Headline-grabbing attacks such as SolarWinds, Kaseya, Colonial Pipeline, JBS Foods and the Log4j vulnerability kept infosec professionals on their toes all year long. Cybercriminals targeted supply chain, infrastructure and technology providers in the hope of causing as much chaos and damage as possible. We asked our CTO and Co-Founder, David Kennedy (@hackingdave), as well as our VP of Threat Hunting and Counterintelligence, Randy Pargman (@rpargman), to share their thoughts on what happened in 2021 and to offer advice to organizations on what to watch for on the threat landscape in 2022.
We started the year with SolarWinds and are ending with Log4j … what are the biggest takeaways from this year in terms of the large-scale threats and vulnerabilities we saw?
KENNEDY: The biggest takeaway is that attackers continue to progress their capabilities and figure out weaknesses within technology systems. We saw a larger emphasis this year on supply chain attacks and on going to a one-to-many style, which yielded more return on investment for adversaries. These types of attacks are not the traditional ones that our security programs build in from a threat-model perspective, and they can often go undetected for a long period of time. We saw ransomware groups leverage supply chain attacks, specifically with Kaseya, with the hopes of impacting more.
Log4j was an interesting one due to its prominence in other technologies. Instead of a simple fix, it was something that was embedded deep in the code of a lot of third-party applications and technology.
I think what 2021 demonstrated is that we will continue to be surprised at various attacks.
PARGMAN: I echo Dave’s statement in that nobody can predict where the next big vulnerability will be found, but everyone can be prepared to deal with it when it becomes known. All the hard work of monitoring network and endpoint events, keeping hardware and software inventories up to date, and constantly testing and refining security policies will pay great dividends when it counts most: keeping your organization on solid footing while others are knocked down by the crisis. When your security posture is strong and well organized, you will be able to answer the most important questions immediately:
- Which assets are affected and how exposed are they?
- Have any of the vulnerable systems already been exploited?
- What actions has the attacker taken?
Although it’s uncomfortable to have to track down and evict an intruder that you know about, it’s much less stressful than being in the dark while the attacker is calling all the shots. Preparation and the “boring” everyday work of security make all the difference in giving you the upper hand when it matters.
What do you think we’ll see in 2022? Anything new that organizations should watch and prepare for?
PARGMAN: Ransomware is big (criminal) business and still growing. We’re likely to see more collaboration between criminal groups in the underground service economy. More crimeware services will be offered to lower the barrier to entry and allow even more would-be criminals to participate.
The good news is that we have even greater opportunities to collaborate among the security community and make it much harder for criminals to succeed. Sharing knowledge and supporting each other with opportunities to sharpen our security skills are keys to winning.
KENNEDY: Supply chain is still my number one fear, the thing that keeps me up at night. Trusting third parties is our trust model for any business and organization. We don’t develop our own operating systems, and often don’t develop applications or other components of technology. We rely every day on these third parties as a major mechanism for security. These are largely out of our control, and it’s not as if we can avoid using third parties. It’ll be interesting to see what happens in 2022 around these areas.
We’ll continue to see advancements from ransomware groups unless serious geopolitical ramifications occur and we hold countries accountable for harboring these groups. The capabilities of ransomware groups will continue to expand, and security programs need to remain dynamic in nature to handle them.
What advice can you give to companies on what they should prioritize in 2022 to stay out of the crosshairs of an attack?
KENNEDY: Focus on “what if an attacker is successful.” What does that look like in your organization? What are the patterns commonly used to attack an organization and spread laterally, and how do you identify those? Regardless of whether it’s a supply chain attack, ransomware attack, nation-state attack, or anything else, the attackers still need to move from system to system to meet their objectives. These techniques aren’t secret sauce and are often easy to spot if you are looking for them.
While you continue to bolster your defenses, continue to expand your visibility into your infrastructure and cloud, with the ability to look for unusual behavior and common attacks within your organization so you can spot these earlier in an attack rather than weeks or months later.
PARGMAN: Every successful company is always in the crosshairs of the next attack attempt, but those who recognize that can be prepared to win. Invest in people first, and trust the people on your team to choose the right tools they need to support their work. If you ask any CISO or security leader what would make the biggest difference in their team’s effectiveness, they will tell you that they need more skilled people, and that’s exactly right. Whether it’s more employees, partnering with a service provider, or both, having the right people on your side is the most important factor to succeeding against even the most determined and well-funded attackers.