Introduction

It’s an understatement to say that 2020 brought a few unexpected events, and it has taught everyone to stay humble and think twice before making overly bold assertions about the year ahead. For cyber security predictions, though, there are a few clear areas that organizations can think about in order to better prepare for 2021.

Let’s explore a few of the prominent topics and trends we expect to see.

Ransomware

Don’t be fooled: this isn’t business as usual. Ransomware is a completely different beast from what it was just a few years ago, and it’s only going to get more vicious in 2021. The most notable difference is the way ransomware gets deployed. It used to arrive as an email attachment or link. When the victim opened the attachment, the machine used to read the email would have its files encrypted, made inaccessible, and held hostage by the ransomware.

Today, ransomware actors aren’t satisfied with taking control of a single, random, likely low-value machine. Instead, they precede the ransomware deployment with a full network intrusion. A network intrusion is a lot more work, no doubt, but it lets them deploy ransomware on critical business servers rather than on the workstation used to read an email. Attacking critical business servers can impact the entire business, its partners, and its customers, not just a single employee. If the attackers can take the business down, instead of asking for a few thousand dollars they can ask for a few million. Preceding the deployment with an intrusion also lets them control when the ransomware is deployed, which is usually in the evening or over a weekend. That timing maximizes confusion and impact, furthering the leverage they have to extort a higher ransom. And since they’re in the network, they’re not limited to a single machine: ransomware incidents today often involve hundreds or thousands of servers rather than a single workstation.

Seems bad? It gets worse.

Since they’re already in the network, and on the critical business servers, there’s nothing stopping them from stealing important data before deploying the ransomware, and that’s exactly what they do. 

Now victims face a double extortion. First, “If you want access to your files, you’ll need to pay the ransom.” Second, “If you don’t want me to publish your customer PII, executive emails, and intellectual property to a public website, you’ll need to pay the ransom.” The second type of extortion is tricky because it can bring business consequences not seen with the first, such as regulatory and legal exposure. While good backups might save organizations from the first type of extortion, they don’t help at all against an actor threatening to make private data public.

Ransomware actors have become more business-savvy. They operate affiliate programs and have built out an ecosystem of cybercrime activity. They know how to exert maximum leverage and aren’t afraid to disclose the breach and stolen private data to the victim’s regulators, local media, customers, or even competitors. 


These tactics came into play in earnest in 2020, and attackers are now asking for ransoms in the millions and sometimes tens of millions of dollars. In 2021 it’s critical that organizations think carefully about ransomware: perform ransomware defense assessments, and treat ransomware as a human intrusion into your network rather than as a malware infection. Remember the typical modern ransomware attack chain: 1) break into the network, 2) steal credentials that give access to the servers, 3) move laterally to the servers, 4) steal the data on the servers, 5) deploy the ransomware on the servers. If you treat ransomware as a malware problem, you start defending only once the attacker has reached step 5, which is too late. If you treat it as a human intrusion problem, you defend from step 1. Detecting intrusions is not easy, and many organizations outsource this ability to Managed Detection & Response (MDR) services.
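What “defending at steps 2 and 3 instead of step 5” looks like in practice, as an added example that is not code from the FireEye post: a small detector over constructed logon records that flags one account fanning out from a single workstation to many servers within minutes (stolen credentials being used to move laterally) and separately flags server logons in the evening/weekend window attackers favour for deployment. The event fields, hostnames, account names, business hours and thresholds are all assumptions made for the illustration.

```python
"""Added example (not code from the FireEye post): a small detector for steps 2-3
of the attack chain above (stolen credentials used to move laterally to servers)
and for the evening/weekend timing the post describes. Event fields, hostnames,
account names and thresholds are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: (ISO timestamp, account, source host, destination
# host, logon type). Logon types follow the Windows convention that 3 = network
# and 10 = RemoteInteractive (RDP); these rows are sample data, not real logs.
# 2021-01-15 is a Friday, 2021-01-16 a Saturday.
EVENTS = [
    ("2021-01-15T09:12:00", "jdoe", "WS-101", "FILE-01", 3),
    ("2021-01-15T09:14:00", "jdoe", "WS-101", "FILE-01", 3),
    ("2021-01-16T22:01:00", "svc_backup", "WS-044", "FILE-01", 3),
    ("2021-01-16T22:03:00", "svc_backup", "WS-044", "SQL-02", 3),
    ("2021-01-16T22:05:00", "svc_backup", "WS-044", "APP-07", 10),
    ("2021-01-16T22:06:00", "svc_backup", "WS-044", "DC-01", 3),
    ("2021-01-16T22:08:00", "svc_backup", "WS-044", "ERP-03", 3),
    ("2021-01-16T22:09:00", "svc_backup", "WS-044", "FILE-02", 3),
]

# Assumed list of hosts that count as "critical business servers".
SERVERS = {"FILE-01", "FILE-02", "SQL-02", "APP-07", "DC-01", "ERP-03"}


def parse(event):
    ts, account, src, dst, logon_type = event
    return datetime.fromisoformat(ts), account, src, dst, logon_type


def detect_fan_out(events, window=timedelta(minutes=15), min_hosts=5):
    """Flag an (account, source host) pair that authenticates to at least
    `min_hosts` distinct destinations inside any sliding `window`. One
    workstation reaching many servers in minutes is the lateral-movement
    phase that precedes mass ransomware deployment; a single user opening one
    file share (jdoe above) does not trigger it."""
    by_key = defaultdict(list)
    for ts, account, src, dst, _ in map(parse, events):
        by_key[(account, src)].append((ts, dst))

    alerts = []
    for (account, src), rows in by_key.items():
        rows.sort()
        best, i = set(), 0
        for j in range(len(rows)):
            while rows[j][0] - rows[i][0] > window:  # shrink window from the left
                i += 1
            hosts = {dst for _, dst in rows[i:j + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"account": account, "source": src, "hosts": sorted(best)})
    return alerts


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Weekend, or a weekday outside [start_hour, end_hour). The hours are an
    assumed business window; tune them per site."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def off_hours_server_logons(events, servers=SERVERS):
    """Logons to servers during the evening/weekend window attackers favour."""
    return [(ts, account, src, dst)
            for ts, account, src, dst, _ in map(parse, events)
            if dst in servers and is_off_hours(ts)]


if __name__ == "__main__":
    for alert in detect_fan_out(EVENTS):
        print("lateral movement:", alert)
    for row in off_hours_server_logons(EVENTS):
        print("off-hours server logon:", row)
```

Two caveats a practitioner would add: backup and management service accounts legitimately fan out to many servers, so the threshold has to be baselined per account rather than set globally, and a detector like this only covers steps 2 and 3; initial access (step 1) and data theft (step 4) need their own telemetry.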

Cloud Security

Singapore and other countries in Asia Pacific are warming more and more to the cloud. The benefits of cloud are undeniable, and even those organizations that resisted cloud most strongly are starting to find ways to embrace it.

However, the cloud brings its own security challenges. Smaller organizations venturing into the cloud for the first time may not have the expertise to manage cloud security and could make rookie mistakes. Larger organizations may be leveraging the cloud so heavily that they have trouble getting a handle on, and properly managing, all of their cloud assets.

Companies of all sizes need to understand that security in the cloud is different. They need to first understand what cloud assets they have, and this list may be changing all the time as assets get spun up and down. They then need to understand if those assets are secured in accordance with best practices. And lastly, they need enforcement and governance over the entire process. All of this needs to fit within the shared responsibility model laid out by the cloud vendors.

In 2021, more cloud adoption means more cloud breaches. The good news is that most of these cloud breaches are preventable because they most commonly result from misconfiguration errors. Organizations expanding their cloud posture in 2021 need to think about security while they are architecting those solutions, not as an afterthought.
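The inventory, check and enforce loop described above, as an added example that is not code from the FireEye post: a small policy-as-code pass over a constructed, provider-neutral asset inventory that flags the common misconfigurations the post has in mind (admin ports open to the internet, public storage, unencrypted data at rest, assets with no owner), gates a deployment on the high-severity findings, and diffs two inventory snapshots so newly created assets do not escape review. The inventory schema, rule names, severities and asset IDs are assumptions for illustration, not any cloud vendor’s API format.

```python
"""Added example (not code from the FireEye post): the inventory -> check ->
enforce loop the post describes, as a small policy-as-code pass over a
constructed, provider-neutral asset inventory. The inventory schema, rule
names, severities and sample asset IDs are assumptions for illustration, not
any cloud vendor's API format."""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP: assumed "never from the internet" ports
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory snapshot. In practice this is rebuilt continuously from
# the provider's APIs, because assets are spun up and down all the time.
INVENTORY = [
    {"id": "sg-web", "type": "security_group", "owner": "web-team",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "type": "security_group", "owner": "",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group", "owner": "data-team",
     "ingress": [{"port": 3389, "cidr": "10.20.0.0/16"}]},
    {"id": "bkt-logs", "type": "bucket", "owner": "sec-team", "public": False, "encrypted": True},
    {"id": "bkt-exports", "type": "bucket", "owner": "finance", "public": True, "encrypted": False},
    {"id": "vol-app", "type": "volume", "owner": "app-team", "encrypted": False},
]


def is_internet_reachable(cidr):
    """True unless the CIDR lies wholly inside an RFC 1918 range."""
    net = ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def rule_open_admin_port(asset):
    if asset["type"] != "security_group":
        return None
    hits = [f"port {r['port']} open to {r['cidr']}" for r in asset["ingress"]
            if r["port"] in ADMIN_PORTS and is_internet_reachable(r["cidr"])]
    return "; ".join(hits) or None


def rule_public_bucket(asset):
    if asset["type"] == "bucket" and asset.get("public"):
        return "bucket is publicly readable"
    return None


def rule_unencrypted_at_rest(asset):
    if asset["type"] in ("bucket", "volume") and not asset.get("encrypted"):
        return "data at rest is not encrypted"
    return None


def rule_missing_owner(asset):
    # Governance check: an asset nobody owns is an asset nobody will fix.
    return None if asset.get("owner") else "no owner tag"


RULES = {  # rule -> severity; the severities are assumed
    rule_open_admin_port: "high",
    rule_public_bucket: "high",
    rule_unencrypted_at_rest: "medium",
    rule_missing_owner: "low",
}


def evaluate(inventory):
    """Step 2: check every asset against every rule and return the findings."""
    findings = []
    for asset in inventory:
        for rule, severity in RULES.items():
            detail = rule(asset)
            if detail:
                findings.append({"id": asset["id"], "rule": rule.__name__,
                                 "severity": severity, "detail": detail})
    return findings


def deployment_allowed(findings, block_on=("high",)):
    """Step 3 (enforcement): gate the pipeline on the findings rather than
    reading them in a report weeks later."""
    return not any(f["severity"] in block_on for f in findings)


def inventory_drift(previous, current):
    """Step 1: assets appear and disappear constantly; diff two snapshots so
    new, unreviewed assets get evaluated instead of silently accumulating."""
    prev_ids = {a["id"] for a in previous}
    cur_ids = {a["id"] for a in current}
    return sorted(cur_ids - prev_ids), sorted(prev_ids - cur_ids)


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f['severity']}] {f['id']}: {f['rule']} ({f['detail']})")
    print("deploy allowed:", deployment_allowed(evaluate(INVENTORY)))
```

The point of the structure is the shared responsibility model: the provider secures the platform, but whether port 22 faces the internet or a bucket is public is the customer’s configuration, so the checks have to run on the customer’s side, continuously, against whatever the inventory contains right now.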

Security Validation

A few years back I remember giving talks, as well as hearing talks from others, where the theme was, “Cyber security is a business problem and needs to be addressed by the board of directors”. Business leaders at the time saw cyber security as a technology issue rather than a business issue, and so they relegated ownership to their IT teams. “Let IT handle it” was the thinking of many. That message of cyber security being a business problem was reinforced by an endless string of news stories discussing business impacting breaches followed by CEO resignations.

Cyber professionals have gotten what they asked for and now CIOs and CISOs are presenting to the board of directors (BOD)—and the board has questions, lots of questions. How secure are we? Is our security posture trending up? By how much? How are you quantifying it? HR, Finance and other departments are all answering questions such as these with concrete metrics, but for security teams, these quantitative measurements are more difficult. How can security be measured when an organization has 50 different security controls all in different places and all doing different things against a constantly changing threat landscape?

Enter Security Validation. Security Validation is not focused on stopping attacks, but on measuring the effectiveness of security controls so that CISOs can give quantifiable answers to their BOD. This is an area that almost every organization struggles with. Just think back to the most recent cyber security headline highlighting a new and dangerous vulnerability: many organizations called up their cyber security vendors and asked whether they were protected, rather than being able to answer the question with their own effectiveness measurements.

In 2021 boards will demand better, and CISOs will need to look for ways to have a more formal approach to measuring effectiveness and cyber risk. Security Validation is perfectly positioned to provide this capability to CISOs, risk & governance, and audit & compliance teams alike.

Conclusion

If you’d like to learn more about FireEye predictions for the year ahead, read our 2021 predictions blog post, and report, or check out our webinar.

By: Steve Ledzian, Vice President and CTO – APAC, FireEye