Authored by Greg Foss, Senior Cyber Security Strategist, VMware Security Business Unit
COVID-19, one year later
2020 was undoubtedly a defining year for cyber security – a year that ended with the SolarWinds breach, which infiltrated US government agencies and organisations at a scale not seen in recent history.
For cyber security professionals, the nature of this attack – a sophisticated, clandestine intrusion into vendors’ networks that was then used to “island hop” onto others along their supply chains – embodied today’s threat landscape as refigured by the pandemic.
The fact is, this is not an isolated event. With COVID-19 catalysing digital transformation and a shift to cloud services, these sorts of attacks will only increase in frequency. Organisations must realise that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.
The pandemic did more than broaden the attack surface: it provided the time, capital, and opportunity for cybercrime to industrialise. E-crime groups have collaborated to form advanced enterprises, providing ransomware-as-a-service (RaaS), selling network access points on the dark web, and executing destructive cyberattacks.
Still, 2020 was not all bad news. With new attack methods on the rise, organisations have been forced to shift their mindset and rethink their approach to security across applications, clouds and devices. Cyber security is adapting to changing conditions. The old school mentality is gone. Security teams realise they must change their architectures, adopt a cloud-first mindset, and work together to meet today’s challenges. The path they’re charting is a good one.
We took a look at what 180 incident response, cyber security, and IT professionals (including CTOs, CIOs and CISOs) from around the world saw during an unprecedented year – from evolving attacker behaviours to the rise in e-crime – and, most importantly, what defenders can be doing to prepare in 2021 and beyond. These are the key findings of our research.
Attacker Behaviour: Amid COVID-19, the surge of sophisticated attacks and rise of ransomware-as-a-service
In response to the pandemic, organisations have accelerated the adoption of cloud technology – which in turn has created new security threats that sophisticated cybercriminals have seized the opportunity to exploit. The speed of innovation comes with broader issues such as supply chain compromise. In instances like the SolarWinds breach, the adversary uses one organisation’s network (or cloud) to island hop to others along its supply chain.
Recognising this growing threat, “security for trusted third parties/supply chains” was the top priority security area for organisations in 2021. In today’s threat landscape, organisations must assume that cybercriminals will also target their constituency. The burglary has turned into a home invasion – and not just one house, but the whole neighbourhood.
When it comes to the most observed supply chain compromise techniques, nearly half of respondents (46%) selected attackers abusing trusted relationships by leveraging accounts belonging to legitimate suppliers and other trusted third parties. Attackers leveraging connectivity/networks between third party suppliers and enterprises (22%) and loopholes in software updates (21%) also garnered a significant proportion of responses.
Increasingly destructive counter IR
A significant majority (63%) of respondents witnessed incidents of counter IR since the start of the pandemic – many of which reflect the increasingly destructive nature of cybercrime today.
For instance, the types of counter IR most observed included: security tooling disablement (33%), Denial-of-Service attacks (26%), security tooling bypass (15%), destruction of logs (11%), email monitoring (9%), and destructive attacks (7%).
These responses underscore the importance of threat hunting, as they demonstrate that there’s a human being on the other end of the system who wants visibility into the entire environment – while deploying increasingly destructive malware. Attackers look to get a foot in the door of an organisation’s network, then unhook the latch once it’s safe – softly and silently at first – before loading more advanced tool kits. This is becoming a significant part of e-crime, and organisations need to be prepared.
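Counter-IR of the kinds listed above leaves traces that a routine threat hunt can pick up before the attacker moves to the destructive phase. The script below is an added example (not code from the original article or from VMware): it scans Windows event records for the two most commonly reported techniques, security tooling disablement and destruction of logs, and escalates a host where the two occur in sequence. The event records are constructed sample data; the event IDs are the standard Windows ones (1102 and 104 for cleared logs, 7036 for service state changes, 5001 for Defender real-time protection disabled), while the list of service-name keywords treated as "security tooling" is an assumption to be tuned to the EDR actually deployed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Fields: timestamp, host, event_id, provider, message
SAMPLE_EVENTS = [
    ("2021-03-02T09:14:05", "ws-042", 7036, "Service Control Manager",
     "The Windows Defender Antivirus Service service entered the stopped state."),
    ("2021-03-02T09:14:20", "ws-042", 5001, "Microsoft-Windows-Windows Defender",
     "Real-time protection is disabled."),
    ("2021-03-02T09:16:41", "ws-042", 1102, "Microsoft-Windows-Eventlog",
     "The audit log was cleared."),
    ("2021-03-02T09:17:02", "ws-042", 104, "Microsoft-Windows-Eventlog",
     "The System log file was cleared."),
    ("2021-03-02T11:02:13", "srv-db-01", 7036, "Service Control Manager",
     "The Print Spooler service entered the stopped state."),
    ("2021-03-03T02:00:00", "srv-db-01", 1102, "Microsoft-Windows-Eventlog",
     "The audit log was cleared."),
    ("2021-03-02T12:30:00", "ws-017", 7036, "Service Control Manager",
     "The Windows Defender Antivirus Service service entered the running state."),
]

# Assumption: keywords identifying security tooling in service names.
# Extend with the display name of the EDR/AV agent in your own estate.
SECURITY_SERVICE_RE = re.compile(
    r"(defender|antivirus|sysmon|endpoint|edr|sensor)", re.IGNORECASE)


def classify(event):
    """Map one event to a counter-IR category, or None if it looks benign."""
    _, _, event_id, _, message = event
    if event_id in (1102, 104):          # Security / System log cleared
        return "log_destruction"
    if event_id == 5001:                 # Defender real-time protection off
        return "tooling_disabled"
    if (event_id == 7036 and "stopped state" in message
            and SECURITY_SERVICE_RE.search(message)):
        return "tooling_disabled"        # a security service was stopped
    return None


def hunt(events, window=timedelta(minutes=15)):
    """Return one finding per host that produced any counter-IR event.

    Severity is 'high' when log destruction follows tooling disablement
    within `window` (the sequence an intruder hiding from responders
    would produce) and 'medium' for an isolated event that still merits
    a look, e.g. a cleared audit log with no matching change ticket.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):   # ISO timestamps sort lexically
        cat = classify(ev)
        if cat:
            by_host[ev[1]].append((datetime.fromisoformat(ev[0]), cat, ev[2]))

    findings = {}
    for host, hits in by_host.items():
        disable_times = [t for t, cat, _ in hits if cat == "tooling_disabled"]
        severity = "medium"
        for t, cat, _ in hits:
            if cat == "log_destruction" and any(
                    timedelta(0) <= (t - d) <= window for d in disable_times):
                severity = "high"
                break
        findings[host] = {
            "severity": severity,
            "categories": sorted({cat for _, cat, _ in hits}),
            "event_ids": [eid for _, _, eid in hits],
        }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['severity']:6} {finding['categories']} "
              f"events={finding['event_ids']}")
```

On the sample data the script flags ws-042 as high (Defender stopped, real-time protection disabled, then both logs cleared within three minutes) and srv-db-01 as medium (a cleared audit log with no preceding tooling change); the stopped Print Spooler and the Defender service returning to the running state are ignored. Run it over the previous week's forwarded events as the baseline of a weekly hunt, and treat any high finding as a live intrusion rather than an alert to queue.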
The rise of RaaS and double-extortion ransomware
In 2020, we saw ransomware go mainstream. 66% of respondents report being targeted by ransomware during the past year – much of which may have been sold by e-crime groups on the dark web as RaaS.
Traditional ransomware isn’t going anywhere. However, in today’s landscape, it can be hard to tell whether a business has been hit by RaaS or traditional methods, largely because ransomware groups themselves now leverage RaaS operations and affiliate programmes.
Worse, in a growing number of cases, these ransomware attacks have gotten more sophisticated. For instance, when asked which new ransomware attack techniques were most observed, nearly 40% of respondents selected double-extortion ransomware (e.g. encryption, data exfiltration, extortion). In other words, as organisations became more effective at recovering from ransomware attacks via backups, attackers changed their tactics to exfiltrate sensitive information and use it for blackmail to ensure financial gain.
If a business is hit by ransomware today, it’s safe to assume the attacker has a second command and control post inside their infrastructure. These methods will only expand in 2021 – we expect to see triple and quadruple extortion attacks this year.
Adapting to a new threat landscape
Forced to combat increasingly sophisticated attacks – in a remote-work environment, no less – defenders have stepped up their game. 81% of respondents now have a threat hunting program in place. This represents a vital mindset shift, wherein companies and security leaders aren’t merely defending against potential breaches – but assuming there is already a breach to uncover.
Organisations are beginning to recognise that security tools won’t tell them everything. Human beings are still a critical component of cyber security: analysts must manually go through the information being collected to proactively look for clues and anomalies.
Now, it’s just a matter of what those threat hunts consist of and how often they’re conducted – we recommend conducting them at least weekly.
2021 security priorities and investments
In the wake of the SolarWinds breach and the move to cloud environments, it’s no surprise that security for trusted third parties/supply chain is the number one security priority for organisations in 2021. This was followed by remote access security (24%), network and endpoint security (22%), identity and access controls (21%), and hardware/physical devices security (9%).
This year, we will see security budgets activated to address these priorities. When asked which security solution their organisation planned to invest the most in for 2021, respondents shared network security (27%), cloud security (20%), end-point security (17%), data protection (16%) and managed security services (12%).
Rethinking the security stack
There’s no doubt about it: 2020, and the vulnerabilities brought on by COVID-19, served as a catalyst for yet another evolution in the sophistication and severity of cyberattacks. As organisations continue to migrate to public and private cloud networks, support “work from anywhere” environments, and fast track digital transformation efforts, we shouldn't expect the surge of attacks to slow down anytime soon.
On the bright side, the pandemic has served as a wake-up call for security leaders and an opportunity to rethink their full security stack. In 2021, organisations will need the right mindset, investment and platforms to stay one step ahead of attackers.