6 new ways threat actors will attack in 2021

When COVID-19 hit and then started forcing massive enterprise changes in March, it caused a significant change in the enterprise threat landscape. That is even more troubling given that it all happened within a few days, which required the cutting of security corners for everything, especially the creation of remote sites.

COVID also accelerated movement to cloud—a lot faster than had been expected in January 2020. Those new remote sites, part of a gigantic flip in dataflows and personnel that turned an average 90% internal to 90% external, also opened the floodgates for orders of magnitudes more IoT devices. Even worse, these were especially insecure consumer-grade IoT devices, which typically sneaked into sensitive systems by piggybacking on VPN transmissions.

With such a different enterprise threat landscape, CISOs might be expected to deploy different cybersecurity strategies and use different cybersecurity tools. If what is being protected is so very different, wouldn’t that necessitate equally different defense mechanisms?

No such dramatic change has happened with most enterprise cybersecurity defenses because the bad guys have not yet meaningfully changed their attack methodologies. They have increased the volume and intensity but not the specific attack methods. It’s almost universally held that this is a short-term situation and the bad guys will change their methods very soon, almost definitely by early 2021.

What will those new attack methodologies look like? We reached out to a variety of cybersecurity experts to find out.

New attacks on remote devices

Jim Boehm, expert partner at consulting firm McKinsey & Co., anticipates new attacks focusing on remote office devices that are now handling far more sensitive data than they did before COVID. For example, at a client site on which his team recently worked, they discovered VPN protocols based more on work continuity than on security protections. This enterprise had set up VPN in such a way that if the connection is interrupted, it would maintain some “basic functionality” such as reconnecting to WebEx. “It would still send internal emails if the email client had been connected to the VPN [prior to the disconnect]”, he says. “WebEx sessions would automatically reestablish and transfer data. [That created an exploit] where cyberthieves could establish persistence on a device before the VPN is initiated.”

When VPNs accounted for 10% or less of all data transmissions, an enterprise might consider this an acceptable risk. Now that VPNs are accounting for more than 90% of all data transmissions, CISOs need to reevaluate.

Boehm adds that in a few years, VPNs may no longer be needed, but a lot has to happen before that is the case. “In an entirely zero-trust world, you can get rid of VPNs,” he says. “Today, nobody truly has zero trust except for Google.”

Exploiting poor cloud configurations

Cloud attacks are another top concern. Sophos Principal Research Scientist Chet Wisniekski thinks cloud configurations and human nature are on a collision course, and the bad guys are counting on that.

For example, Wisniewski referenced an enterprise that had cloud accounts from several of the largest enterprise cloud vendors. “The assumptions are completely different from vendor to vendor,” he says, referring to areas such as password complexity and default settings related to changes with new objects, new deployments of an instance and not retroactively applying it.

“In Google Cloud, many things have to be applied manually,” which is not how the defaults work for Microsoft Azure and Amazon Web Services (AWS), Wisniewski says. “The more knowledge of a given environment is likely to give you more efficiency, but the more you’ve mastered one, the more likely you are to make mistakes in the other.”

There are also sometimes inconsistencies within the same platform, such as new deployments having a new default setting while the legacy ones stay with the old default settings, Wisniewski says. This all makes security configurations difficult to keep straight when an enterprise has multiple cloud accounts—setting aside the many shadow IT cloud accounts that neither the CISO nor the CIO know about—along with a combination of new and old cloud deployments.

Wisniewski’s point is that this confusion plays into the strength of the bad guys, looking to sneak into an account any way they can. He quoted a hypothetical attacker saying, “Amazon by default does this and here’s a misunderstood policy that we can abuse.”

Exploiting complexity in remote office setups

Far too many remote site/home office setups for enterprises are far too complex, which leads to inconsistencies that attackers can exploit. This is especially true with the slapped-together remote sites that the pandemic forced.

“The diversity in home networking configurations is astounding. Look and you’ll find some of the most bizarre setups,” says John Henning, principal information security engineer at SAS. “Attempting to support users’ home networks opens a Pandora’s box that cannot be shut. It will consume resources with little return. The best return on investment for time? Educate users and provide guiding principles and best practices.”

Perhaps counter-intuitively, Henning finds that “your most technically competent people will be your most problematic. Technically skilled employees love to tinker with their home networks. [They will] open port 22 so they can SSH into their own personal server. [Or they will] open port 3389 so they can RDP into the work laptop from an VRBO. Your least technical employees are far less prone to tinker. Although default settings are sometimes not ideal, in today’s market, most default settings offer acceptable security settings.” Attackers might zero in on an enterprise’s more technical people, hoping to find more holes to leverage.

Another fear? Hennings expects attackers to crawl public OSINT sites. “Attackers will crawl public OSINT sites for vulnerable employee devices, like Shodan. Don’t be surprised if you look up a compromised device on Shodan and find company information or entry vectors,” he says.

Tunneling into corporate systems via VPN

With 2021 starting out with so much data flowing through VPNs, WatchGuard Technologies CTO Corey Nachreiner expects the bad guys to aggressively try to identify VPN systems as a direct way to tunnel into sensitive corporate systems. He says identifying such users is relatively easy.

“Most Trojans or bot clients allow the attacker to manually run or script CLI [command prompt] commands. This alone offers many ways to detect the existence of VPN software. For instance, the ipconfig command lists network interfaces including virtual interfaces used for VPNs. As an example, if your malware automated a script to parse the results of ipconfig, looking for adapter names like TAP-Windows Adapter v9, or TAP-NORDVPN Windows Adapter v9,” Nachreiner says. “Many other possible names [could be used] as different VPN clients use different names for these, but smart attackers could simply compile a list from the most popular VPN clients they want to target. In any case, you could script and automate malware to launch ipconfig on every new victim, and then return a flag if it detects the common name of a VPN interface in the results.”

From there, the attackers “could specifically start using worm functionality and lateral movement techniques that have existed in some malware for a long time to specifically target that VPN-accessible network,” Nachreiner says.

Deploying AI- and machine learning-based malware

One well-discussed possibility that may finally materialize in 2021 is attackers turning AI and machine learning against enterprises by, in effect, using bad AI to infect an enterprise’s good AI, says ForgeRock Senior Vice President Ben Goodman. “In 2021, we will see an increased number of data poisoning attacks occurring as more organizations are deploying AI platforms across their systems. In previous years, malicious hackers had already discovered that they can attack AI and machine learning software by feeding the AI illegitimate data to cause it to produce negative or inaccurate results. This will become a more prominent issue in 2021 and the following years,” he says.

“Bad actors can feed the AI software an image with another image inside that does the opposite of what the AI is supposed to do, so that it will poison the AI algorithm,” Goodman adds. “For example, when AI is used for detecting fraud, fraudsters can submit bad data that makes the software unable to detect the fraudulent activity.” Because many security platforms use AI and machine learning data to detect cyberattacks by identifying anomalies in existing data, he says attackers could potentially throw off their detection methods. “In 2021, it may be necessary to use separate AI to do integrity and security checks on data collected by the initial AI software.”

Breaking encryption with quantum computing

An unlikely, but possible, concern is that the bad guys will use superior horsepower—especially coming from well-funded state actors (Russia, North Korea, China, Iran, etc.). Steve Zalewski, deputy CISO for global apparel firm Levi Strauss & Co., is worried about quantum computing and its ability to undermine if not fully negate encryption defenses. “That’s a game changer,” he says.

As a practical matter for enterprise CISOs, Zalewski says, “quantum computing is a solution looking for a problem right now.” He compares it to early-generation Cray supercomputers. “What (Cray) was really good for were simulations, weather patterns. Crays were not good for general purpose computing.” For the bad guys looking to sidestep encryption, it might eventually prove effective.