2022 Cybersecurity Predictions to Watch Out For
As eventful as 2020 was – with the world of work turned upside down, thanks to COVID-19 – 2021 was equal to its predecessor. It was a year that bounced from hope to cautious optimism, then back to disquiet. While some of our cybersecurity predictions for 2021 were accurate, like the importance of securing the remote workforce and the ever-increasing sophistication of ransomware, the year came to a close as organizations are forced to address the significant challenges of dealing with the Log4j vulnerability. As we enter 2022, we've asked a few of the experts on the CIS team to share their 2022 cybersecurity predictions. Some, you'll notice, are similar to last year's, as we work hard to stay steps ahead of threats and bad actors. But there are also a few new predictions we'll be sure to keep an eye on as we step into 2022.
Josh Moulin, Senior Vice President, Operations & Security Services
Growing concerns over the mental health and wellness of cybersecurity professionals. Members of the MS-ISAC have been increasingly discussing concerns about the wellness of their staff. As if the COVID-19 pandemic has not been stressful enough for all of us, the immediate need to shift to remote work and keep employees and organizations safe from cyber-attacks is more important than ever. With an estimated 577,000 unfilled cybersecurity roles1 in the United States and the seemingly constant barrage of sophisticated cyber-attacks such as SolarWinds, Kaseya, Log4j, and others, cybersecurity professionals are burning out. Employers should be offering employee assistance programs (EAP), encouraging workers to take time off, and making plans to provide coverage so their security staff will feel comfortable stepping away to recharge.
Continued convergence of OT/IoT and cyber-physical attacks. Many organizations lack adequate strategies or detection/response capabilities for Operational Technology (OT) and Internet of Things (IoT) infrastructure. This has left many critical infrastructure sectors vulnerable to attacks, having a direct impact on public safety. In 2021 we saw evidence of this in the Colonial Pipeline, JBS meatpacking plant, and Florida water treatment facility cyber-attacks. While ransomware will continue to dominate these attacks, more life-threatening offenses against our public safety, hospital, communications, utilities, transportation, and other critical infrastructure will increase. According to a recent report by Gartner, attacks on critical infrastructure have increased by 3,900% since 2013, and they predict that by 2024 a cyber-attack will be so damaging to critical infrastructure that a member of the G20 will reciprocate with a declared physical attack.
Curtis Dukes, Executive Vice President & General Manager, Security Best Practices
Software suppliers will be the next big target of ransomware attacks. Ransomware is a wholesale business that succeeds by offering a set of tools and exploits that can be developed once and run in as many places as possible. The most lethal and best-run criminal cartels are looking downstream from their most lucrative targets for software suppliers who distribute vital product updates. These exploits will not show up in large numbers and they will not roll out quickly since they require expertise, sophistication, and a long development time. But the return on investment is too large to resist. To counter the threat of ransomware, it’s critical to identify, secure, and be ready to recover your high-value digital assets in the likely event of an attack. This requires a sustained effort obtaining buy-in from the top level of your organization (like the board) to get IT and security stakeholders working together
Kathleen Moriarty, Chief Technology Officer
Increased automation and built-in security. Thanks to the President's executive order issued last May, we'll see increased support for software supply chain assurance. Many vendors will provide a software bill of materials (SBOM) for all of their software and libraries. The overall management and achieving allow lists for expected software additions will take a bit longer, as will simplifying the management of software once it's in place.
Simplified management for security. This will begin with improvements on asset inventory based on infrastructure assurance work almost every vendor has completed at this point using attestation from a root of trust. With remote attestation standards about to be published, we'll see key vendors automating reports on asset inventory that has been assured as trusted infrastructure in the boot process (e.g., assurance to NIST SP 800-193). The remote attestation of infrastructure, demonstrating that it boots as expected, simplifies Control 1 of the CIS Critical Security Controls, and provides an assurance of assets at the firmware and bios level. This pattern will be replicated for software inventory and posture assessment further into the future to make strides towards simplifying security and reducing resource management needs.
Angelo Marcotullio, Chief Information Officer
Ransomware will continue to grow in 2022. An organization’s best response to a ransomware infection is a comprehensive and regularly tested recovery program. Start with a review of all of your databases, file servers, and application servers – both physical and virtual. Organizations should have backups stored in an offline location that cannot be accessed by ransomware. Organizations should also test recovery multiple times per year.
Increased use of log file and configuration monitoring software. Configuration and log file monitoring for unusual or unexpected activity is a powerful way to identify possible malicious activity. There are many software tools that can be configured to send alerts when certain activity is detected. Some examples are repeated failed authentications, authentications that occur at unusual times such as late at night or on weekends, changes to system configurations related to permission escalation, and changes to system configurations that disable monitoring.
James Globe, Vice President of Operations
Increased adoption of endpoint monitoring, multi-factor authentication, and zero trust network access methods. Making this a priority in 2022 will help to protect IT infrastructure, personal identifiable information (PII), and the intellectual property (IP) of companies. This implies that mature organizations will spend the necessary budget to add these necessary prevention layers in order to avoid or lessen the impact of large-scale cyber-attacks and technology vulnerabilities like SolarWinds and Log4j.
Security vendors will start to include more security configuration options and provide improved out-of-box secure configurations. The impact will be tremendous for low technology and underserved organizations that do not have the technical staff to maintain their IT infrastructure and stay up to date on cybersecurity prevention techniques.
Legislation of ransomware delivery models using cryptocurrency is still a largely unregulated monetary system by world governments. In 2022, I think more nations will start to pass legislation that regulates cryptocurrency and ransomware payments, fines, and negotiations.
Adam Montville, Chief Product Officer
Continued supply chain issues. In 2022 I think we'll see continued supply chain issues, a ramp-up in software bill of materials (SBOM) efforts as a response to that (if the effort doesn’t implode), and we’ll see the continued evolution of ransomware into extortion campaigns (we have your information and will set it free unless you pay us).
Machine learning and artificial intelligence will play a role. We’ll probably also continue to see machine learning and artificial intelligence being used to aid cybersecurity automation. But these technologies will need to explain how they reach conclusions in order to be accepted over the long term. Finally, we’ll see a continued migration to managed services, and increased adoption of cloud environments to manage workloads and share more security responsibility.
Tony Sager, Chief Evangelist
Here’s what I am tracking in 2022 – the rapid shift of cybersecurity from a focus on technology and “emphatic assertion” (e.g., “We need better-engineered systems!”; “Company executives need to pay attention to cyber!”; “We have AI and machine-learning!”) to a more holistic view of cyber risk based on economics and social behavior. This will require changes in partnership and activity across government (at every level), industry (as a whole, not just the cyber industry), academia, and nonprofits (including CIS). We’re starting to see the buildup: incentives being set in statehouses around the country; specific operational partnerships between government and industry; rethinking of cyber insurance; and continued maturation of cyber risk quantification and the use of data to drive defensive strategy.
Randy Rose, Senior Director of Cyber Threat Intelligence
Threat actors are likely to increase focus on tactics and techniques designed to circumvent signature-based defenses. These techniques can include fileless malware and living off the land techniques, such as executing malicious actions by leveraging administrator tools and binary files already present on systems that provide user functionality. While some sophisticated actors have been employing these techniques for years, it's becoming increasingly easier for less sophisticated actors to do so as well. Additionally, as behavior-based detection and response capabilities become more widely used, attackers must evolve to better hide within the normal baseline of monitored systems.
Manipulation of web and mobile application programming interfaces (APIs) is becoming an increasingly attractive attack vector. This is likely due to advancements in on-device processor speed, increased memory, mobile device portability, the evolution of network quality and bandwidth (e.g., 5G, fiber), and the continuing increase of mobile devices as people's primary means of accessing the internet. A very high percentage of business websites have APIs backed by some form of database and accessed through some form of mobile computing. Common examples include mobile banking, airline ticketing apps, and the use of near-field communication (NFC) for contactless payments, mobile sharing – even hotel keycards and proximity keys for vehicles.
Continued leveraging of vulnerabilities in software provided by supply chain vendors such as SolarWinds, Microsoft, and Apache has proven to be extremely effective for threat actors over the past year. Given the massive attack surface provided through the successful compromise of a single supply chain vendor, threat actors are likely to continue pursuing vulnerability research against these large vendors. It's beneficial to cybercriminals because the potential victims are many, and a carefully crafted bit of code can allow them to drop ransomware and other malware on a target system. At the same time, the chaos created in these events presents the opportunity for more sophisticated actors to “hide in the noise,” potentially leveraging a known vulnerability early on and patching it after gaining a foothold. The MS-ISAC observed (and continues to observe) mass scanning and exploit attempts after every disclosure of a major vulnerability (SolarWinds, SonicWall, MS Exchange, Pulse Secure VPN, Kaseya VSA, Log4j, etc.) over the last year.
Continued ransomware attacks. Despite the Federal Government's efforts to disrupt ransomware operations globally, the MS-ISAC predicts ransomware will continue to be a problem for state, local, tribal, and territorial (SLTT) entities throughout 2022. Specifically, we anticipate that K-12, higher education, and critical infrastructure, such as water systems, energy systems, communications, and transportation, are likely to be high-value targets for ransomware operators. The K-12 and higher education sectors have publicly available budgets that are easily obtainable and have been targeted by criminals. K-12, higher education, and especially critical infrastructure have high uptime requirements, which puts increased pressure on these organizations to recovery from ransomware attacks quickly. Cybercriminals know they can hit business systems and still impact the industrial environment, as we saw with Colonial Pipeline, and are betting on victims to pay the ransom quickly and without much negotiation
Stephen Jensen, Senior Director of Operations
Social engineering. As employees continue to work remotely, there will be an increase in social engineering attacks. These attacks are more concerning when the equipment used by the employee is not managed by their organizations. Security controls continue to improve on enterprise networks but these controls often do not filter down to employees’ home networks. Security education needs to transform to include how to better recognize phishing attempts and scams, as well as how to secure home networks used in the work-from-home environment.