The geopolitical landscape keeps evolving, and cyberattacks have increased exponentially in recent years as organizations, businesses, and nation-states not only migrate their operations online but also shift to remote workplace environments. As a result, the importance of cybersecurity is coming to the forefront. As digital assets, data, and information become the new currency, protecting them and implementing appropriate and adequate security measures is paramount.
Each year, VerSprite’s dedicated team of cybersecurity experts monitors new threats, hacker activities, and geopolitical and cyber world developments to evaluate and analyze the risks and help organizations better prepare and protect their assets from digital threats. The team’s findings and recommendations are published in VerSprite’s annual critical threat report, Envisions.
Tony UcedaVelez, CEO and Founder of VerSprite Evolved Security Consulting and author of the threat modeling methodology PASTA, shares his insights into the key issues covered in the Critical Threat Report Envisions 2022.
What is the main focus of the critical threat report this year?
Many cyber threat reports focus on specific parts of information security, such as ransomware or privacy. At VerSprite, we felt there was one area not addressed – and that is the geopolitical risk. Geopolitics encompasses governments, government leaders, and political parties governing business and daily life for citizens, their protection, welfare, and societal views. All these elements affect individual and collective perceptions of political and social opinions and loyalty to the governments. They influence the operations of businesses and organizations.
So, the Envisions report focuses on world events from a geopolitical landscape and relates them to cybercrime. It covers everything from ransomware to insider threats, evolutionary technology, and emerging patterns in the internet. What opportunities do those provide for nation-states, individual hackers, hacker groups, and hacker syndicates to commit a crime? In Envisions 2022, our expert cybersecurity team analyzes those critical issues and provides solutions.
The Envisions report identifies information as the key cyberattack target of 2022. What was the basis for the analysis?
Information is the new currency businesses, governments, and cyber criminals seek. It has become precious in the modern world. The more detailed the data is, the more opportunities it provides for the sources. For example, it allows businesses to attract and retain consumers, target advertising, and sell better. That’s a constructive reason. Data misuse poses a more significant concern.
We see information being used and manipulated to distort perceptions and beliefs that influence voting, political loyalties, and contributions. Data is harvested to benefit those in power and those who employ groups to change the narrative.
So, information use and abuse are going to be one of the significant trends affecting business and government.
What are the main threats to expect in 2022?
This is a very complex question. There are many parallel threats. Extortion will continue to thrive, misinformation and misinterpretation will escalate, and persistence in computing environments is another threat with many threat motives. Some threats will be the breadwinners of either hacker syndicates, individual hackers, or nation-states. These are information compromise, persistence, and account takeover.
As mentioned prior, information is the new currency. Hacker syndicates collect personal, financial, healthcare, and business information. There is a market for everybody. Imagine a flea market of information exchange, where hackers sell records for a fraction of the price. So, the more detailed the description is, the richer the data set and the more value it represents. Collected data goes beyond basic now. It is not only names, addresses, and phone numbers. The data being harvested gets more specific: anything from hobbies, blood types, and children’s information to types of cars people drive, their finances, and affiliations. The list goes on. There is a lot at stake in protecting data for organizations and businesses.
Persistence is another major cyber threat trend of 2022. Threat actors specialize in gaining unauthorized access, or persistence, to the infrastructure of a business or an organization. Once in the network, the threat actors can leverage power defense mechanisms, hide their operations, and wait to sell access to the clientele. Organizations may not be aware of the breaches in their systems until client actors start carrying out their functions.
Another way cybercriminals operate is by having a foothold in platforms that lease out logical space to businesses, such as GoDaddy. These platforms are a perfect playground for hiding illicit activity, sending spam or phishing emails, and running malware that is a part of a botnet.
Persistence requires minimum effort, but it pays well. So, it has become a constant threat in everyone’s threat model.
Extortion remains a high-level threat. We will see extortion expand its focus onto new industries. Governments, healthcare organizations, utilities, and telecommunications will continue to be prime targets, and only the level of cyberattack sophistication will continue to rise. However, we expect critical infrastructure and organizations like law firms and data analytics to emerge as new targets for extortion threats. Cybercriminals will look at new industries, which operations they can suppress to get easy money. Organizations must assess their threat risks and ensure their networks are prepared.
Along with the changes in cyber threats, we are starting to see the evolution of the threat actor. For example, a nation-state or a government entity may have motives around the information compromise so that citizens can be tracked against political affiliations, possible terrorist collusions, ideologies counter to a political party that may influence social stability, etc. Furthermore, the interest in intellectual property theft by nation-states is a growing concern in the current geopolitical landscape.
How can organizations prepare for the cyber threats? What are the best security practices to adopt?
I firmly believe that organizations and businesses must adopt a non-technical and non-negotiable mindset to be better prepared for current and emerging cyber threats. In the 16 years of VerSprite’s existence, one issue remains constant – the disregard for basic security hygiene related to products, services, and corporate IT. Unfortunately, many executives and leaders still see security as simply a roadblock or a hurdle to get over to appease lawyers, customers, or auditors. However, it’s a wrong perspective, which can easily lead to losing an entire business.
One of the first steps should be changing such a perspective and mentality. It begins with board members and C-suite managers understanding that the bare minimum cannot be an adequate defense from hacker syndicates and nation-states, which might be well-funded, or even individual lone wolf hackers. Cybercrime is a crime that pays, so cybersecurity and data protection must be taken seriously.
Improving your company’s baseline security should start with remediating the still prevalent flaws, such as weak passwords and poor password management, implicit trust in data and application architecture, accessible information due to poor design, or no encryption between API calls. Cybersecurity is necessary for successful business continuity and ensuring your company spends more time engineering better services and products and less time dealing with lawyers and auditors.
What is the main goal for VerSprite and Envisions 2022?
VerSprite’s team of cybersecurity experts monitors events and incidents throughout the year. Their comprehensive analysis is then compiled into our annual Envisions threat report.
The goal is always to inform businesses and organizations and provide them with the latest information on current cyber threats and the best strategies to structure their operations to minimize the threats.
Our company aims to educate both clients and peers in the industry. Since VerSprite’s inception 16 years ago, we have done adversarial exercises and security program management. Today, we have six different lines of business. VerSprite’s teams specialize in offensive security efforts, security research for hire on 0-day and N-day exploits, and conduct threat intel analysis. Our DevSecOps provides security automation for clients, and the governance risk and compliance team (GRC) focuses on building, managing, and optimizing security programs for our clients’ organizations.
Our combined experience allows us to conduct extensive critical cyber threat research annually. We hope this Envisions report helps inform current trends fueled by the evolving geopolitical risks and factors in some essential items that need to be addressed in any security program playbook.