Secureworks experts’ predictions
Emerging Cybersecurity Trends in 2022 Across the Threat Landscape
Find out what Secureworks threat intelligence experts predict will change and what will remain the same as we bring 2022 into focus…
The past year has seen a mixture of change and stasis in the threat landscape. TTPs evolved but ransomware and business email compromise remained major threats. The coming year will see continued evolution and new developments.
Threat Actors Choose Speed Over Stealth
As it becomes more challenging to move through compromised environments without detection, adversaries will increasingly choose speed over stealth. Because of this, the time domain will become more important for defenders.
Business Email Compromise Will Remain a Serious Threat
Ransomware will continue to get all the headlines, while in the background BEC attacks will lead to large single-loss events that are both easier and faster to conduct.
Common Security Gaps Remain Threat Actor Magnets
Keeping good cyber hygiene will be more important than ever. Cybercriminals will continue to leverage common security issues to compromise their targets wherever they can, in preference to using complex zero-day vulnerabilities. Prime examples of such issues include lack of MFA, compromised credentials, and services such as RDP exposed to the internet.
On-Premises Attacks Will Not Disappear as Hybrid Cloud is Embraced
The security of cloud-based resources will become progressively more important for organizations, although many network intrusions will continue to have an on-premises component to them.
Cloud Misconfigurations Will Add Risk
There will be an increase in cloud-based attacks due to the assumed security of these platforms. Organizations will deploy new applications and infrastructure to the cloud where possible and spend less time understanding the particulars of their environment. However, while cloud-based technologies, such as containers, make deployment easier, they also introduce additional risk. Expect more attacks due to misconfigurations (exposed data, not knowing what is internet facing, etc.), vulnerabilities, and a lack of adequate controls on these platforms.
Data Integrity Gets a Long-Awaited Seat at the Table
Ransomware will evolve from encryption to exfiltration and exposure. As organizations prioritize risk mitigation, threat actors will advance their modus operandi and find the latest, most effective way to disrupt business by making the decision of ‘to pay or not to pay’ much more relevant again. Actors will start to target data integrity – modifying information in such a way that the time, effort, funds, and resources needed to assess, remediate, and recover will far outweigh the cost of extortion. Payment in these circumstances could significantly improve the survivability of an organization, and, therefore, becomes the perfect leverage for the adversary.
Ransomware Operators Will Change Tactics to Avoid Law Enforcement Consequences
Ransomware threat actors have realized that not all publicity is good publicity. Some will avoid targeting critical infrastructure operators and other organizations in politically sensitive verticals for fear of retribution from law enforcement and intelligence agencies. This will create challenges for these groups around tighter control of their affiliates. In contrast, other less established criminals may deliberately focus on these sensitive targets as a way of growing their own brand and filling a perceived gap in the ransomware market.
Crackdown on Ransomware Becomes More Aggressive
Law enforcement will adopt increasingly aggressive techniques in their ongoing efforts to disrupt the ransomware ecosystem, or the ecosystems (e.g., cryptocurrency) it relies on. This will begin to impact cybercriminals’ ability to operate freely, although it will not deter the more capable (and more damaging) ransomware groups.
DDoS Attacks Used to Augment Ransomware Attacks
More and more threat actors will use DDoS attacks to augment ransomware attacks. DDoS attacks alone do not provide threat actors with a good return on investment, given organizations’ normal ability to withstand these attacks or minimize their impact. As an additional extortion technique against victims already struggling with ransomware, their impact is magnified.
Number of ‘Ransomware-less’ Attacks Will Grow
There will be a rise in the number of intrusions where threat actors exfiltrate data without utilizing ransomware to encrypt hosts, believing that holding the confidentiality of data hostage against the pressure of regulatory fines will negate the need for ransomware. Objectively, it is faster and simpler for adversaries to execute and does not require them to give a cut to the ransomware operators. How widespread this becomes will depend on whether initial experiences prove as lucrative as traditional ransomware-based intrusions.
Overt Blame Will Bolster Covert Deterrence
The U.S. and other Western states will become increasingly assertive in attributing hostile state cyber activity, coupled with more covert deterrence operations.
Espionage Remains a Key Driver
Hostile state activity will continue to focus primarily on espionage rather than on disruption and destruction. Several states, notably China, Russia, and Iran, will continue to conduct operations aimed at harvesting bulk data to support subsequent cyber operations and traditional espionage activities.
Risk Calculation for Cyber Insurance Will Change
The cyber insurance market will reach a watershed moment where coverage for certain types of activity (e.g., ransomware coverage) becomes prohibitively expensive. Cyber insurers will become more stringent about the conditions under which a policy will pay out. None of this will fundamentally change the threat that organizations face, although the challenges around recouping a loss may change the risk calculation, increasing the value of effective preparation and incident response plans.
Secureworks’ Counter Threat Unit analyzed a combination of more than 1,400 incident response engagements, trillions of event logs from customer telemetry, and monitored over 300 threat groups to bring you the “2021 State of the Threat” report.