Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
A Hacker's Predictions for 2021
By David "moose" Wolpoff, CTO and co-founder, Randori
While we cannot predict a precise sequence of events that will unfold in 2021, the ways in which attackers evolved in 2020 -- from the use of novel attack techniques to the targeting of new attack vectors -- provide a glimpse into where they will go next. The quick pivot to remote work forced organizations to adopt distributed and dynamic solutions, and alongside that, malicious adversaries evolved their techniques. As a red-teamer (now CTO of Randori) who has spent decades breaking into Fortune 500 companies, I know the chess moves both attackers and defenders will make.
As businesses continue to adapt to remote operations, security teams need a nuanced understanding of their attack surface. Knowing everything isn't helpful, but being able to separate the signal from the noise, and to identify priorities after understanding the attacker's perspective, is more critical than ever. In that spirit, I've put together this list of predictions on how malicious adversaries will evolve in their targeting of businesses, and how the long tail of events from 2020 stands to impact our national security:
1. Deep fakes and voice fakes come to the enterprise. In 2021, threat actors will move on from basic ransomware attacks and will weaponize stolen information about an executive or business to create fraudulent content for extortion. From deepfakes to voice fakes, this new type of attack will be believable to victims, and therefore effective. For example, imagine an attacker who has quietly joined a video conferencing system, silently records a board meeting, then manipulates that private recording so it contains false and damning statements which, if leaked, would create business chaos, and uses that to compel the business to pay up.
2. Ransomware evolves to enterprise extortion. Threat actors are evolving from high-volume/low-value attacks to high-value/low-volume attacks targeting businesses. Half of ransomware attacks already involve data exfiltration, and in 2021, cybercriminals will incorporate extortion by weaponizing the content they've stolen to compel their victim to action. Ransomware attacks will shift from "I've stolen all your data, now pay me" to "I'm going to extort your CEO with information I've found in the data I've stolen from you, and if you don't pay, we'll devalue your stock on Wall Street."
3. Cloud infrastructure ransom attacks. Threat actors are beginning to sift through exfiltrated data from ransomware attacks for high-value content, and their pot of gold? Cloud infrastructure credentials that could allow them to hold a company's infrastructure for ransom. It takes adversarial creativity, but the reward is high and the killchain is simple enough. Maybe they find keys in the data directly, or maybe the attacker can gain access to an app like Slack and find keys shared there. Maybe they go so far as to send spoofed messages to convince unwitting victims to share cloud login credentials (heads up, IT). With a little information and a bit of persistence, an attacker can turn their ransomware access into high-privilege AWS tokens, log into the cloud infrastructure and hold it for ransom. The threat of turning off the business with the click of a button is a highly effective extortion technique. Many CISOs don't know when and where highly privileged passwords and long-lived API keys have been recorded (in an old Slack message from two years ago?) -- this is a big risk for companies mid-cloud migration.
4. A skills gap crisis in the US government. Chris Krebs' unceremonious post-election ousting may be the proverbial sour cherry on top of the Trump administration's treatment of cybersecurity talent in the White House. Under the administration, turnover at the senior leadership level of the National Security Council was record-breaking, and we will witness the first downstream effects on our national cybersecurity capability in 2021. We're already seeing this skills gap exacerbating the effects of the SolarWinds breach. You frequently hear, after a company is attacked, that it happened because the company lacked cyber leadership. You need experts in-house to respond to such high-profile incidents. US national cyber policy and our global cybersecurity posture will take a hit, and at a tactical but crucial level, government hiring of cyber talent will stall. These will have a lasting impact on our cyber leadership that will take 10-20 years to correct.
5. Antitrust / anti-tech reckoning in 2021. Democratic institutions rely on common information and facts, which have been challenged in light of disinformation and misinformation proliferating across social platforms. With antitrust sentiment slowly taking over Washington, it's becoming more apparent that technology and social platforms are unregulated domains that have been damaging to truth and to the functioning of democratic processes. In 2021, I expect antitrust hearings to come about as a matter of national security, and the force of the government to be extended against social platforms and tech monopolies in the next year or so. Indeed, this process has already begun, as the FTC recently filed an antitrust suit seeking a permanent injunction against tech behemoth Facebook.
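The killchain in prediction 3 hinges on finding credentials in data that was never meant to hold them, and the defensive check is to sweep that data before the attacker does. The Python below is an added example (my own illustration, not code from the original article or from Randori): it scans a Slack-export-style message dump for the shapes an attacker would grep for -- long-term (AKIA...) and temporary (ASIA...) AWS access key IDs, a 40-character token sitting next to the word "secret", and PEM private-key blocks -- and reports how old each hit is, since a two-year-old paste of a long-term key is the finding to chase first. The message records and their channel/user/ts/text fields are a simplified, constructed stand-in for a real export; the AWS values are Amazon's documented placeholder credentials, not live keys.

```python
import re
import time

# Credential shapes an attacker sifting a chat export would look for.
# AWS access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-ish token near the word "secret" is the usual shape of an
# AWS secret access key; the bare token pattern alone is far too noisy to use.
AWS_SECRET_RE = re.compile(r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

# Constructed sample export (not real data). Timestamps are Slack-style epoch
# strings; the AWS key and secret are the documented AWS placeholder values.
SAMPLE_EXPORT = [
    {"channel": "infra", "user": "U01", "ts": "1545004800.000100",   # 2018-12-17
     "text": "quick fix for the deploy: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"channel": "infra", "user": "U02", "ts": "1607990400.000200",   # 2020-12-15
     "text": "temp creds for the incident bridge: ASIAABCDEFGHIJKLMNOP expires in 1h"},
    {"channel": "random", "user": "U03", "ts": "1607904000.000300",  # 2020-12-14
     "text": "lol my password is not AKIAEXAMPLE, that's too short to be real"},
    {"channel": "ops", "user": "U01", "ts": "1606608000.000400",     # 2020-11-29
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----"},
]


def redact(value: str) -> str:
    """Keep enough of a hit to triage it without re-leaking the credential in a report."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def find_cloud_secrets(messages, now_epoch=None):
    """Return one finding per credential-shaped hit, oldest first."""
    if now_epoch is None:
        now_epoch = int(time.time())
    findings = []
    for msg in messages:
        text = msg.get("text", "")
        # Truncate the fractional Slack timestamp so day arithmetic has no off-by-one.
        ts = int(float(msg.get("ts", "0")))
        age_days = (now_epoch - ts) // 86400
        hits = []
        for m in AWS_KEY_ID_RE.finditer(text):
            kind = ("aws_access_key_long_term" if m.group(1) == "AKIA"
                    else "aws_access_key_temporary")
            hits.append((kind, m.group(0)))
        for m in AWS_SECRET_RE.finditer(text):
            hits.append(("aws_secret_access_key", m.group(1)))
        if PRIVATE_KEY_RE.search(text):
            hits.append(("private_key_block", "PEM"))
        for kind, value in hits:
            findings.append({
                "kind": kind,
                "redacted": redact(value),
                "channel": msg.get("channel"),
                "user": msg.get("user"),
                "age_days": age_days,
            })
    # Oldest first: the "old Slack message from two years ago" is the one nobody rotated.
    findings.sort(key=lambda f: -f["age_days"])
    return findings


def stale_long_term_keys(findings, max_age_days=90):
    """Long-term IAM keys older than the rotation window: the likeliest still-valid leak."""
    return [f for f in findings
            if f["kind"] == "aws_access_key_long_term" and f["age_days"] > max_age_days]


if __name__ == "__main__":
    # Fixed "now" (2021-01-01 UTC) so the ages match the constructed timestamps.
    for f in find_cloud_secrets(SAMPLE_EXPORT, now_epoch=1609459200):
        print(f"{f['age_days']:>4}d  #{f['channel']:<7} {f['user']}  "
              f"{f['kind']:<26} {f['redacted']}")
```

Run the same sweep over any corpus a ransomware crew would exfiltrate (ticketing systems, wikis, CI logs, mailboxes); every long-term key it flags beyond your rotation window should be rotated before someone else finds it, and the ASIA hits tell you which teams are pasting STS tokens into chat in the first place.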
Obviously, these predictions do not represent a clairvoyant glimpse at a concrete future, nor will they necessarily come to pass as soon as the coming year. But each of them is the logical next step in a narrative we can observe playing out in real time, one that those of us in the security space have in fact been eyeing for a while.
While it may seem as though the last several years have been nothing but a steady decline into geopolitical and existential chaos -- and the villains have only tightened their grip on the throne -- remember that we are living in a digital wild west. The US has no comprehensive federal law restricting how data can be collected and stored, how surveillance can be conducted or how users must be protected. And just like in the real wild west, I assure you: new legislation, a brand new railroad and the cure for scurvy are on their way.
##
About the Author
David Wolpoff (moose) is co-founder and CTO of Randori. Moose's background is in digital forensics, vulnerability research, reverse engineering and embedded electronic design. Before Randori, Moose ran "Hacker on Retainer", where he conducted determined adversary attacks for clients (which turned into Randori once he decided to automate what his team was doing). Prior to that, he held executive positions at Kyrus Tech, a government defense contractor, and ManTech, where he oversaw teams conducting vulnerability research, forensics and offensive security efforts on behalf of government and commercial clients. Moose has a breadth of experience ranging from helping small start-ups develop novel products to establishing a forensics laboratory at a large defense firm.