1. Ransomware continues its march; policy complexities follow
The surge of ransomware attacks against organizations was *the* central cyber threat theme of 2020. We have seen more and more groups adopting the double extortion model based on data theft and public victim blogs. A perfect storm of factors has contributed to the success of this criminal enterprise. We expect criminal groups to continue in this vein, evolving their tools and finding ways to collaborate. This will result in a greater number of effective attacks.
We also anticipate increased use of ransomware-like attacks by unscrupulous state actors, both for financial gain, as well as for disruptive attack under a false flag. Recent advisories by US Treasury bodies are a first sign of policy complexities to come, with legislation around ransom payment likely to emerge in a number of countries. Financial institutions, especially those offering cyber insurance, will need to watch this space closely in 2021. Whether policy measures are sufficient to stop the scourge of ransomware attacks remains to be seen; collaborative defensive and increased pursuit of the criminals is also likely required.
2. Synthetic media goes mainstream, and threat actors capitalize
Technological developments in synthetic media (AI-generated faces, voices, etc.) have boomed in 2020 and will continue to do so in 2021. The benefits of this could be many-fold. For example, NVIDIA has proposed an AI-based mechanism to minimize bandwidth use in videoconferencing, with impressive results. However, time has told us that threat actors are always quick to exploit technological advances to support their goals. The immediate use of deep fakes for disinformation will be in the interests of several different threat actor groups with political or subversive goals. Synthetic media will also be increasingly used for new twists on social engineering – e.g., AI-generated faces on social media profiles, fictitious personnel at spoofed/front companies, etc., and an array of potential uses of this technology for cybercrime and fraud are likely to be seen in the wild. A scenario in which your CEO requests over Zoom that a wire transfer is made, when in reality it is a real-time deep fake video overlay and audio from a cyber-criminal, is increasingly a possibility.
3. Hacking-for-hire becomes a booming industry and intrigue abounds into the hirers.
2020 has seen a massive increase in disclosure of threat activity constituting ‘hacking for hire.’ Often referred to as corporate or industrial espionage or ‘mercenary’ activity, an increasing number of threat groups and corresponding companies have been implicated in this. We predict that further to the apparent nexuses for these companies in India and Russia, more groups and centers will appear. To date, organizations and individuals in legal, financial services, and government sectors have been heavily targeted, but the ultimate hirers of this activity remain unclear. We expect more investigative effort will shine a light on this ecosystem in 2021.
4. The implications of remote working become clearer
Much has been written about the potential implications of increased remote working on organizational security, with particular attention to increased attack surface through additional devices and different connectivity mechanisms. Survey data has suggested a lack of awareness around security best practices has led to an increased rate of data breaches. There have been reports of WFH compromise leading to organizational compromise – although it is unclear whether these would have occurred from the office anyway.
Definitive trends in whether remote working has led to increased prevalence of specific attack paths are currently unclear. However, we expect further attention from both attackers and defenders in 2021. As a global movement to work from home has shifted the enterprise last mile to include consumer network-enabled technology, 2021 shapes up to be the beginning of a new revolution in adversary tactics, tools, and strategy.
5. Organizations go back to basics to shore up defenses
“Doing the basics right” has been a mantra of many cybersecurity standards bodies for many years. Continuing a trend we saw in 2020, we expect an additional emphasis on this in 2021 as organizations realize that implementation of patching regimes and appropriate authentication controls are a pre-requisite for good security – and those complex technical solutions are rarely the answer in and of themselves.
This has particular relevance for preventing ransomware attacks, where board recognition of the threat and preparedness for the attack – both in response and ensuring that backups are functioning and resilient to attack – are vital. The transition to the cloud has been undoubtedly accelerated by the COVID pandemic, further shifting monitoring away from the enterprise for early warning. The Verizon DBIR 2020 highlighted the rise of breaches due to cloud misconfigurations (pre-pandemic) – this is likely to feature heavily next year, too but is a ‘basic’ that should receive increased emphasis.
Bio: James Muir leads on thematic and technology threat research at BAE Systems Applied Intelligence. His current research interests are in the ransomware threat, hackers-for-hire, and threats to operational technology. Muir is a secondee with the UK government’s National Cyber Security Centre’s Industry 100 scheme. Dr. Muir also holds a PhD in Neuroscience from University College London.
Contributors
