Scenario #4 When cybercriminals and shady governments collaborate to wreak extortion havoc

John Fokker, Head of Cyber Investigations, McAfee Advanced Threat Research: In McAfee’s 2019 threat predictions report, we predicted cybercriminals would partner more closely to boost threats; over the course of the year, we observed exactly that. Ransomware groups used pre-infected machines from other malware campaigns, or used remote desktop protocol (RDP) as an initial launch point for their campaign. 

These types of attacks required collaboration between groups. This partnership drove efficient, targeted attacks which increased profitability and caused more economic damage. In fact, Europol’s Internet Organized Crime Threat Assessment (IOCTA) named ransomware the top threat that companies, consumers and the public sector faced in 2019.

Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims even more moving forward. The rise of targeted ransomware created a growing demand for compromised corporate networks. This demand is met by criminals who specialize in penetrating corporate networks and sell complete network access in one go.

For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.

During our research on Sodinokibi, we observed two-stage attacks, with cryptocurrency miners installed before an actual ransomware attack took place. For 2020, we predict that cybercriminals will increasingly exfiltrate sensitive corporate information prior to a targeted ransomware attack to sell the stolen data online or to extort the victim and increase monetization.

Jeff Hurmuses, Area Vice President and Managing Director, Asia Pacific, Malwarebytes: Ransomware attacks on businesses and governments will continue at a more rapid pace, thanks to newly found vulnerabilities. In 2019, we have seen more malware developed to target businesses instead of consumers. Compared to last year, we saw a 235% increase in threats aimed at organizations from enterprises to small businesses, with ransomware as a major contributor.

Bottom line: more vulnerabilities mean more development of malicious tools designed to attack networks more effectively. Therefore, we are likely to see more non-affiliated cybercriminals utilizing tricks developed by state-sponsored malware groups (Advanced Persistent Threats) as we did with EternalBlue.

Scenario #5 APIs exposed as weakest link leading to cloud-native threats

APIs are an essential tool in today’s app ecosystem including cloud environments, IoT, microservices, mobile, and Web-based customer-client communications. Dependence on APIs will further accelerate with a growing ecosystem of cloud applications built as reusable components for back-office automation (such as with Robotic Process Automation) and growth in the ecosystem of applications that leverage APIs of cloud services such as Office 365 and Salesforce.

Sekhar Sarukkai, Co-Founder, Skyhigh Networks: A recent study showed that more than three in four organizations treat API security differently from web app security, indicating API security readiness lags behind other aspects of application security. The study also showed that more than two-thirds of organizations expose APIs to the public to enable partners and external developers to tap into their software platforms and app ecosystems.

Threat actors are following the growing number of organizations using API-enabled apps because APIs continue to be an easy – and vulnerable – means to access a treasure trove of sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often still reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorization and authentication functions, excessive data exposure, and a failure to focus on rate limiting and resource limiting attacks. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.

Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer, messaging, financial processes, and others, adding to the hundreds of millions of transactions and user profiles that have been scraped in the past two years. The increasing need and hurried pace of organizations adopting APIs for their applications in 2020 will expose API security as the weakest link leading to cloud-native threats, putting user privacy and data at risk until security strategies mature.

Organizations seeking improvement in their API security strategy should pursue a more complete understanding of their Cloud Service APIs through comprehensive discovery across SaaS, PaaS and IaaS environments, implement policy-based authorization, and explore User and Entity Behavior Analytics (UEBA) technology to detect anomalous access patterns.
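As an added illustration of the vulnerability classes named above (broken object-level authorization, excessive data exposure, missing rate limiting), this Python handler shows a leaky endpoint beside a hardened one. It is example code, not from the cited study or any vendor; the user records, field allow-lists and limits are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed sample datastore: the full record as the backend stores it.
USERS = {
    "u1": {"id": "u1", "name": "Ada", "email": "ada@example.test",
           "password_hash": "<hash>", "ssn": "000-00-0000"},
    "u2": {"id": "u2", "name": "Bob", "email": "bob@example.test",
           "password_hash": "<hash>", "ssn": "111-11-1111"},
}

def get_user_vulnerable(caller_id, target_id):
    """Leaky endpoint: caller_id is never checked against target_id (broken
    object-level authorization) and the raw record is serialized wholesale,
    so password_hash and ssn leave the service (excessive data exposure)."""
    return USERS.get(target_id)

# Hardened endpoint: response allow-lists, an ownership check and a per-caller
# fixed-window rate limit. The limits below are illustrative assumptions.
PUBLIC_FIELDS = ("id", "name")            # any authenticated caller
OWNER_FIELDS = ("id", "name", "email")    # only the record's owner
RATE_LIMIT = 5        # requests per caller ...
WINDOW = 60.0         # ... within this many seconds
_calls = defaultdict(list)

def _allow(caller_id, now):
    """Per-caller fixed window; returns False once RATE_LIMIT is reached."""
    recent = [t for t in _calls[caller_id] if now - t < WINDOW]
    if len(recent) >= RATE_LIMIT:
        _calls[caller_id] = recent
        return False
    recent.append(now)
    _calls[caller_id] = recent
    return True

def get_user_hardened(caller_id, target_id, now=None):
    """Returns (status, body) the way an HTTP handler would."""
    now = time.monotonic() if now is None else now
    if not _allow(caller_id, now):           # resource/rate limiting first
        return 429, {"error": "rate limited"}
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    # Object-level authorization decides which view the caller receives.
    fields = OWNER_FIELDS if caller_id == target_id else PUBLIC_FIELDS
    # Allow-list serialization: password_hash and ssn are never emitted.
    return 200, {k: record[k] for k in fields}
```

Counting 404 responses against the limit is deliberate: it also slows enumeration of identifiers.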

Scenario #6 Rise of DevSecOps and the move away from the 5-tuple network security approach

Sekhar Sarukkai, Co-Founder, Skyhigh Networks: DevOps teams can continuously roll out micro-services and interacting, reusable components as applications. As a result, the number of organizations prioritizing the adoption of container technologies will continue to increase in 2020. Gartner predicts that “by 2022, more than 75% of global organizations will be running containerized applications in production — a significant increase from fewer than 30% today.”

Container technologies will help organizations modernize legacy applications and create new cloud-native applications that are scalable and agile. Containerized applications are built by assembling reusable components on software defined Infrastructure-as-Code (IaC) which is deployed into Cloud environments. Continuous Integration / Continuous Deployment (CI/CD) tools automate the build and deploy process of these applications and IaC, creating a challenge for pre-emptive and continuous detection of application vulnerabilities and IaC configuration errors. To adjust to the rise in containerized applications operating in a CI/CD model, security teams will need to conduct their risk assessment at the time of code build, before deployment. This effectively shifts security “left” in the deployment lifecycle and integrates security into the DevOps process, a model frequently referred to as DevSecOps.

Additionally, threats to containerized applications are introduced not only by IaC misconfigurations or application vulnerabilities, but also by abused network privileges that allow lateral movement in an attack. To address these run-time threats, organizations are increasingly turning to cloud-native security tools developed specifically for container environments. 

Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) work as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This approach to application identity-based enforcement will push organizations away from the five-tuple approach to network security which is increasingly irrelevant in the context of ephemeral container deployments.

When CASB and CWPP solutions integrate with CI/CD tools, security teams can meet the speed of DevOps, shifting security “left” and creating a DevSecOps practice within their organization. Governance, compliance, and overall security of cloud environments will improve as organizations accelerate their transition to DevSecOps with these cloud-native security tools.
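An added example of the build-time check described above, not code from any of the vendors or tools mentioned: a small Python rule set a CI job could run over a Kubernetes Pod manifest (constructed here as JSON, which Kubernetes accepts alongside YAML) to flag IaC misconfigurations before deployment and fail the build on high-severity findings. The rules, severities and image names are illustrative assumptions.

```python
import json

# Constructed Pod manifest. The registry, image names and the all-zero
# digest are placeholders, not real artifacts.
MANIFEST = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "payments", "labels": {"app": "payments"}},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "api", "image": "registry.example.test/payments:latest",
       "securityContext": {"privileged": true}},
      {"name": "sidecar",
       "image": "registry.example.test/proxy@sha256:0000000000000000000000000000000000000000000000000000000000000000",
       "securityContext": {"runAsNonRoot": true,
                           "allowPrivilegeEscalation": false}}
    ]
  }
}
""")

def check_pod(manifest):
    """Return (severity, message) findings for a Pod manifest. The rules are
    an illustrative subset of common hardening checks, not a vendor's policy."""
    findings = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("high", "pod shares the node's network namespace"))
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("high", f"{name}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(("medium", f"{name}: allowPrivilegeEscalation not disabled"))
        if not sc.get("runAsNonRoot"):
            findings.append(("medium", f"{name}: runAsNonRoot not set"))
        if "@sha256:" not in c.get("image", ""):
            findings.append(("low", f"{name}: image not pinned by digest"))
    return findings

def gate(findings, fail_on=("high",)):
    """CI gate: True lets the deploy step run, False fails the build."""
    return not any(sev in fail_on for sev, _ in findings)

if __name__ == "__main__":
    results = check_pod(MANIFEST)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    raise SystemExit(0 if gate(results) else 1)
```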

Eli Erlikhman, Managing Principal Consultant at Synopsys Software Integrity Group: A starting point is to invest in a threat model providing a detailed understanding of the maturity of their security practices used during software development. The findings of the threat model can then inform defensive and training strategies for employees, along with prioritization efforts.

Patrick Hubbard, Head Geek, SolarWinds: As businesses evolve, tech pros are tiring of the proliferation of “best of breed” tools from different vendors and are instead looking toward integrated solutions to give them the ability to manage environments inside their firewall as well as hybrid and public-cloud environments. Visibility needs to be centralized to support modern, multi-cloud, and multi-premises architectures, with an integrated view showing dependencies and relationships between applications and the infrastructure on which they depend. Only then can tech pros not only understand performance metrics across the business but speak a common IT language as they bridge previously siloed functions.