By Dark Cyber On Jan 1, 2022
Looking into the future isn’t easy, but at this time of the year CISOs want to have at least an inkling of what’s coming. We’ve assembled a synopsis of the thinking of more than 40 cybersecurity-related companies to help provide a picture of what to expect, and it’s often not pretty. So brace yourself – it could be a rocky year.
—The success rate of cyberattacks on businesses will decrease, said Tom Okman, co-founder Nord Security, but still remain above the pre-pandemic levels. “After two years of exponential growth in cyberattacks, predicting the opposite may seem counter-intuitive. But security issues appeared on the radar for a lot of companies, possibly enough to compel many to invest in cybersecurity. The foretasted retreat of the pandemic will lead a part of the workforce to return to the office or adapt a hybrid form of work instead of full work from home. This will reduce potential access points for hackers. Meanwhile, those who opt for permanent remote work will have had the time to address the security issues overlooked in the rushed transition from offices.”
—The cybersecurity skills gap combined with the Great Resignation will see cybersecurity companies do two things, said Tim Eades, chief executive officer of vArmour: Make a significant investment in employee wellness and growth beyond the benefits package in order to retain and re-engage the workers they already have. “Those who don’t do this will lose employees and be at a hiring disadvantage. They’ll also have to make significant investments in automation so infosec professionals can focus on the problems that require human ingenuity.”
—“The advent and increasing frequency of attacks that use a ransomware-as-a-service (RaaS) offering indicate that such attacks will not slack off during the coming year,” said Ziv Mador, vice-president of security research at Trustwave SpiderLabs. “RaaS is extremely profitable, with the REvil RaaS gang generating about US$100 million per year in 2018 and 2019. We should anticipate the efficiency of RaaS gangs to increase unless law enforcement and geopolitical forces unite to slow their progress – a coordinated effort we have begun to see promising results from in the last months of 2021.”
—Quantum computing will be top of mind, according to John McClurg, senior vice-president and chief information security officer at BlackBerry. “2022’s threat landscape will be led by how quickly quantum computing will evolve. While most believe this technology is still years away from being fully applied, the cybersecurity community must start applying resources and our greatest minds to come up with a solution to defend against quantum computing inevitably falling into the wrong hands. Quantum computing will undoubtedly spur rapid technological advancements across multiple industries. However, the cybersecurity implications on organizations and their sensitive data will be vast and uncharted if left overlooked.”
—“There will be a successful large-scale attack delivered through open-source software,” said Matt Sanders, director of security at LogRhythm. “Malicious actors have repeatedly demonstrated their technological aptitude at infiltrating and compromising organizations. Those same skills will be increasingly applied to the open-source software ecosystem (which welcomes all contributors), where attackers can intentionally introduce vulnerable code to widely used open-source software components. This would allow cybercriminals to exploit vulnerabilities on a massive scale, targeting companies that have built products using open-source technology without reviewing the code before copying and pasting it into their platforms. Such attacks can be extremely difficult to detect. It is likely that several instances of such attacks are already present in widely used open-source software today, which may be found in the year to come.” [Editor’s note: This prediction was made before the discovery of the Log4Shell vulnerability.]
—Mobile malware attacks will increase, said Maya Horowitz, vice-president of research at Check Point Software. In 2021, she noted 46% of organizations had at least one employee download a malicious mobile application. The move to remote work for almost entire populations across the world during the COVID-19 pandemic saw the mobile attack surface expand dramatically, she said, resulting in 97% of organizations facing mobile threats from several attack vectors. As mobile wallets and mobile payment platforms are used more frequently, cybercriminals will evolve and adapt their techniques to exploit the growing reliance on mobile devices;
—Organizations will increasingly adopt low-code security automation, said Cody Cornell, co-founder and chief strategy officer of Swimlane. Automation will grow beyond the security operations center (SOC) to serve as a system of record for the entire security organization, he said. “As companies struggle to adequately staff security teams — and fallout from ‘The Great Resignation’ adds additional stress across the organization — automation will help employees overcome process and data fatigue. Companies will seek to use low-code automation to harness the collective knowledge of their entire security organization and form a centralized system of record for operational data.”
—In 2021 attackers noticed that major data breaches or ransomware attacks could influence a company’s stock and brand reputation, and public announcements could disrupt customers, partners and business markets, said Neil Jones, cybersecurity evangelist at Egnyte. “So in 2022, expect attackers to begin leveraging attacks to not only collect ransom, but to make additional profits trading on the information by announcing ransomware attacks publicly. Ransomware attacks may even be timed to coincide with quarterly earnings announcements or other events.”
—As we continue to see the proliferation of privacy laws both at the [U.S.] state level, and potentially the federal level, globally, organizations need to ensure that they have a lawful basis for collecting data, said John Noltensmeyer, chief technology officer at TokenEx. “That has been part of European data protection law for decades. In the United States, we have treated personal data as a free-for-all: if you can collect it, then you can do anything you want with it. That is obviously changing, so if organizations are not considering that, and not using something like the GDPR or CCP [California Consumer Privacy Act] as a guide – even if an organization feels those laws don’t apply to them – they should absolutely begin considering the effect of similar legislation on their organization. It is likely that there will be some type of comparable regulation that does apply to their business within 2022.”
–“With each new year, it’s important for executives and board members to view their cybersecurity measures with fresh eyes,” said Danny Lopez, CEO of Glasswall. “Hackers will never rest when it comes to finding new angles to break into organizations’ critical systems. Once one problem is patched, they will just continue to poke and find new openings that will enable them to steal data or move laterally across the network. One way, this is expected to escalate over the next year is through the insurgence of bad actors and insider threats. Not only do companies need to be aware of exterior threats, but aware of internal vulnerabilities by implementing a zero-trust approach.”
—Infosec will dominate our lives in the tech space for the foreseeable future, said Steve Cochran, CTO, ConnectWise. “Companies may think they’re protected. However, many of them are using slingshots to protect themselves while the bad guys have tanks, bombs, and machine guns. We have a long way to go as a technology-driven society in terms of cybersecurity. Getting ourselves to the point where we aren’t at risk of a serious attack will be our focus for the next two to three years. On the less serious side, tools that allow us to better engage in the new hybrid working model will become more prevalent. Solutions will be developed that will allow us to work in a more meaningful way during this new era. Tools that let us set up conferences, arrange food deliveries, and show who is in and out of the office will take center-stage now that the majority of companies have introduced hybrid working models.”
—The impact of the ‘great resignation’ will be significant, predicts Brian Wrozek, CISO of Optiv. “Many companies and cybersecurity teams will struggle to execute on new projects as they spend more time onboarding and training new resources. At best, they will tread water and maintain their current cybersecurity maturity. I suspect many will see a decrease in their cybersecurity resiliency as new projects get put into production without proper security and existing procedures get ignored, since there just isn’t enough time in the day to complete all the items on the to-do list. Since existing resources are overtaxed just maintaining the status quo, successful attacks will rise.”
On the positive side, he added, the high number of unfulfilled cybersecurity jobs have brought more people into the talent pipeline. Universities and educational companies will see an influx of students who wish to become cybersecurity professionals, he said. There also are more and more alternatives to standard degrees to grow your cybersecurity skills. “While it will take time for these fresh recruits to have an impact, it bodes well for the future of the profession.”
—Having IT teams report into security departments is a model that will definitely start gaining traction in the industry, said George Gerchow, CSO of Sumo Logic. By 2030, half of the industry will be operating this way, he said. With the tech sector leading the way, this will affect companies everywhere, from FinTech to healthcare. With all organizations trying to become software companies it’s time for them to behave like one, he said. “My hope is that by 2040 security departments don’t even exist anymore. What this means is that organizations will have security programmed into their entire systems so that everyone follows the best security practices and behaves in a secure fashion.”
—As-a-service options are the alternative for bootstrapped teams, and with the cybersecurity industry leaning into ‘as-a-service’ offerings this trend will continue through ’22, said James Mignacca, CEO and founder of Cavelo. “But teams need to exercise caution in onboarding too many as-a-service tools. While all tools serve an important purpose, there is no intersection point between them so it’s challenging to get a clear picture on the overall health of the business’s data security. That lack of cohesion makes it tough to action as-a-service outputs, which defeats the purpose. Too much of a good thing with zero correlation will drive risk up.”
—Social media platforms will become the fastest-growing attack surface, said Ben Smith, field CTO at NetWitness. Most stories about cyberattacks leading to kinetic (or physical) outcomes tend to focus on things like car hacking, medical device compromises, and other stunt-hacking proofs-of-concept, he said. “But it is today’s social media platforms which represent the biggest, cheapest, and fastest method for an adversary to effect change in the physical world – not by destroying equipment as part of a cyberattack, but in mobilizing humans towards the adversary’s goals. Disinformation, and its skillful development and deployment, will produce real-world physical effects.”
The cybersecurity skills gap will only widen, he added. Despite the large number of educational programs and certifications designed to demonstrate proficiency as a cybersecurity professional, the number of certified candidates will be outstripped by the quantity of new jobs which must be filled, he said. Smart organizations will relax their “perfect candidate” standards and widen the net to find good people, he said.
—API attacks will get more advanced, said Jyoti Bansal, CEO and co-founder of Traceable. Attackers will go after flaws in the business logic implementation application programming interfaces (APIs), which are entirely different from customer to customer. No two business logic implementations are the same, she pointed out, making it difficult for any one API security solution to provide protection. These implementation flaws will lead to business logic flaw exploits and ultimately API abuse and fraud. Bansal also predicted cybercriminals will increasingly target orphan APIs that are not under central API management. “In order to stay ahead of these threats, security teams must be proactive and evaluate their partners’ API security practices,” she said.
—“My biggest concern is that hackers have speedier access to newer technologies and organizations won’t be able to keep up with them,” said Anurag Gurtu, CPO at StrikeReady. As a result there is a need to augment cybersecurity workforce using Digital Cybersecurity Analysts. These analysts will learn in real-time from the experiences and knowledge of other cyber experts all over the world, she said, then use this information to guide junior analysts with their decision-making processes when it comes time for resolving threats or proactively protecting their organization.
—“In 2022, more countries will pursue cybersecurity legislation for incident reporting, baseline security requirements and supply chain-related threats,” said Ron Brash, VP of technical research and integrations at aDolus. “While many welcome the stick approach (since the carrot wasn’t working), it’s the beginning of a resiliency marathon in many industries and even local municipal infrastructures. Multiple sectors will continue to struggle with providing sane solutions and a flexible (and affordable) workforce to tackle the remediation catch-up.”
–-In 2022, the email threat and SOC overload will continue to be unbearable as more pernicious credential harvesting and ransomware attacks take center stage, said Jeremy Fuchs, cybersecurity research analyst at Avanan. Most organizations will cope by adding advanced artificial intelligence and machine learning that learns and improves over time, he said. By training advanced AI on a robust data set, over 50 per cent more threats can be stopped and the SOC can return to other, vital IT tasks. “The world of advanced threats can be scary. Having those threats reach your inbox can be even scarier. That’s why it’s more important than ever to deploy the right AI for your organization,” he said.
—Business email compromise (BEC) will spike as funding from the U.S. infrastructure bill is distributed and construction companies are contracted, said Mike Hamilton, founder and CISO at Critical Insight. Meanwhile, security requirements will cause many businesses to self-insure, leading some to be driven out of business after an extortion event, he said. He also sees a backlash from threat actors created by the increased scrutiny, apprehension, and prosecution of cybercriminals. This will result in a frontal assault on the government using ransomware, he said, but without extortion demands – as disruption only.
–-Boards and C-suites will be more involved and responsible for cyber risk, said Padraic O’Reilly, co-founder and chief product officer at CyberSaint. Large companies have been performing risk assessments on spreadsheets for years, he pointed out. The C-level has become aware that this is no longer tenable, and is risky in and of itself. In the wake of the ransomware spike, cyber is top of mind for C-Suites and boards, he said. In 2022, he predicted, risk management will become nearly continuous for the most forward-looking organizations, as they seek to understand their exposures and rapidly mitigate the most serious risks to their businesses.
—The insider threat will dominate 2022 as employees take not only their plants with them as they leave their jobs, said Adam Gavish, co-founder and CEO at DoControl. With the continued “remote work” environment, employees are accessing data and information from anywhere around the world as quickly and easily as if they were in the office, he said. “With this massive adoption comes increased risk and exposure for companies who are unaware of the volume of SaaS apps that are being accessed by employees, and the inability to offload those employees once they leave the company or are moved into different areas of the business.”
–-Mobile apps will continue to increase in significance and importance in 2022 and beyond, said Ryan Lloyd, chief product officer of Guardsquare, The pandemic has demonstrated the power of mobile, persuading even the most reluctant or risk-averse to use mobile apps for ordering food, playing games, shopping, communicating and more, he said. The sophistication of these and other use cases will move the security of mobile applications higher up on the agenda of organizations in response to public disclosures and challenges that will come to light. He also predicted mobile app security will become increasingly important because of the consequences being more impactful than ever.
—One way to address the cybersecurity skills shortage is to automate where you can, said Todd Salmon, executive advisor for threat and attack simulation at GuidePoint Security. “The global shortage of security professionals has hit every corner of the industry hard, and pen-testing, in particular, has been impacted due to the levels of technical expertise and knowledge required. Increased adoption of continuous penetration testing will free up skilled resources to focus on addressing more severe vulnerabilities and issues. Additionally, continual security testing will reduce the time required to scope a traditional penetration test because penetration testers will have access to a trove of data and reports from throughout the year.”
—“The continued abuse of legitimate cloud collaboration resources (Canva, Google Docs, Microsoft OneDrive) will make it harder to detect cyber attacks,” said Bukar Alibe, cybersecurity analyst at INKY. “These resources are used to launder malware and malicious links in phishing emails because these have safe website reputations and don’t appear in threat intelligence feeds. We detected 46,518 of these attacks in 2021 and expect that number to increase by double digits in 2022.”
—Critical infrastructure defenses will mature significantly, thanks in part to progress when it comes to public and private co-operative efforts aimed at tightening defences, said Andrea Carcano, co-founder, and CPO at Nozomi Networks. “Government guidelines, mandates, and legislation will help establish and enforce a standard baseline for critical infrastructure cybersecurity, and standards and best practices (like ISA and NIST) will get more spotlight. While the needle will move significantly, it won’t be far enough fast enough. Public/private sector efforts will begin to shift the landscape in 2022, but it still will take a couple of years to see significant improvements in terms of meaningful defenses.”
—More hospitals will shut down next year as a result of ransomware attacks, predicted Danny Jenkins, CEO of ThreatLocker. “Many hospitals are still using software and systems that were developed years ago. Medical devices such as MRI machines are running on unpatched operating systems including Windows XP. Unfortunately, the manufacturers of these devices are in no rush to update them. Legacy machines used in hospitals are vulnerable and make a great hiding place for cybercriminals waiting for an opportunity to carry out an attack. Hospitals must add zero trust least privilege controls that protect both legacy and modern systems.”
—“In 2022, we expect a significant rise in criminal copycats delivering malware via software updates,” said Stuart Taylor, senior director of Forcepoint X-Labs. “The Sunburst [exploit against SolarWinds] shocked the industry. Using highly sophisticated malware hidden inside legitimate software updates, the attackers not only exfiltrated targeted data but also spread the malware across a huge spread of victims. When malware is successful, copycat attacks will follow. What happens when malicious updates hit the mass market? How do we protect ourselves?”
—Identity and access controls will become the new foundation of security, said Joe McMann, global cybersecurity portfolio lead at technology consulting firm Capgemini. As enterprises change and remote work becomes the norm, the committed use of two-factor authentication, biometrics, and password-less access by employees will be prioritized by security teams, he said.
—Organizations should place securing their software supply chain at the top of their agenda in 2022, said Marten Mickos, CEO of HackerOne. “Some of the largest cyberattacks of 2021 targeted software supply chains and I anticipate this trend to continue. Cybercriminals recognize there is still much work to be done for most organizations when it comes to securing their software supply chain — especially for organizations that haven’t been proactive about their cybersecurity from the beginning. This is because software supply chains are inherently complex and this complexity will only increase over time. Organizations should prioritize keeping software vendors accountable, and ensuring they have a clear plan for when something goes wrong. A first step for any organization that feels it’s falling behind is to get a software bill of materials and establish clear guidelines for how vendors manage their security, including vulnerability disclosure and remediation.”
—“The security industry is still facing the same problems it has for the past 20-plus years and without addressing these issues, hackers will continue their successful efforts to steal data and digitally harm society,” said John Scimone, SVP and chief security officer at Dell Technologies. “Rather than predicting the future, we need to first address three long-standing problems — the workforce gap, vulnerability management and the need to build more secure technology. Talent may be the biggest issue facing our industry with a workforce gap of 2.72 million unfilled jobs. We need to focus on investing in training programs and developing employees’ transferable skills in order to develop the talent necessary to keep organizations secure. In parallel to efforts to make our industry less dependent on labor such as through automation.
“It remains far too easy for adversaries to gain access to organizations’ networks and cause harm, and often this starts through the exploitation of a known vulnerability. Technology departments must become far more proficient at quickly identifying and fixing vulnerabilities before they can be exploited. In turn, tech providers must become far more proficient at developing technology that’s intrinsically more secure and resilient. When security is embedded into all technology, organizations are better positioned to identify, protect, detect and respond to threats. In 2022, our time will be best spent solving these long-standing problems that hurt us every day, rather than pontificating about problems that don’t yet exist.”
—The human element in cyberattacks, such as falling victim to social engineering or insider threats, will be amplified as workers migrate to hybrid work environments, said Lucia Milică, global resident CISO at Proofpoint. We will start seeing specific APIs (application programming interfaces) attacked in order to compromise the supply chain, as threat actors innovate and leverage new tools to exploit vulnerabilities. This will lead to larger scale data breaches, he said.
—The first Phygital Catastrophe is coming, said Saket Modi, CEO of Safe Security. “A central mission-critical application will go down and create a ripple impact across businesses and for consumers around the world. For example, a hack on a major central system like an internet gateway, public cloud provider or a healthcare system like Epic will impact millions of people and we will see the physical ramifications in our everyday lives. Healthcare could be upended, businesses unable to provide digital services, flights canceled, food and supplies not delivered and more.” He also sees the cybersecurity and data science fields uniting to help organizations better understand and proactively protect against increasing threats.
—Ransomware attacks will continue to increase and someone finally pays the full price for meeting demands, said Kevin Hanes, CEO of Cybrary. “Even though ransomware attacks over the past couple years have been bad, they were only the tip of the iceberg. Given the extensive financial motivations for ransomware gangs and their utilization of insider threats, even current legislation and the Biden Administration’s cybersecurity executive order aren’t going to prevent companies from trying to discreetly meet their demands. That being said, as organizations weigh the risks of guaranteed pain now versus potential repercussions later, someone is going to be made an example of by the federal government in short order. Not knowing the law won’t be an excuse and, although jail time is unlikely, there will be organizations that are indicted in order to make them think twice about paying these criminals in the future.”
—“In 2022 we’ll see an escalation of the ransomware attack model with extortionware,” said Chris Berry, CTO and general manager of security solutions at PDI Software. “With more businesses maintaining secure backups to avoid paying a ransom to unlock encrypted data, cybercriminals are now threatening to publicly expose sensitive data. It’s so important to make sure you’re preventing threats by securing your perimeter. But you also need the capabilities to detect potential threats and respond in real-time if you suspect you’ve been breached.”
—Tokenized identity will become a prominent method to mitigate API data leakage and compromised tokens, said Nathanael Coffing, CSO and co-founder of Cloudentity. “Tokenization has become a key method for businesses to bolster the security of credit card and e-commerce transactions. Moving this same per transaction security capability to personal identifiable information (PII) can drastically reduce an organization’s attack surface. Today, most organizations continue the perimeter-based security for their distributed applications passing enriched over-privileged JSON Web Tokens to any service that requests them. However, with the rise of third-party developers and B2B2C business models, cyber attackers only have to find the weakest link to start compromising millions of PII records. A notable example of this occurred last year when cybercriminals registered a malicious app with an OAuth 2.0 provider, which generated tokens for authorization. If the user accepted and used the token, the attacker could gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources. In 2022, we will start to see tokenization and very short expiration times for tokens to prevent these types of attacks.”
—Enterprise IoT will be the next ransomware target, said Kevin Bocek, VP of security strategy and threat intel at Venafi. The devastating consequences, both direct and indirect, of ransomware attacks against critical OT infrastructure wreaked havoc on water treatment systems, took down food and agriculture plants, and even spurred panic buying of gasoline in the case of Colonial pipeline, he said. With these successes behind them, attackers will shift targets from takedowns of OT infrastructure to enterprise IoT devices, he predicted. These campaigns will attempt to take over everything from security cameras to diabetes monitors to point of sale devices, often by stealing machine identities. And because IoT depends on machine identity, individual things don’t need to be targeted, he said, just the service providing software updates and command-and-control.
—“More major ransomware attacks or high-profile corporate data breaches will start with an attacker engaging with an employee over text or chat,” said Josh Yavor, CISO of Tessian. Malicious actors can reach employees on social media platforms, messaging apps like WhatsApp, or through SMS as a gateway to corporate accounts and data, he said. But, he added, unlike corporate email and chat accounts, these personal platforms aren’t protected by an internal security team or security tooling.
–-Misconfigured Active Directory will continue to be a main target of threat actors, said Derek Melber, chief technology and security strategist at Tenable. AD is the one common denominator across the largest security attacks like SolarWinds, Microsoft Exchange and more, he argued. Entry points will continue to vary and more will inevitably be added, but regardless of how attack tactics change in the coming year, AD will remain the main target because it’s simply too lucrative for adversaries to pass up, he said. Organizations must patch and secure every configuration that is known to be exploited.
–“Adversaries will seek to topple the Jenga tower of code that is American software,” said Josh Lospinoso, CEO and co-founder of Shift5. The hasty cloud migration the pandemic prompted has increased the layers of software stacked on existing software, he said, creating what he called a Jenga tower of code that can easily be toppled if one piece is tweaked. “We saw this with the SolarWinds and Kaseya attacks, and most recently Zoho, and we’ll continue to see even more such attacks in the new year as attackers move up the software supply chain.”
—Quantum technology will be ready for prime time, said Eyal Moshe, CEO and cofounder of HUB Security. The world’s biggest tech titans (e.g. Google, Microsoft, Amazon) have been investing trillions of dollars in quantum computing research for years, he pointed out. In 2022, he predicted, these investments will reach a point where quantum will be ready for mainstream enterprise proof-of-concept and adoption.
—Brand impersonation techniques will continue to rise in sophistication, predicts Damien Alexandre, engineer expert at Vade. “It’s critical in 2022 for brands to protect themselves and individuals to keep a watchful eye,” he said. “This year, brand impersonation utilizing procedurally-generated graphics was on the rise. This occurs when HTML and CSS are used to display the Microsoft or Chase logo, for example, in a phishing attack to make the threat seem much more realistic to an individual and bypass image analysis technology. In an inbox, it would appear to have come from the brand in question. As we look ahead to 2022, it is likely this technique remains popular.”
—“In 2022, with ransomware continuing to grow as a threat, data protection will become the most indispensable component of every organization’s digital transformation strategy,” said JG Heithcock, general manager of Retrospect. Utilizing WORM (write once read many) storage in the cloud with Immutable Backups will provide the best protection against ransomware attacks, he said. “With a locked backup, malware cannot delete your critical data, enabling the administrator to recover if the worst does happen. By combining the 3-2-1 backup with immutable backups in the cloud, administrators can ensure their organization’s data is protected against the latest threat landscape.”
Research-based benchmarks to assess risk across critical threat model