SecureWorks 2021 State of the Threat: A Year in Review
As a data professional, I am acutely aware that I am dealing with the crown jewels of the organization. Data is extremely valuable as an asset to company strategy and the essential ingredient for operations. That value, unfortunately, also attracts nefarious players within and outside the organization. It behooves the data professional to be aware of the threats and to be an active partner in securing the data.
The threat level to businesses globally remains high, especially as many organizations are rapidly pursuing IT transformation to support operations in a pandemic environment. These threats have evolved. When a highly credible report characterizing the current threat comes along, we should take note and craft strategy accordingly. The Secureworks 2021 State of the Threat: A Year in Review is such a report. In addition, their Emerging Cybersecurity Trends in 2022 gives us a look at what we can expect to happen in the threat landscape. Secureworks has unparalleled exposure to the threat landscape.
Secureworks’ unique view of the threat landscape comes from a combination of the incident response engagements it carries out, the telemetry it monitors from the Taegis XDR platform, and the technical and tactical research carried out by the Counter Threat Unit into threat actor activity. Together, that all adds up to a unique level of visibility into threat actor intent, capability, and activity.
According to Secureworks, ransomware is the number one threat for most organizations, followed by zero-day exploits (flaws for which no patch yet exists, commonly in just-released software).
A huge trend in ransomware is the ransomware-as-a-service (RaaS) model. It has become popular because the use of affiliates drives scale and enables ransomware operators to attack more victims with little effort. Why build ransomware when you can rent it? Offers of access brokering on underground forums are widespread. Interestingly, while ransomware is the number one threat, Secureworks predicts that in 2022 the crackdown on ransomware by law enforcement will be more aggressive in an attempt to disrupt the ransomware ecosystem.
A derivative attack is name-and-shame, where victims are under pressure to pay not only to recover their data (availability) but also to prevent it from being published online (confidentiality). Name-and-shame has become the predominant operating method for most ransomware groups.
In most cases zero-days are discovered and exploited in highly targeted attacks, meaning that fewer organizations are impacted. However, once exploit code becomes publicly available, it is rapidly rolled into commonly available offensive security tools, and many opportunistic threat actors start leveraging it.
Despite the level of attention it attracts, state-sponsored activity remains targeted and narrowly focused, according to the priorities of the country it originates from. Researchers continue to see significant levels of activity from groups affiliated with China, Iran, Russia and North Korea.
The State of the Threat report includes a breakdown of the goals and activities of these countries. For example, Chinese threat groups remain extremely active, with a continued focus on intellectual property theft, access operations against core telecommunications and internet infrastructure operators, and traditional espionage against political and military targets. Iran’s activity, by contrast, involves espionage and surveillance operations against individuals perceived as valuable information sources or potential threats to the Iranian regime, such as journalists, academics, human rights defenders, and employees of government, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs).
Law enforcement intervention against these threats has led to tactical successes but has yet to cause significant strategic impact. Secureworks predicts that in 2022 “espionage will remain a key driver as the US and other Western states become increasingly assertive in attributing hostile state cyber activity.”
Ultimately prevention is in the hands of the corporation.
Attacks occur where access can be most easily obtained and maintained. The management of identity, secret keys and cross-domain trust is becoming an increasingly fundamental requirement for securing systems and data. The Principle of Least Privilege, multi-factor authentication (MFA) and obsessive patching are non-negotiables. These essential controls should be coupled with thorough monitoring and detection of endpoints and network assets.
There are certainly many additional opportunities to increase security by collecting and reviewing other essential telemetry that is often overlooked, such as identity, application and cloud logs, and data from email appliances. Finally, no security program is complete without regular adversary testing.
For your data-related projects, don’t wait until production to ensure your project is secure. Seek out the security team, or compose a security policy that considers the threats, early and often. This is the top “must do” for any project today.
As you build your 2022 cybersecurity strategy, take a look at what Secureworks is seeing in the threat landscape currently, as well as what is expected in the Emerging Cybersecurity Trends in 2022.