2020 has ended with a stunning display of nation-state cyber capabilities. The Kremlin’s SVR shocked the cybersecurity industry and U.S. government with its intrusions into FireEye and the U.S. Office of the Treasury by way of SolarWinds, revealing only traces of its long-term, sophisticated campaigns.
These breaches are reminders that no organization is immune to cyber risk or to hacking. Every company is subject to the same reality: compromise is inevitable.
While many companies are not likely to directly face nation-state attacks, the threat landscape is steadily changing, forcing security programs of all sizes to remain agile and resilient. The pandemic changed our way of life so quickly that IT infrastructure drastically shifted to keep up and this changed the shape of organizations’ attack surfaces.
Security decision makers are already performing calculus to adapt to their new organizational reality. As a red teamer with more than a decade and 100% success in cracking my clients, here’s my take on how hackers will approach the year ahead:
Deepfakes and voice fakes come to the enterprise
In 2021, threat actors will move on from basic ransomware attacks and will weaponize stolen information about an executive or business to create fraudulent content for extortion.
From deepfakes to voice fakes, this new type of attack will be believable to victims, and therefore, effective. For example, imagine an attacker on a video system, silently recording a board meeting, then manipulating that private information to contain false and damning information that if leaked, would create business chaos, to compel a business to pay up.
Ransomware evolves to enterprise extortion
Threat actors are evolving from high-volume/low-value attacks, to high-value/low-volume attacks targeting businesses. Half of ransomware attacks already involve data exfiltration, and in 2021, cybercriminals will incorporate extortion by weaponizing the content they’ve stolen to compel their victim to action.
Ransomware attacks will shift from “I’ve stolen all your data, now pay me;” to, “I’m going to extort your CEO with information I’ve found in the data I’ve stolen from you, and if you don’t pay, we’ll devalue your stock on Wall Street.”
Cloud infrastructure ransom attacks
Threat actors are beginning to sift through exfiltrated data from ransomware attacks for high value content, and their pot of gold? Cloud infrastructure credentials that could allow them to hold a company infrastructure for ransom.
It takes adversarial creativity, but the reward is high and the kill chain is simple enough. Maybe they find keys in the data directly, or maybe the attacker can gain access to an app like Slack and find keys shared there. Maybe they go so far as to send spoofed messages to convince unwitting victims to share cloud login credentials (heads up, IT).
With a little information and a bit of persistence, an attacker can turn their ransomware access into high-privilege AWS tokens, log into the cloud infrastructure and hold it for ransom.
The threat of turning off the business with the click of a button is a highly effective extortion technique. Many CISOs don’t know when and where highly privileged passwords have been recorded (in an old Slack message from 2 years ago?) – this is a big risk for companies mid-cloud migration.
A skills gap crisis in the US government
Chris Krebs’ unceremonious post-election ousting may be the proverbial sour cherry on top of the Trump administration’s treatment of cybersecurity talent in the White House. Under the administration, turnover at the senior leadership level of the National Security Council was record-breaking and we will witness the first downstream effects on our national global cybersecurity ability in 2021.
We’re already seeing this skills gap exacerbating the effects of the SolarWinds breach. You frequently hear when companies are attacked that it happened because they didn’t have cyber leadership. You need experts in-house to respond to such high-profile incidents. US national cyber policy and our global cybersecurity posture will take a hit, and tactically but crucially, government hiring of cyber talent will stall. These will have lasting impact on our cyber leadership that will take 10-20 years to correct.
Antitrust / anti-tech reckoning in 2021
Democratic institutions rely on common information and facts, which have been challenged in light of disinformation and misinformation proliferating across social platforms. With antitrust sentiment slowly taking over Washington, it’s becoming more apparent that technology and social platforms are unregulated domains that have been damaging to truth, and the functioning of democratic processes.
In 2021, I expect antitrust hearings to come about as a matter of national security, and the force of the government extended against social platforms and tech monopolies in the next year or so.
While no CISO has access to a crystal ball demystifying how their organization will be attacked, they should know that in 2021, attacks will happen. Whether by a ransomware attack compromising your cloud infrastructure or a traditional phishing attack, security leaders must prepare for all possibilities. That doesn’t mean sweating every software patch, but instead applying a mindset of probability and likelihood, then deploying controls to prevent accidental changes to baseline security.