For many, the turn of the new year is a time of positive affirmations. With an eye toward the future, many of us feel the drive to focus on setting and fulfilling our goals – near and far – with renewed vigor to help us be the very best version of ourselves by starting the year off strong.
As with most things, there is an inherent yin and yang quality present, and while looking forward to the year before us, it’s only natural to turn the other eye toward the past: specifically, the year just left behind, reflecting on its various ups and downs, good moments, great moments, and those that were less than we’d hoped for or expected.
It is within this contemplative mode that we’re able to fully think through each moment, milestone, and event that occurred. This aids us in understanding the pros and cons, devoid of any emotional pull in either direction, and in logically assessing each instance for what it was, ultimately arriving at the lessons learned and, hopefully, growing into versions of ourselves that are all the better for having survived the ordeal.
This iterative process is a tentpole in many IT and Security frameworks, used to manage projects and the device and software development lifecycles respectively. And in this blog, we put on our thinking caps as we take a closer look at the top ten security threats of 2022 while reflecting on what IT and Security professionals can learn from each of these threats as they move forward in protecting the devices, users, and data in their organizations from existing threats as well as security issues looming along the horizon in 2023.
Without further ado, let’s dive in, the water’s nice and hot…
1. The Art of Deception
Social engineering tactics, like phishing, continue to be the top threat type preferred by bad actors to separate unknowing users from their credentials and, ultimately, their precious data. Sadly, the gap between how extensive security solutions have become and how easily attackers can obtain sensitive data by merely asking for it is staggering.
Put another way, even the most comprehensive security solutions and defense-in-depth strategies won’t mean much for the:
- integrity of user accounts
- confidentiality of data
- availability of organizational resources
if end-users are handing over their credentials willingly. While this low-hanging-fruit attack generally spells “game over”, not all hope is lost.
The best protection against social engineering isn’t a technical control, but an administrative one: training. Implementing mandatory user training against the dark arts and weaving it into your holistic security strategy has been shown, at least to a degree, to limit the impact of social engineering attacks. This is evidenced in Verizon’s Data Breach Investigations Report for 2022, where “82% of breaches involved the human element” as opposed to the 85% noted in 2021. Though the 3% decrease may not seem like much, it should be noted that since training methods vary from one enterprise to the next, quantifying this data is difficult, as no standard of measurement currently exists. But what is known is that a reduction in the human element contributing to overall data breaches is a step in the right direction.
2. “That’s a big Twinkie”
The infamous line from Ghostbusters, used to describe the swell of paranormal activity that eventually led to the Stay Puft Marshmallow Man wreaking havoc, is a solid analogy for the largest Distributed Denial of Service (DDoS) attack stopped by Google, which hit a peak of forty-six million requests per second. It was the largest ever layer 7 (Application layer of the OSI Model) attack recorded, and 76% larger than the previously reported record holder, which took place just a few months prior.
Protecting against DDoS is a difficult task, and one that most organizations simply aren’t equipped to mitigate effectively on their own. Not without a little help from upstream ISPs and third-party service providers. And yet, therein lies the answer: with DDoS attacks showing a 111% year-over-year growth rate, according to Cloudflare’s DDoS Threat Landscape Report, partnering with select solution providers can effectively stop one of the deadliest forms of attack, or at least provide the bandwidth and infrastructure scaling necessary to keep your critical services functional while you weather the storm. Furthermore, while some DDoS attacks are executed merely to make a service or solution unavailable, others are part of a larger attack chain, aiming to breach the infrastructure in a covert attempt to steal data from unresponsive systems.
3. Pay up now, later...or both!
Just a notch under phishing is ransomware. The malware that users love to hate!
Getting infected by malware is already a frustrating and time-consuming chore to clean up as it is, but ransomware – being the overachiever that it is – kicks this up a few notches by hitting affected users and organizations where it hurts most: their pocketbook.
And not just that, but the nearly unbreakable nature of the encryption used on critical data and sensitive systems means that it’s not just end-users that are impacted, but patients that are relying on these systems to administer life-saving treatments or police officers that utilize mobile devices to stop crime and put away criminals.
But it gets better! 2022 saw both a decline and an increase in ransomware-based threats. The former was a noted 23% drop in the volume of ransomware attacks; the latter, unfortunately, was a dramatic increase in payment demands – over 171% since 2020. Not helping matters is that attackers have been evolving their ransomware-based threats to include more sophisticated methods of getting victims to pay up, combining threats with multiple payloads for massive damage and “double extortion”, such as:
- Leaking data to the public
- Denial of Service (DoS)
- Harassment via phone or email
- Lateral network movement
- As part of a larger attack chain
Bottom line: Even with malware protection installed and updated, new variants could possibly slip through. The best protection is a comprehensive defense-in-depth plan alongside countermeasures to secure your network and systems to minimize attack vectors while containing the fallout.
4. Reach out and hack someone
Since the global pandemic forced most companies to go remote, the ensuing scramble caught many unawares. In the years that followed, some of those organizations went back to in-person work environments while many others opted to keep remote or hybrid environments going. In 2022, keeping data secured outside of the network perimeter continued to be a challenge, and it looks to remain that way into 2023.
Some of the threats we’ve discussed so far, like social engineering and evolved malware threats and attacks, combined with a lack of best-of-breed solutions to secure the device types and OS’s being supported, prevent organizations from gaining the visibility necessary to proactively identify novel threats while keeping endpoints compliant with necessary policies and regulatory governance.
The result? The modern threat landscape has evolved in new and unimaginable ways, such that legacy solutions like VPN, standalone antivirus or non-converged solutions simply cannot mitigate the risks from current threats the way newer technologies can. Zero Trust Network Access (ZTNA), AI and machine learning (ML), and the integration of MDM and endpoint security solutions work together to:
- encrypt and segment network connections to company resources
- share threat intelligence between solutions over secure API access
- automate the detection and remediation of known and unknown threats
5. Who goes there?
Supply chains in IT and Security products took a beating in 2022. There’s simply no way to sugarcoat this – nor should we attempt to – given how severe such attacks are. This is not a finger-pointing exercise but merely underscores the enormous gravity that third-party and supply-chain attacks pose to organizations overall.
As evidenced by some high-profile attacks in recent years, even if your organization is doing everything right to shore up security and limit unauthorized access, if a vendor or partner that you’re relying on for software, hardware or services becomes compromised, every organization that relies on those tools becomes part of the downstream cascade, effectively putting them at risk of compromise.
The multi-million-dollar question is, how do you mitigate this advanced persistent threat (APT)? As with most security concerns, there is no silver bullet solution here, just good ‘ole due diligence as your organization engages with partners. Vetting their processes for transparency and hiring independent third-party auditors are great ways to obtain assurance that the vendors you’re trusting are performing due care when managing their own networks and infrastructure, at least until the U.S. government’s Enduring Security Framework (ESF) and the Securing Open Source Software Act of 2022 make it across the finish line.
6. “Regulators mount up”
Compliance. One small word that carries so much weight, particularly if your organization belongs to one of several highly regulated industries, or even if it is only indirectly associated with any form of local, federal, and/or international law based on any number of variables. The fact remains that businesses the world over may be subject to certain practices and processes directly governing how they do business. Should they fail at that, the consequences could be costly, ranging from civil liability to criminal prosecution.
A basic tenet for compliance, or a generally accepted best practice to follow, is: “If you can’t prove that a device is compliant, then it isn’t.” This does not necessarily mean that your organization is in direct violation and at risk of security threats or steep fines per se, but rather serves as a reminder that regulated organizations rely on deep visibility and rich telemetry data in order to:
- ascertain the health status of endpoints
- verify that they are aligned with security policies
- meet minimum auditing requirements
- ensure that protected data types are secured
- ensure that processes are hardened against common threats
- show proof that endpoints and data are compliant
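The tenet above has a direct technical consequence: a compliance check has to treat missing telemetry as a failure, not as an unknown. The following script is an added example written for this post, not Jamf code or any product’s compliance engine; the device records, the policy thresholds (minimum OS version, disk encryption, firewall, screen-lock timeout) and the field names are all constructed for illustration. It evaluates each device against the policy, keeps the evidence each verdict rests on so it can be shown to an auditor, and marks any control the device never reported on as failed.

```python
"""Evaluate constructed device telemetry against a compliance policy.

Added illustration, not Jamf code. The rule it encodes is the one from
the post: a device that cannot prove it meets a control is treated as
non-compliant for that control.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str
    passed: bool
    evidence: str  # the telemetry value (or lack of one) the verdict rests on


# Constructed policy: minimum OS version and required settings (assumptions).
POLICY = {
    "min_os_version": (13, 1, 0),
    "disk_encryption": True,
    "firewall": True,
    "max_screen_lock_seconds": 300,
}


def parse_version(text):
    """Turn '13.2.1' into (13, 2, 1); missing trailing parts count as 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_device(telemetry, policy=POLICY):
    """Return one Finding per control for a single device record.

    A control whose telemetry field is absent fails with the evidence
    'no telemetry': an unproven control is a failed control.
    """
    findings = []

    os_version = telemetry.get("os_version")
    if os_version is None:
        findings.append(Finding("os_version", False, "no telemetry"))
    else:
        ok = parse_version(os_version) >= policy["min_os_version"]
        findings.append(Finding("os_version", ok, os_version))

    for key in ("disk_encryption", "firewall"):
        value = telemetry.get(key)
        if value is None:
            findings.append(Finding(key, False, "no telemetry"))
        else:
            findings.append(Finding(key, value == policy[key], str(value)))

    lock = telemetry.get("screen_lock_seconds")
    if lock is None:
        findings.append(Finding("screen_lock", False, "no telemetry"))
    else:
        ok = lock <= policy["max_screen_lock_seconds"]
        findings.append(Finding("screen_lock", ok, str(lock)))

    return findings


def is_compliant(findings):
    return all(f.passed for f in findings)


def compliance_report(fleet, policy=POLICY):
    """Map each device id to (compliant?, names of failed controls)."""
    report = {}
    for device_id, telemetry in fleet.items():
        findings = evaluate_device(telemetry, policy)
        failed = [f.control for f in findings if not f.passed]
        report[device_id] = (is_compliant(findings), failed)
    return report


# Constructed fleet telemetry for three sample devices (not real data).
SAMPLE_FLEET = {
    "mac-001": {"os_version": "13.2.1", "disk_encryption": True,
                "firewall": True, "screen_lock_seconds": 120},
    "mac-002": {"os_version": "12.6", "disk_encryption": True,
                "firewall": False, "screen_lock_seconds": 600},
    # firewall and screen lock were never reported: both controls fail
    "mac-003": {"os_version": "13.1", "disk_encryption": True},
}

if __name__ == "__main__":
    for device, (ok, failed) in compliance_report(SAMPLE_FLEET).items():
        print(device, "compliant" if ok else "NON-COMPLIANT", failed)
```

The `evidence` field is what turns a verdict into proof: a report that only says “non-compliant” is an opinion, while one that says “firewall: no telemetry” tells both the administrator and the auditor what to fix and what to re-check after remediation.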
7. Tales from the Crypt-omining
Since the dawn of Bitcoin, circa 2009, miners have created custom systems to mine cryptocurrencies in a concerted effort to get rich. Fast not too far forward to mid-2011 and the rise of cryptojackers – malware that latches itself to your devices and uses your system resources to mine. As one can see, it wasn’t long before threat actors got into the money-making business, creating botnets from victims’ devices to harness all that computing power into full-fledged mining operations.
While these may seem harmless when compared to other, more nefarious cyber-attacks, the fact remains that this constitutes unauthorized access to private networks. Furthermore, taking away precious resources otherwise intended for other, more critical uses is considered stealing. Not to mention that oftentimes the malicious code used to execute these tasks isn’t visible to the end-user, meaning that anything can be added to it to further weaponize it, like a ransomware payload or keylogging software.
Statistics on this topic vary somewhat, with some figures pegging growth at a 230% increase in 2022 and others being more conservative. What is known is that in late 2022, cryptojacking campaigns made the leap to targeting cloud-based environments, such as those running Docker and AWS, as well as Kubernetes infrastructures. Generally, these attacks work by escaping their container and moving laterally throughout the network, infecting other hosts. While the main target appears to be mining on as many containers and instances as possible, researchers have noted that other follow-on attacks are possible given the scalability of these campaigns. Like other entries on this list, endpoint security and supply-chain/third-party vetting, alongside actively monitoring cloud-hosted instance resources for variations from baselines, play a critical role in mitigating this growing concern.
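Monitoring for “variations from baselines” is easy to say and harder to do without drowning in alerts from legitimate bursts of work. The following is an added example written for this post, not Jamf’s or any vendor’s detection logic: it takes per-container CPU samples (constructed, one percentage per minute), learns a mean and standard deviation from a baseline window, and raises an alert only when a run of consecutive samples stays well above that baseline, which is the shape a miner produces and a short batch job does not. The thresholds and the metric names are assumptions.

```python
"""Flag sustained CPU usage that deviates from a per-container baseline.

Added illustration, not vendor code. Each container reports one CPU
percentage per minute (constructed data). A sample is suspicious when
it sits more than Z_THRESHOLD standard deviations above the baseline
mean; an alert fires only after MIN_RUN consecutive suspicious samples,
which filters out the short spikes a legitimate job produces.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # deviations above the baseline mean before a sample counts
MIN_RUN = 5         # consecutive suspicious samples needed to alert
MIN_SPREAD = 2.0    # floor on stddev so a flat baseline does not alert on noise


def build_baseline(samples):
    """Return (mean, stddev) over a baseline window of CPU percentages."""
    if len(samples) < 2:
        raise ValueError("baseline needs at least two samples")
    return mean(samples), max(pstdev(samples), MIN_SPREAD)


def find_sustained_deviation(samples, baseline, z=Z_THRESHOLD, min_run=MIN_RUN):
    """Return the index where a run of min_run consecutive samples above
    mean + z * stddev begins, or None when no such run exists."""
    mu, sigma = baseline
    limit = mu + z * sigma
    run_start = None
    for i, value in enumerate(samples):
        if value > limit:
            if run_start is None:
                run_start = i
            if i - run_start + 1 >= min_run:
                return run_start
        else:
            run_start = None
    return None


def scan_fleet(metrics, baseline_len=30):
    """metrics: {container_name: [cpu% per minute]}.

    The first baseline_len samples of each series form its baseline; the
    rest are scanned. Returns {container_name: minute_offset_of_alert}
    for every container whose usage deviated for a sustained period.
    """
    alerts = {}
    for name, series in metrics.items():
        baseline = build_baseline(series[:baseline_len])
        hit = find_sustained_deviation(series[baseline_len:], baseline)
        if hit is not None:
            alerts[name] = baseline_len + hit
    return alerts


# Constructed metrics: 30 minutes of quiet baseline (mean 12%), then
# ten minutes of activity. The web frontend has a two-minute spike that
# a real request burst could cause; the batch worker stays pegged.
QUIET = [10, 12, 14, 11, 13] * 6
SAMPLE_METRICS = {
    "web-frontend": QUIET + [12, 13, 90, 92, 11, 12, 14, 13, 12, 11],
    "batch-worker": QUIET + [12, 13, 11, 96, 97, 99, 95, 98, 97, 96],
}

if __name__ == "__main__":
    for name, minute in scan_fleet(SAMPLE_METRICS).items():
        print(f"ALERT {name}: sustained CPU deviation starting at minute {minute}")
```

With these constructed numbers the baseline is mean 12 with a standard deviation floored at 2.0, so the alert limit is 18%; the frontend’s two-minute spike never reaches five consecutive samples and stays silent, while the worker trips the alert at minute 33. In production the baseline window would be re-learned on a schedule and the thresholds tuned per workload class, but the structure (baseline, deviation, persistence) is the same.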
8. The Inside Man (or persons)
Not unlike how phishing attacks rely on end-users giving access credentials away, defending against insider threats relies on trusted individuals within your organization doing their part and not knowingly sharing confidential data with unauthorized persons in or out of the company. And yet, here we are. Another year just concluded, and insider threats continue to make the top ten year-over-year.
The reasons for this vary as well – from financial to more personal matters, like revenge for a perceived wrong. Regardless of the why, the more critical question is how, as in “how do organizations protect themselves against these threats?” Spoiler alert: there isn’t any easy answer to this, but rather, it requires a combination of technical, administrative and policy-based controls to mitigate effectively.
For example, implementing least privilege, strong access controls and Data Loss Prevention (DLP) help to minimize the leaking of data. Add to this an Acceptable Use Policy (AUP) and user training to set expectations (and consequences for violating these rules) to establish an understanding between employees and employers. Lastly, instituting policies that stipulate certain processes, such as separation of duties and job rotation practices that limit the amount of access any one user has while rotating them out into another position with different responsibilities and permissions helps to stem the tide of insider threats. Furthermore, aligning these policies with technical controls brings it full circle, preventing users from overextending their reach while making it as risky a proposition as possible if somehow circumvented.
9. Your nation needs YOU!
2023 is expected to see a surge in nation-state-sponsored cybersecurity incidents. If so, 2022 might seem like a trailer for the coming attractions, with cyber campaigns from several countries making the headlines throughout much of the year, according to a Center for Strategic and International Studies report.
Among the attacks executed, a few notable examples include:
- trespassing on U.S. government networks and breaking into computers
- crippling the transportation and logistics industries in Ukraine and Poland
- digital espionage against multiple Asian and European countries
- ransomware targeting an Australian communications platform used by the Department of Defence
- deploying malware that enables access to cameras and microphones, targeting Pakistani politicians
The list goes on and on, a seemingly never-ending barrage of attacks directly from (or indirectly linked to) nations spanning the globe. And while it’s hard to pin down for certain what assets are at risk and from which organizations, the best course is a comprehensive, defense-in-depth network security plan that addresses all aspects of your security posture. Holistically extend protective measures across your infrastructures – whether they be on-premises, hosted on public and/or private clouds or web applications – and align them with security frameworks, like those from the National Institute of Standards and Technology (NIST) or Center for Internet Security (CIS) to provide a full device and software lifecycle management solution for hardening, reporting and remediating against the modern threat landscape.
10. Patch Adams
No, not the charismatic doctor that brought smiles to so many children (or the late comedic genius of Robin Williams that portrayed him on the silver screen) but rather two of the most dreaded and hallowed words that should be a tentpole of any defense-in-depth plan: patch management (dun-dun-duuun).
While not rooted in any particular incident or attack type, effective patch deployment is tied to many benefits, not the least of which is the mitigation of known threats and vulnerabilities. In fact, an estimated 10% of alerts in 2022 were related to Common Vulnerabilities and Exposures (CVE) entries for known threats with Critical severity ratings. Many attacks exploit vulnerabilities in hardware and software, which is what makes regular patch cadences so critical to your organization’s security posture – and its overarching security strategy.
Simply put: cybersecurity often requires IT and Security professionals to respond to incidents after they’ve occurred or been initiated, but an effective patch management policy permits administrators to test, vet and deploy updates, proactively mitigating vulnerabilities before they can be exploited.
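A regular patch cadence still needs an answer to “what do we deploy first?”, and the usual answer is severity weighted by how many endpoints are exposed. The script below is an added example written for this post, not Jamf’s patch-management logic. The inventory, the advisory feed and the advisory identifiers (CVE-0000-PLACEHOLDER-n) are constructed placeholders, and the version-comparison rule is an assumption: dotted numeric versions compared component by component, with missing components treated as zero. It matches each host’s installed versions against the advisories and produces a work queue ordered Critical first.

```python
"""Rank installed software against a vulnerability feed by severity.

Added illustration, not vendor code. Inventory, advisories and the
CVE-0000-PLACEHOLDER-n identifiers are constructed placeholders.
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def parse_version(text):
    """'2.3.7' -> (2, 3, 7); non-numeric components are rejected loudly."""
    return tuple(int(p) for p in text.split("."))


def version_lt(a, b):
    """True when version string a is older than b.

    Shorter tuples are padded with zeros so '2.4' == '2.4.0' and
    '1.8' < '1.8.1', which a plain string comparison would get wrong.
    """
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return va < vb


def affected(installed_version, advisory):
    """A package is affected when the installed version predates the fix."""
    return version_lt(installed_version, advisory["fixed_version"])


def prioritize(inventory, advisories):
    """inventory: {host: {package: installed_version}}
    advisories: list of {id, package, fixed_version, severity}

    Returns (severity, advisory_id, package, host) tuples ordered by
    severity rank descending, then advisory id, then host, so the top of
    the list is the first thing to test and deploy.
    """
    queue = []
    for advisory in advisories:
        for host, packages in inventory.items():
            installed = packages.get(advisory["package"])
            if installed is not None and affected(installed, advisory):
                queue.append((advisory["severity"], advisory["id"],
                              advisory["package"], host))
    queue.sort(key=lambda row: (-SEVERITY_RANK[row[0]], row[1], row[3]))
    return queue


def exposure_by_advisory(queue):
    """Count affected hosts per advisory id from a prioritized queue."""
    counts = {}
    for _severity, advisory_id, _package, _host in queue:
        counts[advisory_id] = counts.get(advisory_id, 0) + 1
    return counts


# Constructed inventory and advisory feed (placeholders, not real CVEs).
INVENTORY = {
    "mac-001": {"browser": "108.0.2", "pdf-tool": "2.4"},
    "mac-002": {"browser": "109.1", "pdf-tool": "2.3.7"},
    "mac-003": {"browser": "108.0.2", "runtime": "1.8"},
}
ADVISORIES = [
    {"id": "CVE-0000-PLACEHOLDER-1", "package": "browser",
     "fixed_version": "109.0", "severity": "Critical"},
    {"id": "CVE-0000-PLACEHOLDER-2", "package": "pdf-tool",
     "fixed_version": "2.4", "severity": "High"},
    {"id": "CVE-0000-PLACEHOLDER-3", "package": "runtime",
     "fixed_version": "1.8.1", "severity": "Low"},
]

if __name__ == "__main__":
    work = prioritize(INVENTORY, ADVISORIES)
    for severity, advisory_id, package, host in work:
        print(f"{severity:8} {advisory_id} {package} on {host}")
    print(exposure_by_advisory(work))
```

Two of the constructed rows exercise the version edge cases worth testing in any real tool: `2.4` must equal `2.4.0` (so mac-001’s pdf-tool is not flagged) and `1.8` must sort before `1.8.1` (so mac-003’s runtime is). Feeding the queue into a ring-based rollout (test group first, then broader groups) is where the “test, vet and deploy” policy above turns into schedule.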
- The best defense against social engineering is a solid training program that is woven into your organization’s security plan, regularly updating end-users on the latest attack trends.
- DDoS attacks carried out by botnets are growing in size and severity. Protect yourself by partnering with solutions that have a proven track record of mitigating such attacks with minimal impact on service levels.
- Ransomware attacks are growing in both severity and cost. Combining endpoint protection, user training and a bulletproof disaster recovery plan (DRP) goes a long way toward mitigating and remediating this.
- Remote and hybrid work environments still pose challenges to securing organizational resources as bad actors continue to target the services and devices used for productivity. Defense-in-depth strategies extend comprehensive protection throughout your infrastructure.
- Attacks against supply chains and/or third parties continue to pose an ever-growing threat, affecting all downstream organizations. The best way to insulate your company? Vet your respective partners through independent auditors to verify their security practices are compliant.
- Complying with industry regulations continues to be a sore spot for many organizations. But it doesn’t have to be when armed with best-of-breed security tooling to collect, categorize and report on device health through rich telemetry data to automate actionable remediations to uphold compliance.
- Cryptojacking malware has only gained more attention from bad actors. Creating botnets and leveraging your precious resources to mine cryptocurrency not only undermines your organization’s security posture but could also introduce greater threats in the future if left unmonitored.
- Attacks sometimes come from within and unfortunately, they also do not come without warning. The best defense is to align security controls with organizational policies to set expectations, limit access permissions to only what’s necessary and explicitly deny access unless users can verify their credentials and devices.
- Cybersecurity warfare and espionage threats sponsored (or carried out by) nation-states see the power of an entire country or region back cyber attacks. While difficult to protect against, generally held best practices within a holistic defense-in-depth plan maximize security protections while minimizing the attack surface.
- Patching critical threats and vulnerabilities is table stakes for a comprehensive security stack, one that sees organizations deploying updates at a regular cadence to mitigate risk factors while hardening endpoints by securing configurations.
Start off the new year with the comprehensive, defense-in-depth strategy from Jamf based on Trusted Access solutions!
Extend protections across your entire infrastructure, securing all your Apple devices, users and critical data from legacy and novel threats alike.