Cybercriminals will come and go. Technology’s list of what’s-hot and what’s-not will change. But as we embark on 2022, there are three core principles for security that I want to share with you. I leveraged these in my work at the White House and they endure today in my consulting practice. These three principles will stand you in good stead no matter what threats you face.
With those principles in mind, here are my national security takes for 2022 and my predictions regarding cybercrime trends, including what businesses need to know to defeat cyberthreat actors in 2022 and 2023. My goal is to engage and empower you to design plans now to combat what is coming next. I’ll begin with some general information about global issues.
The Log4j vulnerability that hit the news cycle in December 2021 is the most current example of rampant supply chain issues. I expect during 2022 that cyber operatives from Russia and North Korea will take advantage of supply chain vulnerabilities like Log4j or last year's Kaseya or SolarWinds. Their goal will be to leverage a trusted third-party product to allow them inside access and to quietly, in stealth mode, build a pervasive foothold.
Regarding whether Log4j is fixed as of writing this post, the answer is not simple. The solution relies on good old fashioned detective work to find the problematic systems and patch them. We know that big names such as Apple, Amazon, Tesla, and even Microsoft’s Minecraft and LinkedIn were impacted. NSA Director Rob Joyce has said that even the tool they use to reverse engineer cyberattacks (Ghidra) had to be patched. This issue cannot be fixed by a security team alone; it also requires the technology teams, such as product development and support, which are often outsourced.
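One way to do that detective work on a file system, as an added example that is not from the original post: this scanner walks a directory, opens every JAR/WAR/EAR (and archives nested inside them), and reports those still bundling the JndiLookup class together with the log4j-core version from the bundled pom.properties. The class path and pom location are the standard ones for log4j-core; the function names and output format are my own.

```python
# Added example (not from the original post): inventory scanner for Log4j archives.
# Flags archives that still carry JndiLookup.class, the component Apache's own
# mitigation guidance told operators to delete, and reports the log4j-core version.
import io
import os
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def _version_from_pom(zf):
    """Read version= from the Maven pom.properties that log4j-core ships with."""
    if POM_PATH not in zf.namelist():
        return "unknown"
    for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"

def inspect_zip(zf, location, depth=0):
    """Yield (location, version) if this archive bundles JndiLookup, then look
    up to two levels deeper for nested archives (a .war with WEB-INF/lib/*.jar)."""
    names = zf.namelist()
    if JNDI_CLASS in names:
        yield (location, _version_from_pom(zf))
    if depth >= 2:  # bound recursion so a hostile nested archive cannot stall the scan
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_zip(inner, f"{location}!{name}", depth + 1)
            except zipfile.BadZipFile:
                continue  # not a real archive despite the extension

def scan_tree(root):
    """Return sorted (location, version) pairs for every affected archive under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_zip(zf, path))
                except zipfile.BadZipFile:
                    continue
    return sorted(findings)
```

Compare each reported version against your vendor's fixed-version guidance; an archive that reports "unknown" still contains the lookup class and needs a manual look.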
Cybercrime is global and operatives live and work in almost every country that has internet access. Some of the biggest cyber threats for America’s national security come from individuals operating within Russia, China, North Korea, and Iran.
Russia: If/when Russia invades Ukraine, the US will have to respond along with NATO. It's very likely that Putin will decide to leverage cyber tools because they are less obvious. This could include misinformation operations, cyberattacks on banks and businesses within Ukraine, and attacks on critical infrastructure.
North Korea: In 2022 we will see North Korean hacking groups continue to target staff that work in economics, finance, R&D, as well as diplomats and prominent executives. Their tool of choice has been "credential harvesting": sending emails to convince the target to click on links, looking for and stealing from password dumps, and using tools to generate passwords based on past passwords. One group that's skilled at this is the TA406 group, which has targeted individuals far and wide including in the United States, Russia, China, and South Korea. Besides committing economic espionage, they look for ways to steal cryptocurrency.
China: This year operatives will continue probes and theft of US R&D. Last year the FBI and NSA said they had "high confidence" that hackers contracted by China's Ministry of State Security attacked Microsoft email servers. This attack netted email treasures from both private and public sector organizations including schools, hospitals, cities, and pharmacies. I expect this to continue unless the US hammers out an agreement. According to a new Washington Post study, China, which typically focuses on internet surveillance of its citizens, has started to track citizens outside their borders. Their investigation found China had government contracts and projects that included “orders for software designed to collect data on foreign targets from sources such as Twitter, Facebook, and other Western social media.”
Iran: Political espionage to advance Iran’s interests will continue, as well as attacks for financial gain. In November of last year, a federal grand jury indicted two Iranian hackers. Their crime was reminiscent of Russian tactics: they were indicted for election interference. They stole information from a state’s election website and built a disinformation campaign targeting Americans. Iran is also working with ransomware tools.
Will this be the year of the International Accord on Cybercrime? No, probably not. There’ll be a lot of talk, but most likely nothing will be passed.
There is a draft that started in December 2019. Just before the pandemic hit, the U.N. General Assembly adopted a resolution to draft a global comprehensive cybercrime treaty. Prior to Omicron, discussions were planned for January of 2022.
The U.N., the U.S., the EU, and many States parties to the Budapest Convention feel this is not the right direction and want to enhance the Budapest Convention treaty on cybercrime.
Big Concern: Whether it's the extension of the Budapest convention or something new, agreement on the treatment of cybercrime is too vague and not enough work has been done around human rights. We can't even agree globally yet on what constitutes cybercrime. We don't have a framework across all borders regarding how law enforcement needs to work in a cross-border crime and investigation. It’s not even clear what "due process" is in an international cybercrime.
At the end of each year, I predict what I believe will happen in the next two years, and then offer design ideas to combat/mitigate the predicted threat. I always share these creative design fixes publicly to allow businesses and government organizations to prepare in advance.
There are three key threats facing your organization in 2022: Extended Reality, access to cash, and AI driving misinformation.
Extended Reality, or XR, is an immersive platform that includes, but isn’t limited to, technology and human experiences such as MR (mixed reality), VR (virtual reality), and AR (augmented reality). By 2022, I believe XR, which some refer to as the Metaverse, will be the primary way to conduct global gatherings without travel – and it will be hacked!
This technology is impressive and will be widely used to do all the things we usually do in person, but more safely. XR will allow each of us to greet each other, hug a loved one, and experience an enhanced reality. We will be able to educate and engage children in a more emotionally supportive way from a distance, and you can provide remote human interaction for your respective enterprises.
XR makes possible the Internet of Behaviors (IoB), the digital breadcrumbs of our daily lives. That’s because XR thrives on collecting every detail about you to ensure it can deliver a superior experience. As a result, XR surpasses how AI mines your digital tracks because it records your emotional reactions as you interact with the technology.
During the race to collect and analyze work interactions to improve processes and manage risk, everything from smart speakers to video chats for virtual meetings to messaging platforms will now be collected and mined for information.
However, keep in mind that, with the advent of the Internet of Behaviors, data and the platforms will be a target of choice for criminals. Cybercriminals will most certainly take advantage of these advances, and a central XR platform will be hacked. When this happens, the consequences for future identity theft and social engineering will be beyond comprehension and beyond cybersecurity's ability to provide a counterattack.
If you’re collecting data for the Internet of Behaviors:
∙ Consider storing the data out of band and away from your business.
∙ Have a playbook.
Here’s a scenario which I’ll give you the highlights of so you can see why access to cash matters. The Mini-Black Swan Banking Event involves cyber operatives breaching a bank. They then:
Design Consideration / Action:
∙ Discuss approaches with your banks for funds if there is an outage or run on the
∙ Consider a backup bank.
In 2022, artificial intelligence programs trained by cyber operatives will look for trending topics, social media sentiments, and news headlines. The AI programs, without human intervention, will write social media posts, news articles, blog posts, and more, all carefully curated to appear human-generated. AI will use algorithms to monitor effectiveness and engagement to launch disinformation campaigns designed to promote or attack a trending topic or hashtag, all without human involvement. The AI will attack companies, industries, social issues, organizations, and individuals, and the attack will be hard to defend against or even to pinpoint where it originated.
What can you do?
As ransomware evolves, extortionware and destructionware have now become common.
In this scenario ransomware will successfully hit a cloud services provider which houses business systems. They will lock up both the backups and the operations, making it very hard not to pay the ransom.
Practice a playbook to deal with ransomware including extortion and destruction elements. Define in the playbook any circumstances where you might pay versus when you wouldn’t pay. Talk to your legal team and insurance agent to make sure you understand what a path of not paying looks like: ask very specifically if your insurance company will fund the disruption in service if you avoid paying the criminal ransom.
Design Consideration / Action:
In the wake of SolarWinds, in which the attackers tampered with logs, and to defend against ransomware syndicates that lock up backups, I recommend two design considerations for resiliency, reliability, and redundancy:
∙ Have more than one cloud provider.
∙ Store an extra copy of backups and your access logs offline/out of band.
To continue to better prepare for the future, I have additional predictions of how cybercriminals may decide to invest their time and energy in 2023.
The race to send private citizens to space, allowing more connectivity with Low Earth Orbit (LEO) satellites, added to the nearly ubiquitous use of satellites, makes space an attractive target. Space will be hacked, beginning with the disruption of new connectivity provided by LEO satellites. As governments and businesses rush to connect the disconnected via a string of LEO satellites, these will become a prime target for cybercriminals. Our critical transportation infrastructure will be at risk as everything from trucks, autonomous delivery vehicles, planes, shipping vessels, and more are dependent upon GPS, continuous navigation, and communications with just-in-time updates.
Have a backup plan if your systems leverage LEOs: can you use land lines or ground internet if these are temporarily offline?
As AI-supported software development takes hold and code generators become more popular, this combination will provide the next great frontier for third party supply chain attacks. By leveraging machine learning to augment developers’ processes, the code should, in theory, be more secure and reliable. However, it only takes one successful social engineering campaign to allow a cyber operative to taint the machine learning or inject a change into the algorithm to generate dormant security flaws they can take advantage of at a later time.
∙ Create a trust-but-verify development process with peer reviews to ensure that code builds are valid.
∙ Regularly red team code bases to look for hidden security flaws.
Cybercriminals will harness computing power and AI to find a vulnerability in blockchain hashing. This will allow them to mimic the blockchain in order to conduct stealth movement and pilfering of cryptocurrency, NFTs, and other items stored on the blockchain and replace them with decoys. It will appear as if the theft never happened.
∙ Have old school storage of certificates, printouts of logs, and backed up information that you can store in a safety deposit box or out of band in the event of a theft.
On behalf of our team at Fortalice Solutions, we wish you a prosperous and secure 2022.
During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives’ or board members’ personal cybersecurity hygiene to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.