COVID-19, one year later
2020 was undoubtedly a defining year for cybersecurity – a year that ended with the SolarWinds breach, which infiltrated US government agencies and organisations at a scale not seen in recent history.
For cybersecurity professionals, the nature of this attack – a sophisticated, clandestine intrusion into vendors’ networks that was then used to “island hop” onto others along their supply chains – embodied today’s threat landscape as refigured by the pandemic.
“This is not an isolated event,” notes Tom Kellermann, Head of Cybersecurity Strategy, VMware Security Business Unit. “With COVID-19 catalysing digital transformation and a shift to cloud services, these sorts of attacks will only increase in frequency. Organisations have to realise that it’s no longer simply about whether breaches along their supply chains can be leveraged to attack them, but whether they themselves can be used to attack their customers.”
The pandemic did more than broaden the attack surface: it provided the time, capital, and opportunity for cybercrime to industrialise. E-crime groups have collaborated to form advanced enterprises, providing ransomware-as-a-Service (RaaS), selling network access points on the dark web, and executing destructive cyberattacks.
As Greg Foss, Senior Cybersecurity Strategist, VMware Security Business Unit, puts it, “Since 2019, we’ve seen e-crime shift from covert shadow groups into these pseudo-legitimate businesses, replete with customer service channels, clear business sites, and increasingly sophisticated attack methods.”
Still, 2020 was not all bad news. With new attack methods on the rise, organisations have been forced to shift their mindset and rethink their approach to security across applications, clouds, and devices.
“Cybersecurity is adapting to changing conditions,” observes Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit. “The old school mentality is gone. Security teams realise they must change their architectures, adopt a cloud-first mindset, and work together to meet today’s challenges. The path they’re charting is a good one.”
Here’s a look at what organisations saw during an unprecedented year from evolving attacker behaviours to the rise in e-crime – and most importantly what defenders can be doing to prepare in 2021 and beyond.
- Ransomware attacks are getting increasingly sophisticated: nearly 40% of respondents said double-extortion ransomware was the most observed new ransomware attack technique in 2020.
- A growing number of attackers are fighting back: 63% of respondents witnessed counter incident response (IR) since the start of the pandemic. Security tooling disablement was the most observed technique.
- Attackers are leveraging a number of counter IR techniques, the top techniques observed included: security tool disablement (33%); DDoS (Denial-of-service) attacks (26%); Security tool bypass (15%); Destruction of logs (11%).
- Security teams now know it’s not a matter of if they’ll get attacked, but when – and have adopted a proactive mindset: 81% of organisations reported having a threat hunting program.
- Island hopping is increasingly prevalent, as attackers “hop” from one network to another along its supply chain: Nearly half (44%) of respondents said they witnessed island hopping in more than 25% of all IR engagements; 13% witnessed it in over 50% of engagements.
- This year, the top security priorities for organisations include: security for trusted third parties/supply chain (24%); remote access security (24%); network and endpoint security (22%); identity and access controls (21%); hardware/physical device security (9%).
Attacker Behaviour: Amid COVID-19, the surge of sophisticated attacks and rise of ransomware-as-a-service
In response to the pandemic, organisations have accelerated the adoption of cloud technology – which in turn has created new security threats that sophisticated cybercriminals have seized the opportunity to exploit. The speed to innovation comes with broader issues such as supply chain compromise. In such instances like the SolarWinds breach – the adversary will use one organisation’s network (or cloud) to island hop to others along their supply chain. Recognising this growing threat, “security for trusted third parties/supply chains” was the top priority security area for organisations in 2021.
“In today’s threat landscape, organisations must assume that cybercriminals will also target their constituency,” said Kellermann. “The burglary has turned into a home invasion – and not just one house, but the neighbourhood.”
When it comes to the most observed supply chain compromise techniques, nearly half of respondents (46%) selected attackers abusing trusted relationships by leveraging accounts belonging to legitimate suppliers and other trusted third parties. Attackers leveraging connectivity/networks between third party suppliers and enterprises (22%) and loopholes in software updates (21%) also garnered a significant proportion of responses.
“Too often organisations offload security issues around third-party vendors, which include time-consuming paperwork to properly vet upfront,” Foss adds. “Organisations say, ‘they’ve filled out the questionnaire, passed our barometer.’ And even if they do put all the right checks in place, bad actors can still take advantage.”
Increasingly destructive counter IR
A significant majority (63%) of respondents witnessed incidents of counter IR since the start of the pandemic – many of which reflect the increasingly destructive nature of cybercrime today.
For instance, the types of counter IR most observed included: security tooling disablement (33%), Denial-of-Service attacks (26%), security tooling bypass (15%), destruction of logs (11%), email monitoring (9%), and destructive attacks (7%).
“These responses underscore the importance of threat hunting,” says McElroy. “They demonstrate that there’s a human being on the other end of the system who wants to get visibility into the entire environment – while deploying increasingly destructive malware.”
Foss also notes: “Attackers are looking to get their foot in the door of your network, then unhook the latch once it’s safe – all very soft and silently at first – before loading more advanced tool kits. It’s becoming a significant part of e-crime.”
The rise of RaaS and double-extortion ransomware
In 2020, we saw ransomware go mainstream. Sixty-six per cent of respondents report being targeted by ransomware during the past year – much of which may have been sold by e-crime groups on the dark web as RaaS.
“Traditional ransomware isn’t going anywhere,” Foss says, “But it can be hard to tell nowadays whether you’ve been hit by RaaS or traditional methods, largely because ransomware groups themselves now leverage RaaS operations and affiliate programs.”
Worse, in a growing number of cases, these ransomware attacks have gotten more sophisticated. For instance, when asked which new ransomware attack techniques were most observed, nearly 40% of respondents selected double-extortion ransomware (e.g., encryption, data exfiltration, extortion). In other words, as organisations became more effective at recovering from ransomware attacks via backups, attackers changed their tactics to exfiltrate sensitive information and use it for blackmail to ensure a financial gain.
“If you’re hit by ransomware today, it’s safe to assume the attacker has a second command and control post inside your infrastructure,” says Kellermann. “And these methods will only expand in 2021 – we expect to see triple and quadruple extortion attacks this year.”
Defender Behaviour: How security teams have adapted – and what they need to know for 2021
Adapting to a new threat landscape
Forced to combat increasingly sophisticated attacks – in a remote-work environment, no less – defenders have stepped up their game. Eighty-one per cent of respondents now have a threat hunting program in place. This represents a vital mindset shift, wherein companies and security leaders aren’t merely defending potential breaches – but assuming there is already a breach to uncover.
“Organisations recognise security tools won’t tell them everything,” Foss explains. “You need human beings to manually go through the information being collected to proactively look for clues and anomalies.”
Now, it’s just a matter of what those threat hunts consist of and how often they’re conducted (VMware cybersecurity strategists recommend doing so on at least a weekly basis).
2021 security priorities and investments
In the wake of the SolarWinds breach and the move to cloud environments, it’s no surprise that security for trusted third parties/supply chain is the number one security priority for organisations in 2021. This was followed by remote access security (24%), network and endpoint security (22%), identity and access controls (21%), and hardware/physical devices security (9%).
This year, we will see security budgets activated to address these priorities. When asked which security solution their organisation planned to invest the most in for 2021, respondents shared network security (27%), cloud security (20%), endpoint security (17%), data protection (16%) and managed security services (12%).
Rethinking the security stack
There’s no doubt about it: 2020 – and the vulnerabilities brought on by COVID-19 served as a catalyst for yet another evolution in the sophistication and severity of cyberattacks. As organisations continue to migrate to public and private cloud networks, support “work from anywhere” environments, and fast track digital transformation efforts, we shouldn’t expect the surge of attacks to slow down anytime soon.
On the bright side, the pandemic has served as a wakeup call for security leaders as an opportunity to rethink their full security stack. In 2021, organisations will need the right mindset, investment, and platforms to stay one step ahead of attackers.
So, what are some of the best practices for security teams to fight back in 2021? Stayed tuned for the next blog in this series with expert advice from The Howlers.