The year 2021 was record-breaking for data breaches, as nation-states and cyber-criminals brazenly targeted software supply chains, critical infrastructure, and the public and healthcare sectors with devastating consequences.
A ransomware attack at the Maryland Department of Health crippled its systems in December and forced many of its services offline, the state agency confirmed in January – a stark indicator that adversaries will continue to unleash attacks on public sector and healthcare facilities in 2022.
Overall, CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks in 2021, with 2,686 attacks as of Dec. 31, 2021, compared to 1,474 in 2020. These figures, coupled with other data leaks, highlight how valuable victim data is to adversaries, according to CrowdStrike’s 2022 Global Threat Report.
The Biden administration continues to chart a course for government agencies to strengthen cybersecurity with directives such as the “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” and Executive Order 14028 on “Improving the Nation’s Cybersecurity.” Meanwhile, the Office of Management and Budget (OMB) released a federal strategy to move the federal government toward a “zero trust” approach to cybersecurity. The strategy represents a key step forward in delivering on the administration’s cybersecurity EO.
As agency security teams implement these cybersecurity directives, what trends can they expect to tackle in 2022?
Adversaries certainly will continue to refine their tradecraft, becoming even more sophisticated and brazen in their cyber campaigns. They will ratchet up ransomware attacks with new twists while seeking ways to exploit vulnerabilities in the software supply chain.
Here is a deeper look at four trends agencies should stay on top of in 2022:
- Ransomware double extortion gives rise to “extortion economy”: This past year, the double extortion ransomware model gained momentum. Here, threat actors demand one ransom for the return of the data and an additional ransom on top to prevent the data from being leaked or sold. However, in 2022, expect to see the extortion/exfiltration side of ransomware achieve even higher levels of sophistication, with a shift away from encryption to a sole focus on extortion. An entire underground economy is being built around the business of data exfiltration and extortion. Data-shaming websites are pervasive, providing a hub for ransomware groups to post and auction stolen data that’s being held ransom. These ransomware groups are revamping their entire infrastructure of tactics, techniques and procedures (TTPs) to more effectively exfiltrate and sell stolen data. If the threat actors can’t get their ransomware to execute past the encryption stage, they’ll pivot and find other ways to gain access to the data to sell for a profit. Ransomware actors will continue to innovate and evolve to find new ways to monetize their victims.
- Contain your containers: In recent years, there has been an explosion in containers and container-based solutions. The federal government is adopting cutting-edge technologies and embracing large changes to existing information technology (IT) infrastructure. To that end, containers have become a growing topic of discussion. “Some agencies already have budding containerization practices, while other agencies are building container capabilities and skills or are just beginning the process,” according to the General Services Administration. Naturally, with the exponential rise in containers, there is an uptick in container-targeted threats. Security for this innovative technology hasn’t quite caught up yet, as organizations deploy containers without proper security measures. With that, the rapid speed of deployment that containers offer will become a double-edged sword. The lack of vulnerability checks and misconfiguration checks, along with the disparate teams involved in container deployments, all contribute to a lack of security across the board. Therefore, containers will become a potential attack vector for agencies that don’t recognize security as a key component of container utilization and deployment.
- Adversaries step up attacks on software supply chains: As recent high-profile attacks have shown this past year, supply chains have become the “low-hanging fruit” for the adversary community. According to the 2021 CrowdStrike Global Security Attitudes Survey, more than three out of every four respondents (77%) have suffered a supply chain attack to date, and 84% of respondents are fearful of the software supply chain becoming one of the biggest cybersecurity threats in the next three years. Software supply chain attacks are not necessarily new, but the recent rise in these types of attacks has opened the floodgates. Software supply chains are vulnerable, and adversaries are actively researching ways to take advantage of this. In 2022, agencies won’t see the end of these attacks, and the implications of each one are significant not only for the victims but for the victims’ customers and partners up and down the chain.
- Zero-day vulnerabilities cause “patch panic”: 2021 was an especially challenging year for trust in legacy vendors. This past year, vulnerability after vulnerability has been exposed, resulting in devastating attacks with no signs of stopping in 2022. For example, 63% of 2021 CrowdStrike Global Security Attitudes Survey respondents admitted their organization is losing trust in Microsoft due to increasing attacks on trusted supply chain vendors. Zero-day vulnerabilities will continue to drive legacy vendor security teams into “patch panic” mode as they frantically try to react and respond to these threats. This will inevitably drive a larger wedge between legacy vendors and their customers, as the latter look elsewhere for solutions that position them to proactively defend against the latest threats.
It is clear from the attacks of 2021 that the adversary is not going to rest. To stay ahead of adversaries, agencies need a modern approach that provides deep visibility and proactive security, as well as extended detection and response across the entire IT infrastructure, from the network to endpoints to cloud workloads and beyond.
James Yeager is Vice President of Public Sector and Healthcare at CrowdStrike.