Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can about how the minds of hackers work, what strategies they prefer and what methods they are currently using? SecOps folks, that’s who.
Cybersecurity company Randori, which specializes in attack-surface management and does automated red teaming for enterprises, has a CTO and co-founder, David “moose” Wolpoff, who himself was a career hacker and former DoD contractor. So it follows that here is a company that has a specific inside perspective on how cybersecurity actually works.
Wolpoff has provided eWEEK with some sobering predictions (we like to call them “predixions” here on this channel, in order to make them more searchable) around what’s next in the world of malware.
Security Predixion No. 1: Deepfakes and voice fakes come to the enterprise.
In 2021, threat actors will move on from basic ransomware attacks and will weaponize stolen information about an executive or business to create fraudulent content for extortion. From deepfakes to voice fakes, this new type of attack will be believable to victims, and therefore, effective. For example, imagine an attacker on a video system, silently recording a board meeting, then manipulating that private information to contain false and damning information that if leaked, would create business chaos, to compel a business to pay up.
Security Predixion No. 2: Ransomware evolves to enterprise extortion.
Threat actors are evolving from high-volume/low-value attacks, to high-value/low-volume attacks targeting businesses. Half of ransomware attacks already involve data exfiltration, and in 2021, cybercriminals will incorporate extortion by weaponizing the content they’ve stolen to compel their victim to action. Ransomware attacks will shift from “I’ve stolen all your data, now pay me” to “I’m going to extort your CEO with information I’ve found in the data I’ve stolen from you, and if you don’t pay, we’ll devalue your stock on Wall Street.”
Security Predixion No. 3: Expect more cloud infrastructure ransom attacks.
Threat actors are beginning to sift through exfiltrated data from ransomware attacks for high-value content and looking for their pot of gold. Cloud infrastructure credentials that could allow them to hold a company infrastructure for ransom. It takes adversarial creativity, but the reward is high and the killchain is simple enough. Maybe they find keys in the data directly, or maybe the attacker can gain access to an app like Slack and find keys shared there. Perhaps they go so far as to send spoofed messages to convince unwitting victims to share cloud login credentials (heads up, IT).
With a little information and a bit of persistence, an attacker can turn his/her ransomware access into high-privilege AWS tokens, log into the cloud infrastructure and hold it for ransom. The threat of turning off the business with the click of a button is a highly effective extortion technique. Many CISOs don’t know when and where highly privileged passwords have been recorded (in an old Slack message from two years ago?); this is a big risk for companies in mid-cloud migration.
Security Predixion No. 4: A leadership crisis in IT talent will hit the U.S. government.
Chris Krebs’ unceremonious post-election ousting may be the proverbial sour cherry on top of the Trump administration’s treatment of cybersecurity talent in the White House. Under the administration, turnover at the senior leadership level of the National Security Council was record-breaking, and we will witness the first downstream effects on our national global cybersecurity ability in 2021. U.S. national cyber policy and our global cybersecurity posture will take a hit, and tactically but crucially, government hiring of cyber talent will stall. These will have lasting impact on our cyber leadership that will take 10 to 20 years to correct.
Security Predixion No. 5: Expect an antitrust/anti-tech reckoning in 2021.
Democratic institutions rely on common information and facts, which have been challenged in light of disinformation and misinformation proliferating across social platforms. With antitrust sentiment slowly taking over Washington, it’s becoming more apparent that technology and social platforms are unregulated domains that have been damaging to truth, and the functioning of democratic processes. In 2021, expect antitrust hearings to come about as a matter of national security, and the force of the government extended against social platforms and tech monopolies in the next year or so.
eWEEK is running a series of prediction articles throughout the month of December.
