The year 2021 has been described as a terrible period for cybersecurity, and experts are suggesting 2022 might even be worse. It is a common expectation in the security community that the attacks will escalate, become more aggressive, and evolve into forms that are more difficult to detect, block, and mitigate.
In view of the expectedly worsening cyber threat landscape, it greatly helps to be acquainted with the prevailing cybersecurity trends. These trends indicate the kind of measures or courses of action that are deemed effective in addressing problems. They guide organizations in making the necessary preparations to defend themselves and make sure they are resilient enough to handle attacks and to deal with new regulatory requirements.
Ransomware, social engineering, and insider threats dominate
In the World Economic Forum's Global Cybersecurity Outlook 2022 report, ransomware, social engineering, and malicious insider activity are identified as the cyber threats organizations are most concerned about. Around 80 percent of the respondents surveyed for the report said that ransomware is "a dangerous and evolving threat to public safety." Also, social engineering remains to be a significant threat because people continue to fall for the tricks and deceptive tactics of cyber-criminals. Meanwhile, malicious insiders appear inevitable, especially for organizations that do not implement trust-less systems.
The silver lining in all of these is that cybersecurity solutions have also improved significantly. Enterprise security solutions, in particular, have incorporated strategies that make them more effective in spotting and stopping threats. The rise of extended security posture management allows enterprises to significantly improve their ability to detect, identify, and mitigate cyber-attacks. By incorporating threat-informed techniques such as breach and attack simulation and advanced purple teaming, organizations more effectively catch adversarial actions and prevent serious consequences on their IT resources.
In addition to the advanced threat-aware security solutions, there is also collaboration in the cybersecurity community. Globally accessible resources like MITRE ATT&CK have been established to make the latest cyber threat information available to everyone in a timely and organized manner. The MITRE ATT&CK framework has been integrated into cybersecurity platforms to boost their effectiveness and efficiency in dealing with threats.
The continued rampancy of ransomware, social engineering, and insider threats means that enterprises have to equip themselves with better defenses and not settle with conventional security controls. There is no room for complacency. Businesses should be taking advantage of the new security solutions and strategies available
The next-gen supply chain attack rears its ugly head
The SolarWinds debacle was definitely not the end of the supply chain cyber threat. While it imparted lessons on how to avoid similar attacks, it was only a preview of the worse things to come. Cyber-criminals have no intention of taking a break from attempting to develop new ways to leverage third-party vendors and technologies in achieving their criminal goals.
Next-generation supply chain attacks have reportedly exploded by 650 percent in 2021. They are particularly taking advantage of the growing popularity of open-source codes and the tendency of open-source to have more identifiable vulnerabilities. This new breed of supply chain attacks, employs techniques that find their way upstream into the origins of the open-source code. Thus, they are more scalable and capable of distributing malware throughout the software supply chain faster and more widely.
Going upstream to compromise open-source code repositories is not new. This has been achieved before through methods like malicious code injection and typo squatting. In 2022, however, a relatively new attack vector is gaining traction. This is called dependency confusion, a method that attempts to deceive or misguide software installer scripts into pulling a malicious software package from a public repository.
In dependency confusion, the threat actors try to figure out the names of internal packages for a specific software provider’s application, so they can come up with their own malware-laced version of the package but with a higher version number. When organizations that use software development tools update their dependencies, they may end up automatically downloading a copy with malicious software embedded in it.
Enterprises need to be more careful with the software they are using. It is crucial to secure the software supply chain at all times and configure automated application updating tools to only obtain patches or updates from legitimate sources. Carelessness is not an option, as another incident similar to SolarWinds would indicate how serious enterprise-grade attacks can be.
Cybersecurity-related regulation intensifies
Because of the growing aggressiveness of cyber threat actors, it is not surprising that governments are stepping in. New mandatory notification regimes are being introduced in response to the serious attacks not only on businesses but also on government agencies and affiliated organizations.
Last year, data breach notification requirements were put in place to prevent the concealment of security incidents, particularly those that impact consumers or citizens. This year, more regulatory actions are expected to supplement compulsory disclosure laws, especially with regard to what details should be disclosed, the timing of the disclosure, and the required recipients of the security incident information.
In the United States, the Securities and Exchange Commission is proposing a 48-hour breach reporting requirement. The government agency also intends to establish rules that compel companies to have systematic records and divulgement of cybersecurity practices, risks, and incidents. Additionally, it seeks to require businesses to submit written information security plans and incident response plans.
Other countries are doing the same as they encounter serious cyber-attacks across the board. In the United Kingdom, for example, security incident reporting laws are set to be updated. Search engines, cloud computing service providers, as well as online marketplaces will reportedly be required to report major cybersecurity cases. In the European Union, strict guidelines on data breach notifications have already been implemented since 2021. These will likely be updated and tweaked in response to the changing dynamics in the threat landscape.
New regulations are an added burden to enterprises. Aside from the added tasks for the IT department, many companies want to avoid revealing anything about being the subject of a cyber-attack because of the possible reputational damage. However, legal requirements are an unavoidable reality businesses have to face. To prevent any negative reputational impact, it is important to have a solid enterprise security posture.
Adapting and adopting
With the new cybersecurity challenges in 2022, from both the cyber-crime and regulatory fronts, enterprises need to adapt while adopting new security solutions and processes (for record-keeping and reporting). It is not going to be easy, but it is important to face everything head-on with the understanding that compromises will lead to weaknesses that have serious consequences.