2022 trends and predictions from Cybereason’s CEO

Issue 1 2022 Information Security

In the world of cybersecurity, the end of the year brings an avalanche of predictions for what the threat landscape will look like in the year ahead. It’s a fun tradition, but it can also provide valuable insight into coming trends to help defenders be prepared for what’s on the horizon.

As I review predictions from previous years and look at some of the 2022 predictions that are already hitting the Internet, I have noticed that a lot of them are not really ‘predictions’ – they are just a list of buzzwords or topics that are already gaining momentum that someone has put together to ‘predict’ that those things will still be relevant next year. Things like AI/ML, cloud computing, the cybersecurity skills gap and ransomware are not really predictions but instead blatantly obvious. Of course, those things will continue to get attention, but it doesn’t take a security expert or any special insight to ‘predict’ that.

Lior Div.

To borrow a poker metaphor, those topics are table stakes. Looking ahead to what Cybereason and our customers need to be aware of for 2022, it’s important to keep those things in mind, but let us consider the broader threat landscape – and what we are seeing in terms of emerging attacks and current threat research – to identify key risks that defenders need to prepare for.

With that in mind, here are the risks that stand out as unique above and beyond the buzzwords.

RansomOps: The new kill chain

Ransomware as a threat is already established and well known. Ransomware attacks occur on a daily basis and 2021 has seen multiple ransomware events that have had a significant impact. The risk that doesn’t get enough attention and that defenders need to understand is that ransomware has evolved.

It started out as a variant of traditional malware – just a different way for threat actors to make a profit when compromising a target. What we see today is not that simple. We now have ransomware cartels – like REvil, Conti, DarkSide and others – and ransomware is not a piece of malware, but rather comprehensive ransomware operations, or RansomOps, where the execution of the ransomware itself is just the final piece of a much longer attack chain.

There is too much focus on the ransomware executable, or how to recover once an organisation’s servers and data are already encrypted. That’s like fighting terrorism by focusing only on the explosive device or waiting to hear the ‘boom’ to know where to focus resources.

RansomOps take a low and slow approach, infiltrating the network and spending time moving laterally and conducting reconnaissance to identify and exfiltrate valuable data. Threat actors might be in the network for days, or even weeks. It’s important to understand how RansomOps work and be able to recognise Indicators of Behaviour (IOBs) that enable you to detect and stop the threat actor before the point of ‘detonation’ when the data is actually encrypted and a ransom demand is made.

Supply chain – amplifying reach of attacks

This also doesn’t feel like much of a ‘prediction’ at face value. IT professionals are very familiar with the concept of a supply chain attack thanks to the SolarWinds attacks. You need to have a broader perspective on the concept of supply chain, though. It is not always a function of compromising a device or application that is then distributed to others down the chain.

It would be more accurate to call it ‘low hanging fruit’. SolarWinds is one example of a threat actor finding a way to compromise one company and leveraging that attack to allow them to compromise the customers of the initial target. Our research into DeadRinger (www.securitysa.com/*cr1) and GhostShell (www.securitysa.com/*cr2) illustrates examples of a different approach with a similar outcome. Threat actors gained access to telecommunications providers, which then enabled them to access and monitor communications for customers of those providers.

In both cases, the concept is the same. There is a growing trend of threat actors realising the value of targeting a supplier or provider up the chain in order to compromise exponentially more targets downstream. Rather than attacking 100&nbps;or&nbps;1000&nbps;separate organisations, they can successfully exploit one company that unlocks the door to all the rest. It is the path of least resistance.

The attacks we have seen have been part of cyber espionage campaigns from nation-state adversaries. Those attacks will likely continue and we will see a rise in cybercriminals adopting the strategy as well. Companies that act as suppliers or providers need to be more vigilant and all organisations need to be aware of the potential risk posed from the companies they trust.

Microsoft: living with the Microsoft risk

The simple truth is that in one way or another, Microsoft products are directly involved in the vast majority of cyber-attacks (www.securitysa.com/*cr3). Threat actors invest their time and effort identifying vulnerabilities and developing exploits for the platforms and applications their potential victims are using. Microsoft has a dominant role across operating systems, cloud platforms and applications that make it fairly ubiquitous.

By developing software riddled with vulnerabilities and not always accepting responsibility or acting to address issues, Microsoft bears some responsibility.

However, it is not always a matter of exploiting vulnerabilities. Google analysed 80 million ransomware samples (www.securitysa.com/*cr4) and determined that 95% were Windows-based executables or DLLs. Only about 5% of the samples actually used exploits, but most of those targeted Windows as well.

Microsoft will continue to be the primary focus for cyber-attacks in 2022. That isn’t really a revelation. Defenders need to understand the risk of relying on Microsoft to protect them when they can’t even protect themselves. Organisations that depend on Microsoft for security will find themselves making headlines for the wrong reasons.

I’m not suggesting that organisations not use Microsoft products or services, but it is important to understand the risks and have a layered approach to defending those products and services against attacks.

Cybersecurity is national security

The line no longer exists between national security and cybersecurity. Sometimes a nation-state adversary attacks a private company as part of a broader campaign. Russia did it with SolarWinds. China did it with HAFNIUM. Iran did it with GhostShell. Sometimes, cybercriminals launch attacks with national security implications. The flow of oil and the food supply chain were both seriously disrupted in 2021 by ransomware attacks.

What we need to be aware of as we go into 2022 is the increasing cooperation and collaboration between these threat actors. Nation-state adversaries are not directly controlling many of these operations, but a combination of state-sanctioned, state-condoned and state-ignored attacks create an environment where failure to act is equivalent to tacit approval and indicates that even if they are not actively working together, their objectives are often aligned.

The US government has made progress and will continue to work to improve the cyber defences of federal agencies. They will also coordinate efforts with private sector tech and cybersecurity companies, as well as nation-state allies around the world to address the Cyber Cold War, protect effectively against threats and work together to bring threat actors to justice.

XDR: improving protection with AI

With the shift to work-from-home or hybrid work models, the rollout of 5G wireless and the explosion of IoT (Internet-of-Things) devices, virtually everything is connected today. This connectivity provides a variety of benefits in terms of productivity and convenience, but it also exposes organisations to significant risk which makes Extended Detection and Response (XDR) crucial.

The question is, “What is XDR?” Many vendors have an offering they are calling XDR, but not all XDR is created equally. There is almost universal agreement that XDR is the next thing, but the definition of what XDR is and the best way to achieve it is still being debated.

The industry will reach some consensus in 2022 and leaders will emerge as the dust settles some in the XDR market. Regardless of how we define XDR, the scope and volume of threats demands that artificial intelligence (AI) plays a central role in making it effective.

Get ready for 2022

Hopefully, these insights will help you prepare more effectively for the cybersecurity challenges you will face in 2022. The threat landscape is constantly shifting, but understanding how threat actors think and having insight into emerging trends enables you to stay ahead of the curve and defend more effectively.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

Create order from chaos
Information Security
The task of managing and interpreting vast amounts of data is akin to finding a needle in a haystack. Cyberthreats are growing in complexity and frequency, demanding sophisticated solutions that not only detect, but also prevent, malicious activities effectively.

Trend Micro launches first security solutions for consumer AI PCs
Information Security News & Events
Trend Micro unveiled its first consumer security solutions tailored to safeguard against emerging threats in the era of AI PCs. Trend will bring these advanced capabilities to consumers in late 2024.

Kaspersky finds 24 vulnerabilities in biometric access systems
Technews Publishing Information Security
Customers urged to update firmware. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco, allowing a nefarious actor to bypass the verification process and gain unauthorised access.

Responsible AI boosts software security
Information Security
While the prevalence of high-severity security flaws in applications has dropped slightly in recent years, the risks posed by software vulnerabilities remain high, and remediating these vulnerabilities could hinder new application development.

AI and ransomware: cutting through the hype
AI & Data Analytics Information Security
It might be the great paradox of 2024: artificial intelligence (AI). Everyone is bored of hearing it, but we cannot stop talking about it. It is not going away, so we had better get used to it.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

iOCO collaboration protection secures Office 365
Information Security Infrastructure
The cloud, in general, and Office 365, in particular, have played a significant role in enabling collaboration, but it has also created a security headache as organisations store valuable information on the platform.

Cybercriminals embracing AI
Information Security Security Services & Risk Management
Organisations of all sizes are exploring how artificial intelligence (AI) and generative AI, in particular, can benefit their businesses. While they are still figuring out how best to use AI, cybercriminals have fully embraced it.

A strong cybersecurity foundation
Milestone Systems Information Security
The data collected by cameras, connected sensors, and video management software can make a VMS an attractive target for malicious actors; therefore, being aware of the risks of an insecure video surveillance system and how to mitigate these are critical skills.