The past two years have brought a significant amount of societal change, including the way we work. This shift in lifestyle to one that is largely digital also brought about a surge in cyberattacks, which rose in both frequency and complexity last year, with several threats causing concern among industry experts into 2022.
The cyberattacks are thoroughly explored in Cisco’s latest security report, “Defending Against Critical Threats: Analyzing Key Incident Trends,” released March 10. The report examines the most significant incidents in the last year and includes insights from Cisco cybersecurity experts and analysts.
Cisco also surveyed more than 190 security and technology leaders to understand the current threat landscape. Nearly two-thirds of the respondents said the complexity and volume of cybersecurity attacks had intensified in 2021, compared with 36% who said attacks stayed consistent with the previous year.
A significant portion of the report focuses on ransomware and how it has reached a critical level for some bad actors, which has resulted in more coordinated response from the government. Ransomware was identified as the top security concern for 2022 by 38% of the respondents, followed by zero-day or heretofore undiscovered vulnerabilities (29%), exploitation of internet-facing apps (16%), phishing attacks (14%) and unauthorized access to stolen credentials (4%).
Supply chain attacks, in particular, were identified as the most challenging types of ransomware organizations face today. Forty-three percent of the respondents who participated in Cisco’s survey said they experienced a supply chain attack in 2021. The report focuses on one particular ransomware attack in 2021 affecting the Colonial Pipeline’s gas supply on the East Coast. The incident took place when a previously infected network at Colonial Pipeline became encrypted and the company’s information technology network was compromised.
The attack put pressure on the government to respond quickly to ransomware activities. Without gas supply for an extended period of time, the U.S. economy would have been negatively impacted. According to Cisco threat hunters, supply chain is one of the hardest problems in security. By blocking the avenues that attackers use, organizations can make themselves more difficult to target and therefore less likely to fall victim to ransomware.
That’s in line with my anecdotal research that has found ransomware has completely run amok impacting every industry. It’s a very difficult problem to protect against, particularly for organizations with less sophisticated security teams. I recently spoke to a Florida-based hospital that now keeps a war chest of crypto on hand, with the sole use case being paying ransomware. This isn’t ideal, but for many organizations, it’s a last resort.
Last year, Cisco observed more than 20,000 common vulnerabilities and exposures or CVEs—that’s about 55 per day. Most security teams aren’t equipped to deal with so many CVEs on a daily basis or assess which vulnerabilities pose a risk to their environment. Cisco sees the size and scale of vulnerabilities increasing this year and estimates there will be more than 23,000 CVEs in 2022.
At the end of 2021, the Cisco Talos Incident Response team tackled one specific zero-day vulnerability called Log4j, which is a Java logging library with huge exposure. Log4j is expected to make further impact and has already been spotted in the VMWare Horizon exploit. Cisco offered advice to cybersecurity professionals and defenders currently dealing with Log4j and other zero-day threats. Since exploits related to vulnerabilities grow after a vulnerability has been disclosed, defenders should first be documenting what they know and then updating as much as they can.
Another big threat of 2021 was Emotet, first identified in 2015 as a banking trojan. Emotet evolved into a widely distributed threat that could access enterprise networks and it could become the biggest threat of 2022, according to Cisco. Defenders should be using a layered approach in identifying threats such as Emotet. Knowing where the weak links are in the network and applying security controls at those points is imperative. Additionally, using the latest threat intelligence can help identify the tactics used by threat actors.
A common misconception Cisco tackled in the report is that malware doesn’t affect macOS. But in 2021, this fallacy was disproven when a new type of macOS malware called McSnip Backdoor was uncovered. The malicious binary was impersonating a screenshot tool that could be downloaded from a website instead of Apple’s App Store. There is evidence of McSnip still being leveraged now. Cisco recommends tackling a rise in macOS malware through threat modeling and also looking for changes in behavior and patterns.
There is one other issue that poses security risks and comes from within organizations: security debt. It refers to using systems that are either depreciated or improperly maintained. Over time, this manifests as security risks and makes organizations targets for attackers. An overwhelming three-quarters of the survey respondents said they are dealing with security debt, and for 13% of the respondents, it’s a huge problem.
The good news is most cybersecurity professionals are carrying out regular incident response testing. Forty-one percent are testing their plans twice a year, while 29% are testing more than three times a year. In order to identify key vulnerabilities, Cisco recommends moving to a risk-based vulnerability management system. Additionally, organizations should have a good understanding of their attack surface and where they are most vulnerable, which involves both threat modeling and communicating across multiple teams.
The report highlights that legacy security models are no longer sufficient. Protecting the company border must give way to zero-trust security, which protects critical assets. Zero trust isolates systems, data and endpoints, so if a breach occurs, the “blast radius” is minimized. Historically, zero-trust and segmentation solutions before it were very difficult to configure, but current ones are more automated to make deployment easier.
Also, given the large number of employees that will continue to work at home at least one day a week, it’s imperative that companies adopt Secure Access Service Edge or security service edge to extend corporate threat protection into the home. Lastly, security pros must shed the thinking that perceived best-of-breed everywhere leads to best-in-class threat protection. It doesn’t.
In fact, one chief information security officer I recently interviewed told me that having too many vendors leads to inconsistent policies and blind spots, leaving the company open to back door breaches. Making the shift to a security platform is critical today.
Zeus Kerravala is a principal analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for SiliconANGLE.