In many ways, 2021 ended in much the same way it started: On a near-weekly basis, cybersecurity companies announced new exploits and urged customers to patch immediately. Meanwhile, disruptive attacks, nation-state campaigns, and cybercriminal activity seemed as prevalent as ever.
On Dec. 10, various security agencies and analysts (both in the U.S. and overseas) warned about a critical flaw in Log4j, a Java-based logging utility that is part of Apache Logging Services and is used in multiple applications. Within a few days of discovery and disclosure, the U.S. Cybersecurity and Infrastructure Security Agency issued a warning that federal agencies must fix this bug, as threat actors had rapidly begun exploiting it for various purposes.
At about the same time, security researchers such as Advanced Intelligence noted that ransomware gangs (in this instance, a notorious group called Conti) were actively using the Log4j bug to distribute their crypto-locking malware.
The Log4j vulnerability serves as a useful illustration of not only how cybercrime and other threats developed in 2021, but where the security industry is headed over the next 12 months. This includes the continuing concerns over COVID-19 and how the pandemic continues to change the way employees work, adding to overall cybersecurity concerns.
“The unifying element behind the major cyberattacks we saw in 2021 was that they directly targeted people, requiring some form of human interaction by the victim—from clicking a link to entering credit card info—to succeed,” Lucia Milică, global resident CISO at security firm Proofpoint, told Dice. “People-centric attacks will continue in 2022 and likely cause even more damage as organizations struggle to protect hybrid workforces while dealing with a security skills gap made worse by the Great Resignation.”
With cybersecurity among the highest priorities for organizations both large and small, here is a look at three trends in cybercrime and other threats that will shape the next 12 months for IT and security professionals alike.
In a series of interviews, security experts noted that ransomware remains the number one concern for their profession at the start of 2022. And while complete statistics are not yet available for 2021, the numbers we have suggest why ransomware remains a top threat.
In the FBI's Internet Crime Complaint Center report published in August, the bureau reported more than 2,080 ransomware complaints between January and July 31, 2021, a 62 percent year-over-year increase. Another study by the U.S. Treasury's Financial Crimes Enforcement Network found $590 million in financial activity related to ransomware in the first six months of 2021. (By comparison, there was a reported $460 million in ransomware-related financial activity for all of 2020.)
Throw in the critical organizations and government agencies targeted in 2021 (Colonial Pipeline, Kaseya, JBS, and Sinclair Broadcasting, to name a few) and the burden of these attacks is a big reason for concern in 2022.
“Ransomware has been working well for the bad guys for quite some time now, but in 2021, it established itself as a highly effective and lucrative criminal business model,” Casey Ellis, founder and CTO of bug bounty firm Bugcrowd, told Dice. “Just like any regular business, things that work tend to accelerate, receive investment and evolve, and we should expect to see a continuing acceleration in the adoption of ransomware tools by attackers, including the criminal enterprises funded—or shielded—by nation-states.”
Ellis noted that critical infrastructure, such as hospitals and healthcare facilities, will likely see increases in ransomware attacks in 2022, and this will require more investment in security tools and other preventative measures.
“The ransomware problem is particularly acute for the healthcare sector,” Ellis added. “Shutting down computer networks at hospitals and clinics can quickly spiral into a case of life or death for patients, and the increased awareness of healthcare's critical nature makes it an attractive target to hold to ransom. I hope this predicament will force providers to innovate by developing a new category of security solutions to disrupt the economics of ransomware.”
Others see the continuing growth of the ransomware-as-a-service model, which could have wide-ranging consequences for critical infrastructure, operational technology networks and organizations that rely heavily on Internet of Things (IoT) and other connected devices within their infrastructure.
“This method helps bad actors execute even quicker by using proven techniques to stage an attack, while efficiently outsourcing the backend commodity infrastructure to save time,” Bud Broomhead, CEO at security firm Viakoo, told Dice. “Organizations should pay more attention to not only critical services and systems supporting employees and customers, but also secondary systems that are less obvious prey. These systems may not contain sensitive data, but can inadvertently provide access to the more desirable targets.”
While the SolarWinds supply-chain attack was uncovered in December 2020, most of the investigation into this cyber incident (including the Biden administration accusing Russian intelligence of pulling it off) happened throughout 2021.
SolarWinds remains under investigation, and many of the details of what happened and the lasting damage the attack caused are still unknown, but the incident put supply chain security on the map. “Cybercriminals recognize there is still much work to be done for most organizations when it comes to securing their software supply chain—especially for organizations that haven’t been proactive about their cybersecurity from the beginning,” said Marten Mickos, the CEO of HackerOne. “This is because software supply chains are inherently complex and this complexity will only increase over time.”
John Hellickson, a cyber executive advisor at consulting firm Coalfire, noted how the presidential executive order on cybersecurity, especially those provisions related to how federal government agencies evaluate and buy third-party software, will affect how organizations handle supply-chain security in 2022.
“The expectation is that everything that is used within or can affect your software, such as open source, is understood, versions tracked, scrutinized for security issues and risks, assessed for vulnerabilities, and monitored, just as you do with any in-house developed code,” Hellickson told Dice. “This will have an impact on organizations that both consume and those who deliver software services. Considering this can be very manual and time-consuming, we could expect that third-party risk management teams will likely play a key role in developing programs to track and assess software supply chain security, especially considering they are usually the front line team who also receives inbound security questionnaires from their business partners.”
Talent Impact on Security
Several analysts and experts noted that their biggest concern for 2022 is not a specific type of attack, but organizations lacking the specific talent with the right type of skills to respond to various incidents, whether a data breach, ransomware attack or another type of threat.
For many, the Great Resignation trend that started in the summer of 2021 will continue to have a far-reaching effect in 2022, even for companies that have outsourced part of their cybersecurity to third parties. Organizations of all sizes still need specific IT and security talent in-house to ensure the infrastructure and networks are secure, said Tim Wade, the technical director of the CTO Team at Vectra.
“While managed security services will continue to grow in volume, a non-trivial subset of organizations will meet talent shortfalls with automation, orchestration and analyst-augmenting AI,” Wade told Dice. “They’ll recognize that outsourcing business context to an external entity can be exceptionally difficult, and a few well-equipped and supported internal resources can be more effective than an army of external resources.”
John Bambenek, a principal threat hunter at security firm Netenrich, noted that many organizations will likely have to rely on more automation of certain security functions in 2022, as finding talent will become more challenging, especially for smaller firms with smaller budgets and fewer hiring resources.
“Organizations will continue to face resource challenges as they look to fill existing and new IT positions,” Bambenek told Dice. “Ultimately, they will have to hire more people, rely on vendors for services, or invest in automation. The end state will likely be some form of all three. The work needs doing regardless of headcount, so allowing automation to handle the basic problems enables IT experts to focus and resolve the more critical issues. Companies can also focus on their IT workers’ well-being with balanced workloads to retain valued staff.”