With 2019 nearly in the books, this post reflects on a few of the biggest cybersecurity developments of the past year, and on how these trends are likely to shape the industry in the coming year.
What happened in 2019? Way back in the first half of 2018, a noticeable drop in ransomware campaigns led to premature speculation that the age of file-encrypting malware was ending. In reality, cybercriminals had begun leveraging ransomware in increasingly targeted and highly successful campaigns. This trend continued throughout 2019, which saw ransomware actors secure six- and seven-figure ransom payouts from major targets including local governments, large corporations, and entities in the education and healthcare sectors. In recent months, the line between ransomware attack and data breach has started to blur, with those behind campaigns like REvil (aka Sodinokibi) turning the screws on their victims by threatening to publish their sensitive data if the ransom demands are not met.
What does this mean for 2020? The ongoing ransomware rampage is bound to escalate further in 2020, with more and more threat actors launching targeted campaigns against major public and private organizations, as well as strategic targets like managed services providers (MSPs), including cloud services providers (CSPs), and vendors of large corporations. New ransomware strains will enter the scene; ransomware-as-a-service offerings (most notably REvil) will mature further; and attack methods will get increasingly sophisticated, with the adoption of living-off-the-land (fileless) techniques and attack chains that deliver ransomware via threats like TrickBot and Emotet. Cybercriminals will continue to raise the stakes by publishing the data of organizations that refuse to pay up, while ransom amounts will increase further.
Social engineering 2.0
What happened in 2019? Social engineering attacks continued to trick companies into handing over sensitive data (phishing) and carrying out fraudulent wire transfers (business email compromise) to the benefit of cyber crooks. Moreover, as we outlined in a previous blog post, attackers began launching highly targeted versions of these attacks, including evasive spear phishing as the latest incarnation of (spear) phishing, and a new variation on BEC dubbed vendor email compromise (VEC). Also, let’s not forget the introduction of deepfakes in these campaigns, such as when a UK subsidiary was scammed out of $243,000 by threat actors who contacted the CEO over the phone using an AI-generated voice that mimicked the CEO of the parent company.
What does this mean for 2020? Similar to the rise of targeted ransomware, the early successes of evasive spear phishing and VEC will lead cybercrime organizations to further shift toward highly targeted and potentially more profitable campaigns. Additionally, threat actors will increasingly take advantage of deepfakes, i.e. highly realistic AI-generated audio or video content, to make their social engineering efforts seem more legitimate. These campaigns will move beyond email and include other communication technologies such as SMS, messaging apps, social media and phone calls.
The skills gap and automation
What happened in 2019? The global shortage of cybersecurity professionals exceeded 4 million, according to a recent (ISC)² report. For North America, the skills gap reached 561,000, which means that the US cybersecurity workforce would need to increase by a staggering 62% in order to meet current demands. The research highlights penetration testing as one of the roles that have become especially understaffed. Meanwhile, cybercrime further established itself as a booming underground industry modeled after the private sector.
What does this mean for 2020? The combination of a mounting security skills gap and an explosion in cybercrime has been exacerbating security risks across entire industries. Both of these trends are likely to speed up in 2020, which could result in a surge in data breaches, ransomware attacks and other major security incidents. In their efforts to turn the rising tide of cybercrime, organizations are likely to begin embracing traineeships, apprenticeship programs and other initiatives aimed at recruiting motivated people with diverse backgrounds into cybersecurity roles. In addition, companies are bound to invest in automated security solutions that require less human interaction to carry out crucial tasks. Until now, discussions about automation in cybersecurity mostly focused on the defensive side. However, emerging solutions for vulnerability scanning and penetration testing, such as our very own vPenTest automated penetration testing platform, show that automation could become a game-changer for offensive security in 2020.
About Vonahi Security
Vonahi Security is building the future of offensive cybersecurity consulting services through automation. We provide the world's first and only automated penetration test that replicates full attack simulations with zero configuration. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.