2021 was quite a successful year for cybercriminals. PetitPotam, Log4j, and many other vulnerabilities enabled attackers to deploy malware, take over systems, or steal data. Whether small or large, public or private sector, well or ill-prepared – organizations of all kinds and sizes were affected. In short: anyone can fall victim to a cybersecurity incident. Blue teams, system administrators, and security officers sometimes worked day and night to repel attacks, update systems, and continually raise the level of their own IT security. Nonetheless, some attacks are discovered only too late or not at all. The situation remains tense.
"Hello, Dave. I think we may be on to an explanation of the trouble with the HAL 9000 computer. We believe it started months ago when you and Frank interrogated the computer about the Mission."
In summary, we can say that 2021 was an odyssey with many shock moments from an IT security perspective. And the odyssey wasn’t over at the end of 2021; it is set to continue in 2022.
The odyssey continues
Let’s take a look at the IT security trends that 2022 has in store for us, how we can influence our odyssey, and whether it might represent more than a resurrection of existing topics.
Attacks on identities
As a logical consequence of the transition from on-premises infrastructure to cloud services, attackers are targeting identities more than ever before.
They are using attack vectors like phishing and smishing to obtain login credentials. In these scenarios, attackers send e-mails or messenger texts claiming that the targeted user urgently needs to change their login information or enter it again. A variety of pretexts are used, such as an allegedly expired password or instructions from a superior.
These e-mails and messages can sometimes hardly be distinguished from the real thing and when the hyperlink they contain is clicked, the victim is sent to a fake website. Any login credentials entered there are immediately sent to the attacker’s server, and the identity theft is complete.
In addition to phishing and smishing, credential stuffing is another popular attack vector. In this approach, lists of user names and passwords obtained from prior breaches are replayed in automated login attempts in order to gain unauthorized access to user accounts at other sites. This type of attack is a real threat, because most people tend to be lazy when it comes to passwords: they reuse the same password for multiple sites, and the user account name is often simply the e-mail address. This laziness makes it easy for criminals and other players to gain access to more systems and multiply the impact of their attacks.
Attacks on supply chains
Attackers are increasingly targeting digital supply chains as well. The objective of such attacks is to infiltrate or disrupt the main target through third parties. The motto here: the chain is only as strong as its weakest link. Most supply chain attacks are targeted and start with the most vulnerable link in the chain.
After they successfully compromise a third party, the attackers try to cause further damage by disrupting processes and dependencies or by exploiting access paths to other participants in the supply chain. What’s more, supply chain attacks aren’t just limited to organizations and their suppliers; they can also play a major role in the world of software, for example.
Modern software consists of a variety of code libraries. The combination of these code libraries forms the supply chain of a software solution. If malware is injected into one of these libraries, an attack is successful and the attackers can do further damage.
Attacks on supply chains are so effective because every link trusts every other link in the chain. This position of trust makes things simple for attackers, because once they have compromised one link, they enjoy the trust of the other members.
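The paragraphs above describe software built from many code libraries and the implicit trust between links of the chain. One concrete countermeasure is to stop trusting a downloaded library implicitly and instead verify it against a hash that was pinned when the library was reviewed. The following is an added example, not code from the original article or from any particular build tool; the library contents, the manifest name PINNED and the verdict strings are constructed for illustration, and a real build system would store the pinned hashes in its lockfile.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for downloaded library archives: the build that was
# reviewed, a copy into which extra code was injected somewhere in the chain,
# and a library that nobody has reviewed at all.
REVIEWED_LIB = b"def add(a, b):\n    return a + b\n"
INJECTED_LIB = b"def add(a, b):\n    # injected: not part of the reviewed release\n    return a + b\n"
UNREVIEWED_LIB = b"def mul(a, b):\n    return a * b\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical pinned manifest (a lockfile plays this role in real build systems):
# library name -> hash of the artifact that was reviewed and approved.
PINNED: Dict[str, str] = {"mathlib-1.0": sha256_hex(REVIEWED_LIB)}


def verify_artifacts(artifacts: Dict[str, bytes], pinned: Dict[str, str]) -> Dict[str, str]:
    """Return a verdict per artifact: 'ok', 'tampered' or 'unpinned'.

    'unpinned' counts as a failure too: a dependency nobody reviewed must not be
    pulled in silently just because no hash exists for it yet.
    """
    verdicts: Dict[str, str] = {}
    for name, data in artifacts.items():
        expected = pinned.get(name)
        if expected is None:
            verdicts[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(data), expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"
    return verdicts


def install_allowed(verdicts: Dict[str, str]) -> bool:
    """The build may proceed only when every artifact matched its pinned hash."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    # Constructed download sets: a clean one and one with a modified library.
    clean = {"mathlib-1.0": REVIEWED_LIB}
    poisoned = {"mathlib-1.0": INJECTED_LIB, "extra-0.1": UNREVIEWED_LIB}
    for downloads in (clean, poisoned):
        verdicts = verify_artifacts(downloads, PINNED)
        print(verdicts, "-> install allowed:", install_allowed(verdicts))
```

The check deliberately fails closed: a single tampered or unpinned library blocks the whole build, because once an attacker's code runs inside the build it inherits the trust of every other component.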
Ransomware
This type of cyberattack has plagued the industry for ages. Ransomware attacks all follow the same general methodology: malware is injected, encrypts systems, and spreads across a variety of IT systems and communication channels within an organization.
After its systems have been encrypted, the organization is prompted to pay a ransom (usually in cryptocurrency) to “release” its data. Ransomware has been an increasing occurrence, in various versions, since around 2005 (source: BSI). The most well-known wave is probably WannaCry (2017), which encrypted more than 200,000 Windows installations in over 150 countries. WannaCry was a worm that spread automatically. The injection vector was a vulnerability in Microsoft’s operating system.
Aside from these trends, developments in artificial intelligence and cloud computing are expanding potential attack vectors (deepfakes, for example) and opening up new opportunities for criminals and other players. Cybercrime-as-a-service offerings are proliferating and DDoS attacks will continue to be a problem.
"Stop, Dave. Stop, Dave. I am afraid. I am afraid, Dave."
– HAL 9000
2022 will continue to make our odyssey difficult! Cyberattacks will continue to pose significant risks to organizations. All too often, the attack targets and vectors described above are deployed in combination with one another, or even as part of a more concentrated campaign.
This makes it all the more important to consider how organizations can respond to these increasing threats.
When answering this question, it is important to remember that there is no such thing as 100% protection. Anyone who claims the contrary is either lying or doesn’t know what they’re talking about. It is essential to have effective risk management, to assess the situation and potential attack vectors and develop appropriate countermeasures.
Nonetheless, you can take some general measures and implement measures to prepare yourself for the new year and minimize risks.
In 2022, the most important tools are still awareness and education of the people behind the IT systems. Raising awareness and promoting understanding of the processes, types of attacks, and protective mechanisms can help to prevent a majority of attacks. Both of these measures will help ensure that vulnerabilities are identified and rectified and that login credentials are better protected.
In addition to awareness and organizational measures, technological approaches – such as building a zero-trust infrastructure and implementing a SIEM to identify suspicious behavior – can also help.
Multi-factor authentication (which should ALWAYS be active anyway) and risk-based authentication and authorization can help to protect identities.
Zero trust
Zero trust is a security concept under which EVERYTHING and EVERYONE is distrusted by default. There is no differentiation between internal and external services, systems, and components: everything and everyone has to be authenticated and pass every check. This model protects against internal risks as well as external attacks.
The core components of a zero-trust model are encryption, authentication, and access permissions, along with checks of all communications.
SIEM – Security Information and Event Management
SIEM solutions make it possible to bring information and events together in a single solution, where they are correlated with one another so that suspicious activities can be identified based on defined patterns. In addition to pattern recognition, which all SIEM systems can now perform, some systems can also be enriched through cloud and AI mechanisms. This makes it possible to identify even complex attacks and to have a system that learns and improves automatically.
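The credential stuffing attack described earlier and the SIEM's pattern-based detection described here meet in one rule: a single source address that tries many different accounts within a short window. The following is an added example, not code from the original article or from any SIEM product. The log format, the field names, the window of 5 minutes and the threshold of 5 distinct accounts are constructed assumptions; the sample lines are constructed as well, including one malformed line that the parser must skip.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines in a hypothetical authentication-log schema
# (timestamp, outcome, account, source address). 198.51.100.4 is a normal user
# mistyping a password; 203.0.113.7 walks a leaked user/password list.
SAMPLE_LOG = """
2022-01-10T08:00:01Z auth result=fail user=alice@example.com src=198.51.100.4
2022-01-10T08:00:20Z auth result=fail user=alice@example.com src=198.51.100.4
2022-01-10T08:00:45Z auth result=ok user=alice@example.com src=198.51.100.4
2022-01-10T08:01:00Z auth result=fail user=bob@example.com src=203.0.113.7
2022-01-10T08:01:02Z auth result=fail user=carol@example.com src=203.0.113.7
2022-01-10T08:01:04Z auth result=fail user=dave@example.com src=203.0.113.7
2022-01-10T08:01:06Z auth result=ok user=frank@example.com src=203.0.113.7
2022-01-10T08:01:08Z auth result=fail user=grace@example.com src=203.0.113.7
2022-01-10T08:01:10Z auth result=fail user=heidi@example.com src=203.0.113.7
this line is not an auth event
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines: List[str]) -> List[Dict]:
    """Turn raw lines into event dicts, dropping anything that does not match the schema."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events: List[Dict],
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5) -> List[Dict]:
    """Flag a source address that tries many *different* accounts within one window.

    A legitimate user mistyping a password hits one account from one address; a
    stuffing tool walks a leaked list, so the tell-tale is the number of distinct
    accounts per source, not the number of failures.
    """
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best = None  # (distinct accounts, window start index, window end index)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward in time
            distinct = len({e["user"] for e in evs[start:end + 1]})
            if best is None or distinct > best[0]:
                best = (distinct, start, end)
        if best is not None and best[0] >= min_distinct_users:
            window_evs = evs[best[1]:best[2] + 1]
            alerts.append({
                "src": src,
                "distinct_users": best[0],
                "attempts": len(window_evs),
                # Accounts where a stolen password actually worked: these need a
                # forced reset, not just a blocked address.
                "successful_logins": sorted({e["user"] for e in window_evs if e["result"] == "ok"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse(SAMPLE_LOG)):
        print(alert)
```

The successful_logins field is the part a responder cares about most: blocking the address stops the tool, but every account it logged into already has a password that is known to the attacker.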
Risk-based authentication and authorization
Risk-based authentication and authorization enriches the classic login and authentication process with an assessment based on several criteria. In this approach, when authentication is requested, a variety of parameters are first queried, such as location, IP address, device, and others. A risk level is then derived from the combination of these parameters, which in turn decides whether authentication succeeds and which accesses are allowed. Information can also be sent to the administrative unit. Through this method, even if login data is stolen, access can be prevented and the theft can be recognized.
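The paragraph above describes the mechanism in the abstract; the following is an added example of such a risk assessment, not code from the original article or from any identity product. The signals (device, country, usual hours, a denylisted address, and an "impossible travel" check against the previous login), their weights and the two decision thresholds are illustrative assumptions; the profile and the three login attempts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed denylist of source addresses (stands in for a threat-intel feed).
DENYLISTED_IPS = {"203.0.113.7"}


@dataclass
class UserProfile:
    known_devices: Set[str]
    known_countries: Set[str]
    usual_hours: range                           # UTC hours this user normally logs in
    last_login: Optional[Tuple[datetime, str]]   # (time, country) of the previous login


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    src_ip: str
    at: datetime


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up weighted signals. The weights are illustrative, not a standard."""
    score = 0
    reasons: List[str] = []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.known_countries:
        score += 25
        reasons.append("new country")
    if attempt.at.hour not in profile.usual_hours:
        score += 15
        reasons.append("outside usual hours")
    if attempt.src_ip in DENYLISTED_IPS:
        score += 40
        reasons.append("source IP on denylist")
    if profile.last_login is not None:
        last_at, last_country = profile.last_login
        # Two countries within two hours: the person cannot have travelled that fast.
        if last_country != attempt.country and abs(attempt.at - last_at) < timedelta(hours=2):
            score += 40
            reasons.append("impossible travel")
    return score, reasons


def decide(score: int) -> str:
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up-mfa"        # password alone is not enough for this attempt
    return "deny-and-notify"        # block and raise it with the administrators


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(attempt, profile)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Constructed profile: alice works from Germany on one laptop during office hours.
    alice = UserProfile({"laptop-1"}, {"DE"}, range(7, 19), (datetime(2022, 1, 10, 8, 45), "DE"))
    attempts = [
        LoginAttempt("alice", "laptop-1", "DE", "198.51.100.4", datetime(2022, 1, 10, 10, 0)),
        LoginAttempt("alice", "phone-9", "DE", "198.51.100.4", datetime(2022, 1, 10, 12, 0)),
        # Correct password, but everything else is wrong: stolen credentials in use.
        LoginAttempt("alice", "unknown-x", "US", "203.0.113.7", datetime(2022, 1, 10, 9, 30)),
    ]
    for a in attempts:
        print(a.device_id, a.country, "->", evaluate(a, alice))
```

The third attempt is the case the paragraph describes: the password is correct, yet the combination of signals pushes the score past the denial threshold, so the stolen credentials are useless and the administrators learn that they were stolen.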
MFA – Multi-factor authentication
It’s the year 2022 and we’ve been on this odyssey for ages. So I won’t bore you with the details of what MFA is and why it should always be active. Seriously, it’s 2022!
"My God, it's full of stars."
2022 will continue to challenge us and we will still be far from our goal of achieving comprehensive protection against all forms of cybercrime. The potential threats are endless and our cyberspace odyssey will probably never end. But we’ll continue to do our best for you and we’ll always be here for you! Keep an eye on the trends for 2022 and STAY SAFE!
Author: Dominic Iselt, IT Security Engineering Expert