Top 10 Cybercrime and Cybersecurity Trends for 2021
December 2020 by ImmuniWeb
1. Sophisticated Ransomware Attacks to Surge
Ransomware-as-a-Service (RaaS) will become readily available to anyone capable of buying Bitcoin or other digital currencies. In contrast to countless money-losing startups, today’s cybercrime scene is characterized by maturity, effective division of labor and high profitability: some groups develop sophisticated malware, others prepare large-scale attacks, or provide multilingual phone support for victims in order to facilitate payment of ransom in Bitcoin.
Newly recruited cyber offenders get generous payments for delivering or spreading malware, being paid per infected device or with a percentage of the extorted ransom. The global economic downturn, caused by the spiraling pandemic, will steadily push impoverished young professionals and talented IT students into cybercrime. The dark side guarantees a solid and stable income, while offering virtually absolute impunity for the reasons described below. Furthermore, most of the ransomware attacks in 2021 will not just encrypt the data but steal it and then delete backups, thereby imposing even more compelling incentives to pay. Worse, payment of a ransom will not necessarily prevent your data from eventually being sold on the Dark Web.
2. Compliance-Driven Cybersecurity Spending to Dominate
Following data privacy trends set by the European GDPR, both California’s Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect in 2020. Akin to their European sibling, these US state laws impose thorough cybersecurity requirements on the affected organizations, including holistic IT asset inventory, continuous monitoring, and regular security testing. More US states, including Maine and Nevada, have either already passed a state data privacy law or have it scheduled for 2021.
Mushrooming regulations usually come with formidable monetary sanctions and even criminal penalties for major or persistent non-conformities. We expect more organizations to start rapidly investing in their cybersecurity and data protection to avoid regulatory sanctions paired with costly class-action and individual lawsuits from customers whose data is stolen. Lavish spending for cybersecurity needs, mainly to escape unpredictable but gigantic legal losses, will probably hallmark 2021 budgeting.
3. Larger External Attack Surface to Make Cyber Attacks Easier and Faster
Working from home (WFH) brought an unprecedented number of exposed IT and cloud assets, ranging from exposed RDP and VPN servers to IoT devices and admin consoles of security appliances such as secure email gateways or web application firewalls. Countless organizations rushed to chaotically digitalize their business-critical processes without undertaking any cybersecurity and data protection precautions. While migrating to public-cloud providers and availing themselves of a wide spectrum of benefits coming with new technologies, including Docker and Kubernetes, most of the organizations did not invest in requisite security training for their IT personnel.
During 2020, billions of confidential records were stolen due to misconfigured cloud storage, exposed Elasticsearch or MongoDB databases and other variations of human error. Moreover, loyal and creative WFH employees bring up a bundle of undocumented IT processes to continue operating while working remotely. They unwittingly propagate Shadow IT and disperse confidential corporate data across an unknown number of remote storage locations and unprotected systems. In 2021, attackers will certainly commence their APT campaigns by searching for such low-hanging fruit prior to leveraging expensive 0days and conducting laborious spear-phishing attacks.
4. Outdated and Open-Source Software to Undermine Cyber Resilience
A myriad of undocumented Open-Source Software (OSS) is a ticking timebomb ready to abruptly explode in many large and small companies. During the pandemic, the majority of severely hit enterprises favored low-price software development offers over all other criteria. Unsurprisingly, they got the corresponding code quality and security of their software, among other things, with undocumented OSS components and frameworks injected to save programming time. While busy with the WFH phenomenon, cybersecurity teams have insufficient time to test the newly developed software that ends up being deployed to production amid the havoc.
Modern cybercriminals continuously crawl the Internet for outdated web software: they easily fingerprint disguised OSS components and proprietary closed-source web software from Microsoft or Oracle. Once a vulnerability is publicly disclosed, cyber gangs rapidly start exploiting it in external web systems that run the vulnerable piece of software. Some even automatically patch the vulnerability just after backdooring the system to prevent “competitors” from breaking in. Thus, if you do not patch your external web applications in 2021, the attackers will do this for you.
5. Variations of Password Reuse Attacks Targeting Third Parties to Snowball
While 2020 marked the grim record of stolen data and credentials, most of the compromised logins and passwords can be easily purchased or found on the Dark Web and other hacking resources. Contemporary cybercriminals are shrewd and pragmatic: they prefer riskless and inexpensive operations before undertaking sophisticated hacking campaigns with the concomitant risks of being detected and prosecuted.
Usually, an intrusion invisibly debuts on the Dark Web with a purchase of all available compromised credentials belonging to the victims’ employees or trusted third parties like IT support vendors. Then, the attackers try getting into third-party hosted and managed systems, including a myriad of SaaS and PaaS systems. Centralized identity and access management (IAM) and multifactor authentication (MFA), which many organizations vigorously implement these days, are futile when hackers target systems beyond your control. This year, we witnessed an impressive number of highly successful password reuse attacks targeting third parties, and we expect that the number will become even higher in 2021.
6. Bug Bounties to Continue Morphing into Penetration Testing
Pioneers of commercial bug bounty platforms continue to re-invent themselves by offering next generation penetration testing, red teaming and other subscription-based or one-off services while usually paying their bug hunters on a success rate. The global crowd security testing and vulnerability disclosure market is also disrupted by innumerable startups, community-driven and free projects such as Open Bug Bounty with over 1,000 bug bounty programs as of today.
In the past, many organizations expected bug bounties to fully replace penetration testing companies, hoping to get more efficiency and effectiveness. But apparently the process is going exactly the opposite way from what was predicted five years ago. We have to recognize that bug bounties have benefited the global penetration testing market: an impressive number of pentesting standards and quality labels were introduced to prove the value for money that a pentest can bring if conducted properly by professionals. In 2021, more commercial bug bounty platforms will likely start selling traditional penetration testing under color of creative crowd security testing.
7. Working From Home to Hinder and Slow Down DevSecOps Implementation
DevSecOps has gained important traction in the last few years. The combined efforts of software developers, IT folks and cybersecurity teams indisputably bring agility and cost-efficiency, and tellingly reduce the number of data breaches and security incidents. The chaos and severe disruption of the COVID-19 pandemic negated most of the efforts: now people work in isolation from home and have a larger number of tasks, reducing cooperation and communications with other teams. Internal security training likewise stagnates. Video conferencing and Slack alleviate some of the negative consequences but certainly cannot fully substitute for human contact and vivid collaboration in the office. Eventually, unless a vaccine reduces the number of remote workers, we will likely have less inter-team cooperation and, as a result, more data breaches in 2021.
8. Cybercriminals to Widely Leverage Machine Learning and AI for Smarter Attacks
For several years already, cybercriminals have been leveraging Machine Learning for automation and optimization of various tasks and processes, spanning from victim profiling to faster detection of outdated systems. The adversarial usage of AI is, however, largely exaggerated today: we are still extremely far from Strong AI in 2020, and the existing ML/AI systems bring no substantially new hacking techniques into the game. Practical usage of ML/AI will merely accelerate, intensify and diversify exploitation vectors, and improve efficiency of exploits’ payloads, ultimately impacting more victims in a shorter period of time. The growing availability of Machine Learning frameworks and special hardware capacities available for hourly or monthly rent will bolster further proliferation of malicious AI usage by cyber gangs. Attackers will undoubtedly become even more efficient, swifter and better organized in 2021 thanks to adversarial ML/AI.
9. Cybercrime Clearance Rate to Decrease Globally Diluting the Authority of State
While the FBI and other law enforcement agencies report a frustrating record of incoming computer crime complaints, cyber investigation and attack attribution become more and more complicated and costly. Cybercriminals aptly leverage modern technical capacities to stay anonymous, oftentimes passing through breached systems in hostile overseas jurisdictions that are unlikely to cooperate with Western nations.
This year, while conducting Dark Web monitoring, we even spotted several announcements selling backdoored machines of law enforcement agencies to be used as proxies in sophisticated attacks. Nation-state threat actors have likely been exploiting such perfidious techniques for a while already. Meanwhile, payments in digital currencies make money laundering an unusually easy task and render most of the payments technically untraceable and unattributable. In light of the disproportionally small funding of law enforcement agencies and their cyber divisions specifically, we will likely observe a gradual decrease of cybercrime clearance rate in 2021.
10. Law Firms to Gain Even More Importance in Data Breaches Investigations
Given the ascending significance of legal implications and harsh regulatory penalties stemming from data breaches, more organizations will hire external law firms to accurately assess and mitigate multi-jurisdictional ramifications of hacker attacks. A relatively new trend lies in attorney-client privilege: it prohibits forensic reports and interrelated data from being discovered and adduced in court if the forensic process was managed by a law firm for the purpose of legal advice provision. As a result, victims and other litigants have fewer chances to prove that the breached company was negligent or failed to implement a reasonable standard of data protection that actually caused the breach. The trend is largely unsettled for the moment and depends on the jurisdiction and specific circumstances of the case, but it evidently has a strong potential to become a decisive reason in 2021 to hire law firms to manage data breach investigation.
ImmuniWeb CEO & Chief Architect, Ilia Kolochenko, says: “Organizations around the globe start taking skyrocketing cybercrime seriously and spend more money to protect their data, reputation and customers. Spending more, however, does not necessarily mean spending wisely: we need to have the right people, well-thought processes and a systematic approach to build a robust and resilient cybersecurity strategy.
An efficient and effective cybersecurity program starts with holistic visibility of your digital assets and continuous monitoring of the constantly evolving cyber threat landscape. At ImmuniWeb, we work hard to enable such a risk-based and threat-aware approach to application security for our customers and partners. Many exciting announcements are coming in 2021, please stay tuned.”