Last year was an eventful and impactful year in cybersecurity, with substantial developments both from those perpetrating criminal activity and from those working to defend against their attacks. From structural changes in how criminals do business, to government and industry responses to the realities of the threat landscape, to a new awareness of the risks companies carry within their organizations every day, the pace of change accelerated in 2021, presenting consequences and opportunities to both sides of the conflict.
To prepare your organization for potential threats, it is important to learn what we can about how criminals operate and which tactics have worked for them, and then to apply those lessons to our own organizations. Here, we look at what we can learn and how we can be proactive.
Evolutions in the cybercrime landscape
For one thing, 2021 saw further professionalization of the criminal organizations operating in this space, as well as innovation in the business models they employ. Replacing the script kiddies of the past, modern cybercriminal organizations are highly organized, resourceful, and motivated to maximize their bottom line, often while operating with the tacit or explicit approval of a host nation-state.
As a result of the professionalization of actors within the ecosystem, we’ve observed at least three trends from the criminal organizations themselves:
- Continued efforts to remonetize a successful intrusion. Criminals leverage sensitive data exfiltrated during the attack to extort the company for additional payments even after the initial ransom is paid, so paying to recover systems does not end the exposure. This continued exploitation is damaging to victim organizations, but the broader concern is the ability of criminal organizations to innovate and adapt their business models to maximize revenue.
- The development of dark web marketplaces where criminal organizations and individuals exchange goods and services in support of their business activities. There is an axiom in business to “do what you’re great at and outsource the rest,” and cybercriminals are following this guidance to alarming effect. Within these marketplaces, criminals buy and sell exploit toolkits (priced in tiers according to how recently the targeted vulnerability was disclosed), data stolen in successful intrusions, and more. The most recent development in this space is the advent of “Access as a Service,” where individuals and groups specializing in network penetration obtain access credentials and sell them to criminal groups specializing in ransomware and data exfiltration.
- An increased willingness to explicitly target critical infrastructure, or at least to risk disrupting critical infrastructure operations as a consequence of their attacks. As cybercriminal organizations and the sector as a whole mature, actors are becoming emboldened to target companies and sectors previously deemed “too risky” (more on that later).
The bottom line: Opportunity attracts both talent and innovation, and unfortunately, opportunity abounds within the cybercrime landscape. As such, we expect the professionalization of cybercriminal organizations to continue, making it even more important that companies prepare themselves for the inevitability that their networks will one day be targeted and penetrated by these actors.
Attacks in critical infrastructure
The USA PATRIOT Act of 2001 defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Sectors designated as critical infrastructure include energy, nuclear reactors, transportation systems, water and wastewater systems, and food and agriculture, among others. It is obvious why these sectors matter so much to the collective safety and prosperity of the nation.
That is why it was notable and concerning to see an escalation of attacks on critical infrastructure in 2021:
The Colonial Pipeline ransomware event demonstrated both the scale and impact of an attack on critical infrastructure, as well as the complexities and pitfalls companies face while navigating their response. The attack caused widespread fuel shortages along the Eastern seaboard of the country, with massive downstream effects throughout the U.S. economy and day-to-day lives of its citizens.
While these impacts are notable in and of themselves, equally important is the true cause of the shortages relative to the actual cyberattack perpetrated on Colonial: it was not the operational systems that move and deliver petroleum through the pipeline that the criminals compromised, but the IT systems that enable Colonial to bill its customers.
Without the ability to bill for its product, Colonial elected to shut down the pipeline for the duration of the ransomware event. This is important for two reasons. First, it shows the extent of the disruption, intended or not, that can follow from an attack on critical infrastructure; an outage in a business system halted physical delivery. Second, it reveals the importance of business continuity (BC) planning so that an organization is ready for these scenarios if (and when) they occur.
While Colonial survived its ransomware attack, it is now subject to class action lawsuits over decisions made during the response, prolonging and amplifying the damage it suffered from the attack.
Like the Colonial Pipeline attack, the JBS ransomware event was notable for its scale and impact, but it is also notable for being the highest-profile and most consequential attack on a U.S. agricultural company to date. JBS is the No. 1 producer of beef, the No. 1 producer of poultry, and the No. 2 producer of pork globally, and the ransomware attack halted its operations across North America and Australia. The downstream effects of these closures had a significant impact on the availability and price of meat products within the U.S., and had JBS not been able to recover within a few days, the effects of this single attack would have been felt globally.
These examples highlight how widespread and disruptive attacks on critical infrastructure can be for the nation, as well as criminals’ willingness to accept the consequences to society that result from their work.
Trends in the regulatory and insurance environment
Efforts by government and industry to combat and inhibit criminal activity were also a major focus in 2021. However, only time will tell how effective these measures are, and to what extent businesses suffer collateral damage as a result. Some examples:
- To cut off criminals’ revenue streams, governments around the world are considering measures to criminalize the payment of ransoms to cybercriminal organizations. In the U.S., the “Ransomware and Financial Stability Act” has been introduced in the House of Representatives. If this bill becomes law, among other provisions it would make it illegal for U.S. financial companies to pay cyber ransoms of more than $100,000 without government approval, in an attempt to deter criminals from attacking them in the first place. While paying a ransom is a detestable outcome for any company, losing the ability to pay when that is the only viable way to resume business operations may be worse. The bill is not yet law (and it is unclear whether it ever will be), and for now it applies only to the financial industry, but it speaks to the limited tools available to governments for addressing the issue through legislation, and to the potential consequences for industry when they act.
To be clear, it is imperative that organizations invest in cybersecurity practices and disaster recovery capabilities so as NOT to be in a position where paying a ransom is the only option for recovery.
- While the legislative branch considers legislation to address the threat, the executive branch took action in 2021 to impose regulation on industry in an attempt to curb cybercriminal activity. A presidential Executive Order mandated actions to harden the cybersecurity posture of the Federal Government but left private industry largely alone. A 2021 Department of Homeland Security (DHS) Security Directive, however, regulated industry directly. After the Colonial Pipeline ransomware event, DHS required via Security Directive that all U.S. pipeline owners and operators designate a cybersecurity coordinator available 24 hours a day, perform a cyber risk assessment and produce a plan of action to address the gaps found, and report cybersecurity incidents, ransomware included, to the government. While this action was tailored to one sector and relatively limited in scope, it indicates a trend toward greater cybersecurity standards and regulatory requirements that will affect business operations as governments struggle to address the issue.
- Industries are also adapting to the realities of the threat environment. As actuaries and underwriters come to terms with the cost and scale of the problem, some large insurers have stopped offering cyber insurance altogether. For those that continue to offer coverage, policy costs have risen dramatically, along with the requirements an applicant must meet to be granted coverage in the first place.
Importance of corporate data governance
The following trends bring cybersecurity preparation to the forefront of the discussion:
- Cybercriminal organization professionalization
- Government regulations with the potential to constrain business responses to attack
- The difficulty in obtaining adequate cyber insurance
Among these preparations is the implementation of data governance practices that reduce the amount of sensitive data resident on the network for criminals to exploit.
But this is no easy task. Without deliberate controls to manage data over time, data accumulates throughout the life of a company, to the point that it becomes impractical to know what data resides on the network, let alone to determine whether that data is still required for ongoing business operations. Such data can include Personally Identifiable Information (PII), trade secrets, or other sensitive data that carries inherent financial liability or second-order risk to the company if it is disclosed outside the company.
To put the exposure in context, the IBM 2021 Cost of a Data Breach Report puts the average cost of a breach at $180 per compromised record of customer PII. Scaled up to tens of thousands of records (the size of a file exported from the timekeeping or HR system of a mid-market company), a company’s liability from the breach of a single file can reach into the millions of dollars. Criminals are well aware of the value of this data, as well as the difficulty of proper data governance. They consequently make it their business to identify and exfiltrate sensitive data in the weeks and months leading up to the ransomware attack itself, so that they can re-victimize the organization later.
This is why it is crucial that organizations invest in the tools and policies needed to run data governance programs that identify and remediate data risks on the network. Perhaps the only thing worse than being forced to pay an extortion fee to prevent the release of sensitive data is doing so for data that should not have been on the network to begin with.
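The discovery step a data governance program depends on can be prototyped quickly. The following Python example is added here; it is not the article's code or a tool the article recommends. It classifies files by looking for US Social Security numbers and Luhn-valid payment-card numbers (both are assumptions about what counts as PII for this illustration), then ranks each file by estimated exposure using the $180-per-record figure quoted above. The sample files are constructed for the example and stand in for an HR export and a finance share.

```python
"""Lightweight sensitive-data discovery: find PII at rest and rank files by estimated exposure."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Cost per compromised PII record, taken from the IBM figure quoted in the article.
COST_PER_RECORD_USD = 180

# US Social Security number in the common 123-45-6789 layout, excluding area/group/serial
# values that are never issued (areas 000, 666 and 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# This pattern alone is noisy; luhn_valid() below removes most non-card numeric strings.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample files standing in for a file share; not real data.
SAMPLE_FILES = {
    "hr/payroll_export_2019.csv": (
        "name,ssn,card\n"
        "A. Example,123-45-6789,4111 1111 1111 1111\n"
        "B. Example,234-56-7890,5500 0000 0000 0004\n"
    ),
    # A purchase-order number that looks like a card but fails the Luhn check.
    "finance/vendor_ids.txt": "PO-1234 5678 9012 3456 approved\nfax 555-0100\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn (mod 10) check used by card networks."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    ssn_count: int            # distinct SSNs found
    card_count: int           # distinct Luhn-valid card numbers found
    card_like_rejected: int   # numeric strings that looked like cards but failed Luhn

    @property
    def records(self) -> int:
        # Assumption: each distinct identifier is one person's record; a row holding both an
        # SSN and a card is still one person, so take the larger of the two counts.
        return max(self.ssn_count, self.card_count)

    @property
    def exposure_usd(self) -> int:
        return self.records * COST_PER_RECORD_USD


def scan_text(path: str, text: str) -> Finding:
    """Classify one file's contents and estimate its breach exposure."""
    ssns = set(SSN_RE.findall(text))
    candidates = CARD_RE.findall(text)
    cards = {re.sub(r"\D", "", c) for c in candidates if luhn_valid(c)}
    rejected = sum(1 for c in candidates if not luhn_valid(c))
    return Finding(path, len(ssns), len(cards), rejected)


def rank(findings: list[Finding]) -> list[Finding]:
    """Drop files with no confirmed identifiers; highest estimated exposure first."""
    return sorted((f for f in findings if f.records), key=lambda f: f.exposure_usd, reverse=True)


def scan_samples(files: dict[str, str] = SAMPLE_FILES) -> list[Finding]:
    return rank([scan_text(path, text) for path, text in files.items()])


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list[Finding]:
    """Walk a real directory tree; skips files that are too large or do not decode as UTF-8 text."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8") as fh:
                    findings.append(scan_text(path, fh.read()))
            except (OSError, UnicodeDecodeError):
                continue
    return rank(findings)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}: {f.records} records, est. exposure ${f.exposure_usd:,}, "
              f"{f.card_like_rejected} card-like strings rejected by Luhn")
```

Regex plus Luhn is triage, not proof: the Luhn check rejects roughly nine in ten random digit strings of card length, so order numbers and timestamps still slip through occasionally, and real card numbers written with separators the pattern does not anticipate are missed. The ranked output also answers only the first governance question, where the data is. Whether a 2019 payroll export still needs to exist on a file share is the second question, and no scanner answers it; that decision belongs to the data owner and the retention policy.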
Vendor risk management
The final cybersecurity trend to consider from 2021 pertains to supply chain risk management. If nothing else, 2021 threw the fragility of supply chains across all industries into stark relief. While many of the disruptions experienced resulted from non-cyber events, they revealed how vulnerable these systems are to disturbance, and how difficult it is to adapt rapidly when supply chains are distorted.
In keeping with this theme, it is no longer sufficient to harden one’s own cybersecurity posture against attack. Crippling a company’s upstream suppliers will preclude business operations just as effectively as a cyberattack against the company itself. If for no other reason than self-interest, it is incumbent upon companies to establish cybersecurity standards within their industries and extend them to their vendors.
But that is more easily said than done; standards and best practices for vendor risk management are nascent. Existing solutions capably enumerate vulnerabilities in the external-facing networks of vendor partners, but the vendors’ internal posture remains opaque, and meaningful roadmaps for acting on the vulnerabilities identified are scarce given the investment required to address them.
Looking toward new threats
Considering the trends and themes discussed here, the cybersecurity outlook may look bleak, but it is certainly not hopeless.
With a clear understanding of the current and future state of the threat landscape, the regulatory environment, and the risks resident on their own networks, organizations can position themselves to survive and thrive. The most important of these insights is that it is not a matter of whether cyberattacks will succeed in penetrating one’s network, but when they will, and what preparations have been made to sustain business operations when they do.
To this end, investments in business continuity planning, disaster recovery, data governance programs, and vendor risk management will be key for businesses to not only survive cyberattacks but thrive despite them in 2022 and beyond.