#IMOS21: Global Threat Brief – The Most Dangerous Attack Techniques in 2021
During Infosecurity Magazine’s North American Online Summit, editorial director Eleanor Dallaway moderated a session dedicated to the most dangerous attack techniques in 2021. In her opening statement, she stated that the last two years have seen a huge amount of change and evolution, and cyber attack vectors and attack techniques have been no exception.
Dallaway was joined by an expert panel including Brad LaPorte, partner of High Tide Advisors, Miranda Richie, director of cyber threat operations at Orbia; and Michael F.D. Anaya, head of attack surface analysis, Palo Alto Networks & ex-cyber special agent, FBI.
Cyber Attacks and COVID-19
The opening question of the Q&A concerned the speed of cyber-attacks changing in the context of COVID-19. LaPorte brought up that crimeware-as-a-service (CaaS) has become widespread. He pointed out that around 2018, criminals changed their hacking approach. In effect, cyber-criminals have become managed service providers. The attack surface is now “everywhere” because of hybrid work models. Moreover, cyber-threat groups are more extensive and can now make a lot of money. Anaya responded to the question by stating that criminals will always find new opportunities. Phishing is still a big thing; it is easy to execute and will not disappear anytime soon, he noted. Richie raised the topic of initial access brokers, who she claims are enjoying rich pickings amid the COVID-19 chaos. LaPorte points out that alongside crime-as-a-service, DDoS-as-a-service and ransomware-as-a-service have become very popular during the pandemic. Additionally, hacker groups can easily break into companies and then sell the keys to the highest bidder.
Anaya, agreeing with the points raised by the other two panelists, emphasized that while it’s true that threats are also evolving because of the amount of information sharing on the dark web, it’s also happening on open forums. At this stage, Richie asks Anaya whether this typically goes beyond collaborative efforts. What about the mafia? Anaya claimed that it is hard for law enforcement to obtain the identities of threat actors because of the factor of anonymity.
Threat Actors and Competition
The second question concerned whether there is an ostensible competition between threats actors? Anaya gave a succinct response, claiming that, unlike most organizations that struggle to share information because of legal barriers, there are no obvious barriers between threat actors. However, this is something that needs to change, according to Anaya, because organizations must share information more freely and effectively.
“International hacker networks, nation-states and gangs are all collaborating”Brad LaPorte
Threat Actors Working Together
Dallaway shifted the question to the topic of money and how threats actors work together. LaPorte responded, stating that it makes sense to work together if no person’s wallet is affected. If people do not believe that threat actors are working together, people need to “wake up,” he said, adding that international hacker networks, nation-states and gangs are all collaborating.
The first audience poll asked viewers which of the following attack techniques do they consider to be the most dangerous. The results were as follows:
Supply chain attack (46%)
DDoS as a ransom (26%)
API attacks (12%)
The conversation shifted at this stage when Dallaway raised the question of ransomware-as-a-service. To this question, Richie explained what ransomware-as-a-service is while emphasizing the rise of double-extortion techniques, particularly exfiltration and encryption. Anaya emphasized that when publicly sharing information when an organization is a victim of a ransomware attack, there is no regulation to force an organization to disclose it publically. LaPorte drew attention to 2018 when one third of ransomware victims would report an attack. However, in 2021 that number has shrunk to 13%. Unfortunately, even the FBI doesn’t have relevant information since many organizations don’t come forward.
Off the back of this point, Dallaway asked whether fewer people are paying up. LaPorte contended that cyber-attacks are increasing in frequency, but also ransom demands are increasing. Essentially, attacks are still happening. Worryingly, hackers will look at other ways to get organizations to pay. Moreover, the costs associated with breaches are also increasing. Miranda Ritchie questioned whether authorities are going after the attackers en masse.
Michael F.D. Anaya argued that the FBI was trying to identify threat actors, but the task was very complicated since attackers are notoriously hard to identify
To this previous point, Anaya replied that the FBI was trying like other government departments, but the task was very complicated: he contended that attackers are notoriously hard to identify. According to Anaya, there is a lot of delineation in the government, and the FBI is “siloed,” which presents various problems. LaPorte added that this gets more complicated when factoring in things like insurance. The best practice should be to share intel and to make the process “ubiquitous.” Here Anaya added that organizations could not achieve this without being empowered to share intel strategically so law-enforcement agencies can identify threat actors.
Dallaway shifted the conversation to a question posed by the audience regarding commodity malware, asking why cybersecurity experts do not place enough emphasis on this. Anaya replied to this point by asking to look at the most significant threat: commodity malware. Furthermore, this is what government entities are setting their sights on.
The results of the second poll, namely, which of the following attack techniques do voters consider to be the most dangerous, were:
Supply Chain Zero Day exploit (50%)
Cloud misconfiguration (26%)
Business email compromise (19%)
EPP/EDR bypass (3%)
Ransomware and Supply Chain Attacks
Dallaway raised another critical topic in the global threat landscape in light of the second poll results. Directing the question at Richie, Dallaway asked why voters likely picked ransomware and supply chain attacks as the most concerning threats. Richie highlighted that we should look at the Kaseya supply chain attack this year, which caused widespread downtime for over 1,000 companies. The SolarWinds attack this year is another example, which targeted US federal agencies and over 100 companies. Not only do they have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend. LaPorte emphasized remote code execution — if attackers can execute this effectively, they have significant power in their attacks.
“Ransomware and supply chain attacks not only have a huge impact on businesses, operationally and financially, but they are notoriously hard to detect and defend”Miranda Richie
Dallaway raised a question from the audience focusing on AI-based attacks. Since attackers are using AI to execute supply chain attacks, the question asked, must companies use AI to protect themselves effectively? LaPorte responded by pointing out that companies using AI will decrease work and costs. Moreover, AI-led detection and response are significantly effective at protecting organizations.
Anaya remarked that machine learning could assist businesses greatly since AI can learn patterns of “normal” behavior in an organization and detect and investigate anomalies. In response to this point, LaPorte claimed that studies show an 80% reduction in costs when organizations use both AI and automation. Richie added that the industry is well aware of SOC fatigue; AI can help automate the repetitive tasks SOCs typically tackle.
The penultimate question raised concerned the threats associated with cloud misconfiguration. Anaya responded that the MFA (multi-factor authentication) base isn’t rotated enough, presenting innumerable threats. Additionally, rotation isn’t a policy that organizations enforce enough. A follow-up point concerned EPP and EDRs being bypassed and zero-day exploits. LaPorte highlighted that attackers can, in effect, do various things on IoT without detection. Additionally, modern tech is an ever more complicated and increasing issue.
The result of the third poll, asking voters what 2022 will be the year of, revealed the following:
Who on earth knows?! (25%)
Zero trust (16%)
Data breaches (4%)
2022 Is the Year Of?
The final question was posed as a quick-fire round, asking what each panelist believed 2022 would be the year of. Richie believed 2022 to be when the lines between physical and digital will be blurred. Real-life examples include hospitals and pipelines. This trend, she argued, will increase. Anaya agreed with Richie, adding that there are three things that organizations can do here to protect themselves: 1) organize a dedicated team, 2) empower that team and 3) see cybersecurity as a critical cost. Finally, LaPorte wrapped up the commentary, stating that organizations can also protect themselves with ‘operational readiness.’
The session is now on-demand and can be viewed here.