The end of the year is a time for reflection. In the world of cybersecurity, that means looking back at how the threat landscape has evolved and what changes we can make to better prepare for the year ahead. ThreatLabz monitors security trends every single day, and publishes research throughout the year in addition to using it to continuously improve the protections of our platform. Here are some of the lessons we’ve learned and resulting guidance for the new year ahead.
Top attacks in 2021
2021 has been an eventful year with a number of impactful cyberattacks. The biggest and most concerning attacks that we’ve seen have fallen into the following four categories, which we expect to persist as top threats in 2022:
- Ransomware. 2021 saw a continuation of trends that began in late 2019 with ransomware attacks reaching new levels of sophistication. This includes the prevalence of:
  - Ransomware-as-a-service. Ransomware is no longer being waged by single threat actors. Large marketplaces of for-hire ransomware operators and ready-made malware are now available to willing bidders, increasing the size and scope of attacks that can
  - Double-extortion attacks, which now make up over 50% of ransomware attacks. In double-extortion attacks, threat actors steal data in addition to encrypting it, granting them greater leverage to demand large ransoms.
  - Attacks against large enterprises. Due to the ransomware-as-a-service and double-extortion trends described above, many large businesses are getting hit by ransomware, often with global impact. Attacks against Colonial Pipeline, CNA Financial, and the Health Service Executive of Ireland are three examples of such high-profile attacks.
- Supply chain attacks. The State of Encrypted Attacks report revealed that SSL attacks against technology companies increased 2,344% in 2021 when compared to 2020. One big reason is the attractiveness of targeting software code. If attackers can successfully infect the code, they can then wage second-stage “supply chain” attacks on all the software vendor’s customers. Two major examples of this stand out:
  - SolarWinds SUNBURST attack. While technically in 2020, organizations were still dealing with the fallout of the SolarWinds attack well into 2021. In that attack, threat actors exploited a backdoor in the SolarWinds Orion product that pushed malicious code to 18,000 customers.
  - Kaseya attack. The REvil ransomware group exploited a zero-day vulnerability in the Kaseya VSA remote monitoring tool, pushing ransomware out to Kaseya customers. Over 1,000 businesses using the on-premises version of Kaseya software had their data encrypted.
- Zero-day exploits. Zero days are not unique to 2021, but we may have just experienced the worst one in a decade with the recent Log4Shell attack targeting the highly popular Apache Log4j Java library. Earlier this year, we saw the Microsoft Exchange Server attack, which took advantage of not just one but four different vulnerabilities. These incidents underscore the need to reduce your attack surface (particularly by reducing application exposure to the internet), and to limit the impact of any exploits by implementing granular microsegmentation.
- Advanced persistent threats (APTs). While ransomware has dominated many of the headlines this year, APTs remain the most ominous threats due to their resources and extreme sophistication. In 2021, notable attacks included:
  - Cloudfall, in which the CloudAtlas APT group targeted researchers and scientists with a Microsoft Word-based attack.
  - DarkHotel, an APT group that targets executives through luxury hotel WiFi systems.
Some of the most concerning trends of this year involved overlaps of the above four categories. An example of this is ransomware gangs' use of supply chain vectors to target large numbers of enterprises, as was evident in the Kaseya supply chain attack. Additionally, nation-state actors continued taking advantage of zero-day exploits like the Exchange Server vulnerabilities and, more recently, Log4Shell.
Guidance for 2022
To optimize your security posture for 2022, here are the tips we recommend:
- Reduce your attack surface. Threat actors can only attack what they can see. Rather than publishing applications to the internet, move them behind a cloud-based proxy that brokers access based on identity and context.
- Enforce a consistent security policy to prevent initial compromise. With a distributed workforce, it is important for organizations to implement a security service edge (SSE) architecture that can monitor and enforce consistent security policy no matter where the users are working (in-office or remotely).
- Inspect encrypted traffic. Over 80% of all threats now utilize encrypted channels. Decrypt, detect, and prevent threats in all HTTPS traffic with a cloud-native proxy-based architecture that can inspect all traffic for every user.
- Quarantine unknown attacks and stop patient-zero malware with an AI-driven sandbox that holds suspicious content for analysis, unlike firewall-based passthrough approaches.
- Implement zero trust network access (ZTNA) architecture. Segment environments as granularly as possible and implement dynamic least-privileged access controls to eliminate lateral movement and reduce the external attack surface. This includes user-to-app, app-to-app and app-to-internet communications that can disrupt supply chain attacks, among others.
- Deploy in-line data loss prevention. Inspecting outgoing traffic is as important as inspecting incoming traffic. Prevent exfiltration of sensitive information with trust-based data loss prevention tools and policies to thwart data theft.
- Keep software and training up to date. Apply software security patches and conduct regular security awareness training for employees to reduce vulnerabilities that can be exploited by cybercriminals.
- Have a response plan. Prepare for the worst with cyber-insurance, a data backup plan, and a response plan as part of your overall business continuity and disaster recovery program.
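The first and fifth tips describe access that is brokered per application based on identity and context, with no network path left over for lateral movement. The following is an added illustration of that decision logic, not ThreatLabz code or any vendor's implementation; the users, groups, applications and device-posture values are all constructed for the example, and the broker is a deliberately small policy decision point rather than a real ZTNA product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Identity and device context attached to one access request (constructed values)."""
    principal: str          # user or workload identity
    groups: frozenset       # entitlements asserted by the identity provider
    device_compliant: bool  # endpoint posture reported by the device agent
    mfa: bool               # whether the session completed MFA


@dataclass(frozen=True)
class Rule:
    """Per-application entitlement; an app is reachable only through the broker."""
    app: str
    allowed_groups: frozenset
    require_compliant_device: bool = True
    require_mfa: bool = True


class AccessBroker:
    """Default-deny policy decision point.

    The broker knows only the apps it publishes. Anything else is unreachable,
    so there is no shared network segment for an intruder to pivot across.
    """

    def __init__(self, rules):
        self._rules = {r.app: r for r in rules}

    def decide(self, ctx, app):
        """Return (allowed, reason); every check must pass for an allow."""
        rule = self._rules.get(app)
        if rule is None:
            return False, "app not published"
        if not (ctx.groups & rule.allowed_groups):
            return False, "identity not entitled"
        if rule.require_compliant_device and not ctx.device_compliant:
            return False, "device non-compliant"
        if rule.require_mfa and not ctx.mfa:
            return False, "mfa required"
        return True, "allow"


# Constructed policy (hypothetical apps and groups): finance users reach the ERP
# front end, HR users reach the HR portal, and only the ERP workload identity
# reaches the ERP database. A compromised user session therefore cannot hop
# from the application to its data store (user-to-app and app-to-app segmented).
RULES = [
    Rule("erp", allowed_groups=frozenset({"finance"})),
    Rule("hr-portal", allowed_groups=frozenset({"hr"})),
    Rule("erp-db", allowed_groups=frozenset({"svc:erp"}),
         require_compliant_device=False, require_mfa=False),
]


def demo_decisions():
    """Evaluate a handful of constructed requests and return the decisions."""
    broker = AccessBroker(RULES)
    alice = Context("alice", frozenset({"finance"}), device_compliant=True, mfa=True)
    alice_byod = Context("alice", frozenset({"finance"}), device_compliant=False, mfa=True)
    erp_svc = Context("svc:erp", frozenset({"svc:erp"}), device_compliant=True, mfa=False)
    return {
        "alice->erp": broker.decide(alice, "erp"),
        "alice->hr-portal": broker.decide(alice, "hr-portal"),
        "alice->erp-db": broker.decide(alice, "erp-db"),
        "alice(byod)->erp": broker.decide(alice_byod, "erp"),
        "erp->erp-db": broker.decide(erp_svc, "erp-db"),
        "alice->legacy-rdp": broker.decide(alice, "legacy-rdp"),
    }


if __name__ == "__main__":
    for request, (allowed, reason) in demo_decisions().items():
        print(f"{request:20} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The point of the example is the shape of the decision, not the specific rules: the entitled user on a managed device is allowed into exactly one application, the same user on a non-compliant device is refused, the database accepts only the ERP workload identity, and an application the broker never published (here a hypothetical "legacy-rdp") cannot be reached at all, which is what "threat actors can only attack what they can see" means in practice.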