It’s December, so you know what that means: Predictions for what’s to come for cyber in 2021. We brought together a number of IronNet experts, from executives to researchers, to speculate on what the Year of the Ox has in store for the cyber world.
From Anthony Grenga, Director of IronNet’s Security Operations Center:
1. 2021 will be the year of the client-side exploit
During pre-COVID and early COVID, there was a large spike in client side exploitation and COVID-related phishing. We saw a 300% increase in card skimming as most new work-from-home employees experienced a disruption in what was considered normal productivity, including a lot more eCommerce traffic. Then, during COVID and even now, as the VPN and remote access noise drastically increased due to extended remote work, N-Day remote access vulnerabilities were the soup du jour (Citrix Gateway, Pulse Secure, Fortigate, and others). We observed warnings from CISA / FBI and NSA to update these vulnerabilities that came out almost a half a year ago, but were already being abused heavily by attackers living off the land.
2. Ransomware will evolve to “access as a service”
Ransomware might have almost doubled from $11.5B to $20B in damages in 2020, but the cybersecurity community predicted this increase, so the ridiculous cost was mundane. Ransomware will continue to play a major role in 2021 with the steady move to “access as a service” and access marketplaces, where skilled attackers not willing to take the heat of monetizing their efforts will move to underground forums to sell off implants and credentials that will likely get flipped to ransomware deployments.
From Jon “JP” Perez, IronNet’s Director of Emerging Threats & Detection Research:
3. COVID will put job seekers at risk
To no one’s surprise, I’m sure we’ll be seeing a strong continuation of COVID-themed attacks — phishing (information stealing), apps, malspam, etc., — as treatments and vaccines become available and users become more vulnerable to that type of pretext.
I would also predict that in 2021 we will see an increase in resume or job-seeker-themed attacks as the pandemic continues. Much like sectors that have become vulnerable due to the outbreak, malicious actors will catch on and start targeting groups/demographics that have been impacted and as a result will be easier to attack.
4. Old malware will continue to morph, and new vulnerabilities will emerge
Offense will overcome defense, defense will then detect and negate offense, over and over. More discovery of APT-like attacks that weren’t previously known publicly will continue from time to time as well. In 2020, we saw Drovorub and XDSpy come to light, both of which were significant, and in October, a new UEFI rootkit that’s suspected of Chinese parentage. There will always be more malware out there that nobody knows about. Could be more traditional firmware/router/printer/IoT/etc implants. It could be alternative exfil/C2 methodology, involving things like sound, light, heat, or electrical field transmission media or even detection and disclosure of something usurping other (i.e. non-DNS) legit protocols for exfil/C2 paths, that has gone undetected for years.
In 2020, as always, some of the old (i.e. Emotet, Taidoor) has become new again, and ransomware has evolved from a blind, automated forget-and-fire to a more tailored/custom set of techniques, sometimes including evolution into low-level anti-detection techniques (i.e. more in-memory, disk I/O without timestamp modifications, etc.). This is a trend we will see evolve even more in the new year.
Things don’t truly go away, especially APT-type and criminally-lucrative items, they just lay low for a bit then change infrastructure and keep evolving to evade current detection scenarios until they’re caught again. Once they’re detected, various security groups are adept at illustrating the modified versions of software components, and illustrating commonality in code sequences within them, when that occurs.
From John Ford, IronNet Cyber Strategist & Former Healthcare CISO:
5. Changes to HIPAA regulations will be debated
We have to take a long, hard look at our current healthcare cybersecurity regulations and consider an update to HIPAA. With the advances to telehealth capabilities prior to COVID-19 many providers had to wrestle with maintaining compliance to HIPAA, but once the pandemic flipped the world on its head, decisions such as providing necessary care or complying to a regulation put providers in a difficult position. The fact that they went to medical school to practice medicine and not become compliance experts needs to serve as a reality check for the healthcare industry. When an event of this magnitude takes place, any precautionary measures that were being taken go out the window to save lives. It is true that certain HIPAA safeguards were relaxed but now that telehealth has become the norm, is it not the time to modify components of this regulation? It’s time for regulators to go back and say what did we learn from this type of environment that should be incorporated into our existing privacy and security safeguards? If not, I suspect there will be a groundswell of discontent amongst the provider community.
6. The Internet of Behaviors (IoB) will make its official debut
There is a relatively new concept called internet of behaviors (IoB), and while we’ve heard whispers of it this year, in 2021 we will see the use of IoB really take hold. Its ability to influence our emotions, decisions, perceptions, and may seem a bit too “big brother” for our comfort, but in these uncertain times, I wouldn’t be surprised if we see it play a major role in efforts to return to work…and once it’s introduced the applications will only grow.
For instance, as we return to a modified office environment, companies may introduce the use of cameras at workstations to help them monitor employees’ behaviors for items related to social distance practices, and mask wearing adherence. The IoB application would then be able to use the camera to trigger an email reprimanding the employee. Even if you can see the need here, the bigger question becomes how far will they take it? What if this extends to work-related screen time, or water-cooler discussions? Monitoring for COVID restrictions will our workplace norms even though the intent is not to do so. And this could also be applied to remote workers to some degree which could open the door to a host of emotional and privacy issues especially for those who cross paths with European organizations.
7. Cyber will finally be considered a national emergency
Near-term updates to DFAR’s 252.204-7012 through an interim rule, and the progression of the Cybersecurity Maturity Model Certification (CMMC), speak to acceptance that cybersecurity attacks in the Department of Defense (DoD), and the Defense Industrial Base (DIB) have risen to the level of a national emergency. DoD’s reliance on the private sector has been acknowledged for years; however, the number of small firms supporting the prime contractors may have been overlooked in terms of the vulnerabilities they represent to these contracts and ultimately to the mission of DoD.
I fully believe that the DFAR’s interim rule is the path forward, but I also believe that these small firms will need significant financial relief and helping hands from services organizations to achieve the levels of maturity aligned to the work they are performing. The notion that full rollout of CMMC will take an estimated five years still signals areas of significant risk – so we need to get to work now with these firms and help them on their maturity journey.
From Brett Williams, IronNet Chief Operating Officer:
8. Collaboration will increase among adversarial groups
At the nation-state level, the recent reporting to the public about China’s focus on critical infrastructure attacks rather than the typical theft of intellectual property is significant. DHS is seeing enough of these types of attacks to make them publicly known. To me, this shows that nation-state adversaries aren’t giving the US any more “away games,” and are instead bringing the competition to the U.S. playing field. This changes the dynamic significantly because our public isn’t prepared to deal with this level of involvement, if the first blows are struck at home. It shouldn’t come as a surprise to say that people would freak out if they lost Netflix for a day, so we certainly can’t afford something more serious that would disrupt their lifestyles or livelihood in a more impactful way with an attack on the electrical grid or a serious disruption to the financial sector.
What we’re seeing is shared expertise between nation states when, for example, Iran is adopting more of a Russian and Chinese approach where the lines are blurring between government and private sector criminal activities. Tools are increasingly being shared and the same infrastructure is being used, meaning a country like Iran has more resources and can become more aggressive in their coordinated attacks. This strategy will only continue to evolve, making the imperative for effective public/private information sharing more important to counter a threat that is certainly working in concert with other adversaries.
9. Ransomware will evolve into large-scale extortion
Ransomware and extortion will get more sophisticated. Extortion is an extension of ransomware, and people are going to increasingly realize that you can extort major companies with complex logistics for example, (i.e. shipping industry, manufacturing, etc.) by holding those systems at risk and demanding money to get them back up and running. In the past, ransomware typically just locked systems up in the first 90 seconds of the event. Now attackers are getting into the networks, exfiltrating the data they want so they can encrypt it not only to charge to get it back, but also threatening to leak it if the ransom isn’t paid. We’ve seen how effective this strategy is over the past year and there’s a potential to see this applied in a sophisticated way to affect business operations.
From Jamil Jaffer, IronNet’s SVP for Strategy, Partnerships & Corporate Development:
10. Disinformation remains mainstream — and not well managed
After the 2016 election, we learned about the very real threat posed by Russian disinformation. Yet over the past four years, including during this election cycle, we continued to fall prey to it, and our elected officials (as well as those running for office) amplified these efforts through their own conduct. And while the 2020 election was largely unaffected with direct electoral manipulation, it — along with the COVID pandemic — demonstrated that other key players, including the Chinese and the Iranians, are entering the ring to engage in active disinformation efforts. There will almost certainly be another reckoning coming out of this election cycle and its aftermath, including the ongoing judicial challenges to ballots, as confidence in our electoral system, our elected officials, and our rule of law institutions continues to be undermined.
Moreover, the U.S. will likely see more disinformation associated with the post-election period than we did in 2016. The question is, To what end? Given that the election outcome remains indeterminate and it is shown, down the road, that foreign influence played a role in undermining confidence in the system (as it undoubtedly will), there will continue to be very difficult conversations about how to address these threats. The last thing that ought to be done, however, is short-sighted regulation targeted at America’s most innovative sector or ham-handed efforts at speech suppression. Rather, we ought to identify concrete ways to make our population more resilient to such covert influence operations as well as encouraging platforms and popular media sources to provide more information on who is speaking out and access to reliable information when facts are in dispute. To effectively address these threats, we must come together to collectively defend as a nation against these threats instead of falling prey to the very division our adversaries hope to sow within our population.