FeatureSometimes the most impactful trends materialise completely out of the left field and we have all been reminded and humbled by this in 2020.
BeyondTrusts’ annual cybersecurity predictions are projections of possibilities we see emerging based on shifts in technology, threat actor habits, and culture. However, sometimes the most impactful trends materialise completely out of left field. We have all been reminded and humbled by this in 2020.
As machine learning becomes more widespread within enterprises for making automated decisions, attackers have a new vector to consider. After a threat actor steals a copy of the original training data, they will begin to manipulate the models generated by injecting poisoned data into the training pool, creating a system that has learned something it should not.
This manipulation will have a multiplying effect due to the automatic processing by downstream applications, destroying the integrity of any legitimately processed data. Accompanying this devious attack will be a ransom note to be paid to restore the original data models. This new form of ransomware will be notoriously difficult to detect, and almost insurmountable to recover from, which makes paying the ransom seem like an enticing option for the victim.
In 2021, threat actors will leverage machine learning ML to accelerate attacks on networks and systems. ML engines will be trained with data from successful attacks. This will allow the ML to identify patterns in the defenses to quickly pinpoint vulnerabilities that have been found in similar systems, environments.
Data from all subsequent attacks will be used to continue to train the cyberattack engine. This approach will allow attackers to zero in on entry points in environments far more quickly and stealthily as they will be targeting fewer vulnerabilities with each attack, evading tools that need a volume of activity to identify wrongdoing.
While deepfake videos, photos, and audio have entered public consciousness over the past few years, 2020 saw a drastic improvement in their quality and realism. There are now commercial products that leverage deepfake technology for everything from artificial intelligence-based voiceovers to enabling people actors, political figures, etc. to appear in new videos and movies.
Deepfakes are already convincing to most humans. However, in 2021, researchers, companies, and threat actors are not stopping with deepfaked videos, photos, and audio. Expect to encounter a new wave of deepfakes that challenges us to believe whether the entity on the other side of an interactive chat window or video call is human or not.
For instance, you could soon have interactive sessions with past presidents, or even deceased love ones. Deepfakes will creep into our daily lives. We will increasingly be in situations, unbeknownst to us, where we are engaged in communication with deepfake technology rather than with a real person.
In 2020, we have witnessed the explosive expansion of the network edge and continued decentralisation. The seismic shift to remote working spurred by COVID-19 was a key driver of this trend. Remote workers are clearly more relaxed operating in the comfort of home. However, this casualness can leave them more prone to letting their cybersecurity guard down. This laxness in security could not come at a worse time as cybercriminals have ramped up social engineering and ransomware attacks.
Home-based employees are also more likely to use personal devices and home networks that are not hardened to the same degree as corporate devices and networks. We now have systems behind consumer network infrastructure that is, in many cases, not even being configured away from defaults.
In 2021, new attack vectors will target remote workers and remote access pathways. In 2020, we learned that not even the era of social physical distancing can slow down social engineering threats. Cybercriminals will continue to wage social engineering attacks and also try to exploit common home devices that can be used to compromise an individual and allow for lateral movement into a business.
Social engineering attacks will primarily involve various forms of phishing, including by email, voice, text, instant messaging, and even third-party applications. Organisations should also not overlook the threat of disgruntled insiders who feel less observed in their own homes.
The increase in drive-by and opportunist attacks seeking to exploit home networks will necessitate heightened attention to securing systems independently, away from continuous corporate connectivity. With all that said, we foresee remote workers to reign as the number one attack vector for exploitation in 2021.
In 2020, the European Union, EU court system overturned the governance for protection provided by the EU-US, United States Privacy Shield. Prior to the court ruling, the agreement had allowed for the transfer of data containing personally identifiable information between EU and US organisations.
The 2020 ruling essentially eroded the agreement for businesses to operate in either region and share relevant information. This regulatory implosion will impact data privacy based on region, country, and state. Throughout 2021, businesses will scramble to adapt to this expansion of data privacy regulations and the potential implosion of established policies based on challenges in the court systems.
International businesses will have to adapt quickly to reengineer how they process client data. Businesses that operate in multiple states must consider how they manage data per state, process it in a centralised location, and codify how they develop procedures around data deletion and breach notification.
Social media has proven to be a medium of choice for election tampering, fake news, and other attacks. In 2021, expect attackers to move beyond just targeting individuals to targeting businesses as well. Poor authentication and verification practices will allow social media-based attacks to be successful.
For example, a threat actor’s post about hosting a webinar or announcing a new product may mimic that of a legitimate business. However, the illicit registration URL may instead lead to a malicious website to perform a drive by attack, collect personally identifiable information, or even request credentials in an attempt to compromise multifactor authentication solutions.
Malicious QR codes or abbreviated URL’s could also be employed to obfuscate the malicious website These attacks could either occur on the legitimate page of the business itself, or via rogue accounts using similar names. Since the social media controls around posting, verification, and URL redirection are so poorly managed, expect new attacks to flourish.
As the volume and cost of breaches increase, organisations processing data on behalf of their customers will be forced to carry comprehensive cyber insurance to reduce any contractual risks. Naturally, this will come with a cost to the organisation, but it also will provide attackers a new stream of income. Cybercriminals will target large brands with insurance policies that will pay out to release stolen data rather than face paying out on the policy to cover any remedial action.
The majority of successful attacks still hinge on exploiting well-known and entirely preventable vulnerabilities. While some of the vulnerabilities may be relatively new, there is usually plenty of time to address them before compromise occurs. If you cannot get on top of your vulnerabilities, layer your security so that attackers find themselves without access to privilege when they do infiltrate your network. An exploitable vulnerability is a problem, but considerably less so when it does not lead to privileged access.
Every year we say it, but every year it is worth saying again: being prepared for what is ahead makes all the difference between being proactive and reactive. There is copious data showing that those enterprises with more proactive IT security postures prevent more threats, identify potential security issues faster, incur fewer breaches, and minimise damage from attacks more effectively than less prepared organisations.
