multilayered encryption technology that enables data to self-protect using intelligence embedded in the data itself. This groundbreaking technology makes real-time decisions about where data is being accessed, by whom, when, how and on what device – and prevents unauthorized access forever, regardless of where data is stored or where an employee works. Should an unauthorized user try to gain access or steal data without appropriate permission, the data self-protects, much like a scene from “Mission Impossible.” Any data shared with third parties – be they business partners, contractors or suppliers – stays locked down yet retains collaborative flexibility.
Our technology also embeds powerful forensic reporting capabilities, such as possession, custody and control logging into our toolsets. Keyavi customers get deep forensic insight through documentation of successful and unsuccessful access attempts on Keyavi-provisioned systems as well as “chain of custody” control.
Learn more from T.J. and Celine about how to reduce your attack surface from this on-demand webinar.
T.J. Minichillo is Keyavi’s chief information security officer (CISO) and VP of cyber threat & intelligence. He is a nationally renowned cybersecurity and intelligence expert, helping to detect and thwart many of the world’s significant cyber threats. He has held strategic intelligence roles in financial services, the military and energy, including global head of threat intelligence at both National Grid and Morgan Stanley, deputy director at Citigroup’s Cyber Intelligence Center, chief cyber intelligence officer at Merrill Lynch, and senior intelligence special agent at the Department of Defense. Follow him on Twitter and LinkedIn.
Celine Gravelines is Keyavi’s director of professional services and a senior cybersecurity analyst specializing in security research. Her expertise includes policy development, incident response, data classification, security metrics and threat intelligence. Follow her on LinkedIn.