Every year, cybersecurity threats evolve alongside the technologies and systems they target. Sophistication often comes in the form of greater organization and more-targeted pursuits. Well-funded hacking groups are also able to wreak more havoc thanks to their expanded resources.
The financial impact of cybersecurity threats is expected to swell to an estimated $10.5 trillion annually by 2025, a growth rate of 15% year over year.
An annual survey of CISOs in 2022 uncovered that their top concerns include:
- Ransomware attacks (67% of respondents)
- Insider threats (32%)
- Nation-state attacks (31%)
- Malware attacks (21%)
Within these categories, we have devised our own top 10 list reflecting the biggest cybersecurity risks and threats we see our own clients facing in the remainder of 2022 and beyond.
10 Biggest Cybersecurity Threats in 2022
- Security tool mismanagement
- Lack of customization
- Social engineering
- Remote work weaknesses
- Cloud vulnerabilities
- Third-party exposure
- Targeting supply chain partners
- Inadequate cyber hygiene
Awareness of these threats can inform cybersecurity strategies and cybersecurity management at all organizational levels to prevent incidents, preserve business, and protect sensitive data.
1. Ransomware
Ransomware represents the most significant cyber threat to organizations, according to Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC). It has the capacity to freeze business activities in their tracks while hurting public reputation — as well as internal morale.
“Ransomware is a whole company incident,” observes SecurityWeek. “Every department is impacted, and every department wants a say in its resolution. Panic is a frequent and unhelpful component – especially if the workforce has not been prepared on how to respond.”
Threat actors who install ransomware want to take all options off the table for cybersecurity leaders except for the clear ones they present: pay up, or lose everything. Many leaders struggle to think outside this box, inducing decision paralysis. Making matters more vexing, other business leaders tend to want to chime in, as operations sit frozen until a solution is found.
Growth of ransomware incidents has been fueled in part thanks to the blockchain. Cryptocurrency transactions enable threat actors to handily launder their money and obscure where funds end up. Because of the ease of not getting caught, attackers have begun to go after juicier targets with more to lose.
Organizations must be prepared to not just prevent these attacks but to also respond logically in the moment of crisis when they do happen.
Latest Ransomware Trends
Some of the latest ransomware trends include:
- Accessing networks via phishing — The top three methods of intrusion include phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities
- Using cybercriminal services-for-hire — The criminal business model of ransomware is well established, with threat actors taking a cut from their efforts. They even now offer victims point-of-sale-type services to expedite payment
- Sharing victim information — Ransomware groups are sharing victim information, which increases the threat to targeted organizations and entire industries as a whole
- Targeting organizations of all sizes — Initially, ransomware threat actors targeted “big-game” organizations in a limited number of high-profile incidents. Now, the same groups are targeting organizations of all sizes, including businesses, charities, legal professionals, and even public services. Education, local government, and health entities have all been targeted, in addition to traditional businesses.
- Varying extortion approaches — Ransomware threat actors use a “triple extortion method”:
1) Threaten to publicly release stolen information
2) Disrupt the victim’s internet access
3) Automatically notify the victim organization’s partners, shareholders, or suppliers about the incident
Common Ransomware Tactics
Some of the most common ransomware methods seek out vulnerabilities in the following ways:
- Targeting the cloud — They exploit known vulnerabilities in cloud applications, virtual machine (VM) software, and VM orchestration software
- Targeting managed service providers (MSPs) — MSPs have widespread and trusted access to client organizations. Through this method, one compromise can impact multiple victims.
- Attacking industrial processes — A number of ransomware groups have developed code designed to stop critical infrastructure or industrial processes
- Attacking the software supply chain — Ransomware threat actors are targeting software supply chain entities to compromise and extort customers along with their data
- Targeting organizations on holidays and weekends — Ransomware threat actors take advantage of weaknesses in offices’ networks when closed on holidays and weekends
2. Security Tool Mismanagement
Surprisingly, many major cybersecurity incidents stem not from a lack of protections but from a lack of knowledge as to how to best wield those defenses. A lack of proper management can lead to the following challenges.
Software only works if it’s installed correctly. Few tools offer a comprehensive ability to “set it, and forget it” when it comes to providing the expected security. These tools must be properly configured, properly integrated into all needed technologies, and properly updated in light of emerging security needs.
Most systems are likely to contain at least one error in how the software is installed and set up. According to Rapid7, 80% of external penetration tests encountered an exploitable misconfiguration in the security software they came up against.
Too Many Cybersecurity Tools to Keep Track of
Many organizations grapple with tool bloat. Most businesses will also adopt a new tool to fix a specific challenge or meet a specific use case.
According to a survey by Sumo Logic and 451 Research, the average IT and security team uses between 10 and 30 security monitoring solutions for applications, network infrastructure, and cloud environments.
Poor Data Management
It’s easier to lose and expose information when massive amounts of unnecessary data are stored, often within the repository meant to consolidate and protect it.
Consumer data doubles every four years, but more than half of the new data is never used or analyzed. Surplus data leads to vulnerable data and cyber attacks.
Inadequate Post-Attack Procedures
Security patches must be as strong as the other cybersecurity protections in place. Holes must be patched immediately following an attack.
80% of cybersecurity victims who paid a ransom were attacked again soon after.
Lack of Proper Directory Customization
Microsoft’s Active Directory (AD) is a top threat that should be on every CISO’s radar, says security expert Derek Melber. “Active Directory is used by almost every major enterprise (90% of the Fortune 1000) to authenticate employees’ entry into company networks and manage access and privileges internally.”
Directories often lie at the heart of the enterprise’s identity and access management (IAM) infrastructure. Massive repositories like AD typically include thousands of users, each with thousands of discrete permissions and access configurations. In many cases, these individuals have misconfigured permissions, and credentials no longer in use often go undeleted. This situation creates a massive potential for threat actors to exploit.
Continuous monitoring and analysis are needed to stay on top of changes to environments, group policies, and threats.
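The stale-credential problem described above is one that a periodic directory review can catch. The following is an added example, not code from the original article or from Lucidum: it runs over a constructed, in-memory export of account records (names, enabled flag, last logon, group memberships are all invented) and flags enabled accounts that have not logged on recently, ranking any that hold a privileged group higher.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, shaped like a directory export
# (sAMAccountName, enabled flag, last logon, group memberships). Not real data.
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"sam": "j.doe",       "enabled": True,  "last_logon": NOW - timedelta(days=3),   "groups": ["Staff"]},
    {"sam": "svc-backup",  "enabled": True,  "last_logon": NOW - timedelta(days=400), "groups": ["Domain Admins"]},
    {"sam": "contractor7", "enabled": True,  "last_logon": None,                      "groups": ["Staff"]},
    {"sam": "old-intern",  "enabled": False, "last_logon": NOW - timedelta(days=700), "groups": ["Staff"]},
]

# Built-in AD groups that confer broad control; membership raises the severity.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def stale_accounts(accounts, now=NOW, max_idle_days=90):
    """Return (account, severity) for enabled accounts with no logon in
    max_idle_days (or no logon at all). Severity is 'high' when the account
    holds a privileged group, otherwise 'medium'.

    Caveat: AD's lastLogonTimestamp replicates with a lag of up to 14 days,
    so keep max_idle_days comfortably above that to avoid false positives."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # cannot be used to log on; deleting it is a separate cleanup task
        last = acct["last_logon"]
        if last is not None and last >= cutoff:
            continue  # seen recently, not stale
        severity = "high" if PRIVILEGED & set(acct["groups"]) else "medium"
        findings.append((acct["sam"], severity))
    return findings


if __name__ == "__main__":
    for sam, severity in stale_accounts(ACCOUNTS):
        print(f"{severity:6} stale enabled account: {sam}")
```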
3. Nation-State Threats
Nation-states have begun to lead the way in funding corporate espionage and vulnerability discovery. Many times, major ransomware attacks and data breaches that earn global media coverage tend to be connected to groups funded by nation-states. Examples include the Colonial Pipeline disruption, SolarWinds breaches, and the Microsoft Exchange “Hafnium” incident.
According to a March 2022 report by the Center for Strategic & International Studies (CSIS), 86% of organizations they surveyed have been attacked by an organization they believe to have been working on behalf of a nation-state.
The report notes how nation-state actors are often afforded outsized resources and insider connections thanks to their direct affiliation with state goals.
One prominent cyber consultancy group observes how nation-state actors “can work without fear of legal retribution – they will be highly unlikely to be arrested in their home country for what they’re doing.” They also point out that “the Nation State Actor often has close links to the military, intelligence or state control apparatus of their country, and a high degree of technical expertise.”
4. Social Engineering
One of the most dangerous hacking techniques, social engineering, relies on human error to provide a means of infiltration instead of exploiting technical vulnerabilities. Oftentimes, people employed at or with connections to targeted organizations get manipulated into giving up confidential information, such as their login credentials.
An estimated 85% of data breaches involve human interaction. Typically, it is easier for a threat actor to exploit a person’s natural inclination to trust than it is for them to find new ways to hack software.
Spear-phishing & Whaling
These two types of social engineering attacks can have the biggest impact because of their ability to infiltrate systems through seemingly legitimate credentials.
- Spear-phishing emails are hard to recognize because they appear to come from legitimate sources; emails are personalized to individuals or groups of people with something in common, like working in the same department
- Whaling uses deceptive email messages to target high-level decision makers within an organization, like CEOs, CFOs, etc. These individuals have access to valuable information and extensive permissions. Attackers will send these targets emails on “critically important” matters while appearing as a legitimate authority. The emails are always personally addressed to individuals and may use titles, positions, and phone numbers obtained from company websites or social media.
5. Remote Work Weaknesses
Millions of people began unexpectedly working from home at the start of the COVID-19 pandemic, and that trend has created a foothold for all-remote and hybrid office workplaces. Over half (53%) of people surveyed by Gallup in March 2022 stated that they were working in a hybrid arrangement, and just 23% stated that they work on-site exclusively.
While work-from-home arrangements afforded many conveniences, they also broke down the perimeter-based security barriers many enterprises had in place in the office environment. Official work devices were being used outside of the expected environments, often communicating directly with other devices in the home. Bring your own device (BYOD) usage also skyrocketed, as employees had to quickly source a means to keep all communications and work flowing in the midst of an unexpected quarantine.
60% of companies stated that they expanded their BYOD policies at the start of the pandemic in 2020, according to a 2021 report by Palo Alto Networks. Many of those opened-up policies remain in place unaltered. The same report reveals that 44% of respondents admit their organizations did not invest in additional security to accommodate expanded remote work.
Further, remote work led to an explosion in new software and as-a-service platform adoption, each of which has the potential to introduce malware and other security compromises.
Remote workers require new sets of training knowledge and new protocols in order to help them protect their credentials and avoid common mistakes that can lead to a breach. Additionally, organizations must have measures in place to visualize and monitor the entirety of their attack surface, including unowned assets on the cloud or with connected APIs.
6. Cloud Vulnerabilities
Cybersecurity threat actors continue to take advantage of cloud security gaps. Many attacks target the vulnerabilities in the cloud infrastructure itself, which allows the attacker to exploit many targets with a single vulnerability.
According to IBM, cloud vulnerabilities have increased 150% in the last five years.
Cloud vulnerability examples include:
- Lack of multi-factor authentication — Privileged users must be as protected as possible. Without multi-factor authentication, malicious actors can easily compromise privileged accounts.
- Open Amazon S3 buckets — Amazon S3 bucket misconfigurations allow cybercriminals to store, access, retrieve, and back up as much data as they want, anytime, anywhere
- Inadequate data deletion — When data isn’t actively managed, there isn’t complete visibility into where it is stored in the cloud. This makes it difficult to verify if data has been securely deleted.
- Insecure APIs — Application programming interfaces (APIs) are used to streamline cloud computing. However, they are a source of cloud vulnerabilities when left open and insecure.
- Multitenancy — Cyber threat actors take advantage of multi-tenancy cloud environments to gain access to an organization’s assets or data through another user’s resources
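Of the examples above, the open S3 bucket is the one most often caused by a single policy statement. The following is an added example, not code from the original article or from Lucidum: it parses two constructed bucket policies (the bucket name, account id and role name are invented), one open to anyone and one scoped to a single IAM role, and reports which Allow statements grant access to an anonymous principal. It is a review aid only; the platform-level control is to keep S3 Block Public Access enabled.

```python
import json
from typing import Any

# Constructed weak setting: anonymous read and list on the whole bucket.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed corrected setting: the same bucket, readable only by one role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _is_public_principal(principal: Any) -> bool:
    """True when the Principal element is the wildcard, either bare "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json: str) -> dict[str, str]:
    """Map Sid -> 'public' for Allow statements open to everyone, or 'review' when a
    Condition is present (e.g. an aws:SourceIp restriction may or may not narrow it enough)."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a bare object
    findings = {}
    for stmt in stmts:
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        findings[stmt.get("Sid", "<no Sid>")] = "review" if "Condition" in stmt else "public"
    return findings
```

Running `public_statements` on a policy fetched with the AWS CLI (`aws s3api get-bucket-policy`) gives the same result shape on real input.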
7. Third-Party Exposure
Cybercriminals often get around security systems by hacking less-protected networks belonging to third parties. Recent incident examples have involved hijacked sessions on services hosted with Facebook, Google, GitHub, Amazon Web Services (AWS), and other providers.
Cyberattackers can secretly relay — and possibly alter — communications between two parties who believe they are communicating directly with each other. Techniques like active eavesdropping allow the attacker to make independent connections with the victims, relaying messages between them to make them believe they are talking with each other over a private connection. Then, sensitive information like access credentials or private data storage locations could be revealed.
8. Cryptojacking
Also called malicious cryptomining, this technique involves seizing machines or installing VMs on them to fulfill the threat actors’ financial goals. In other words, money is the motivation to steal the processing power of anything and everything that lies unsecured.
Malicious cryptominers often come through malware implanted via web browser downloads and rogue mobile apps. Many victims of cryptomining do not notice, as the software is designed to stay hidden from the users. Consequences include computing resources slowing down other processes, increases in electric bills, and shorter life-span of devices.
9. Targeting Supply Chain Partners
Supply chain attacks occur when someone infiltrates your system through an outside partner or provider with access to your data and systems. One main issue is that many enterprise vendors are still using outdated systems that lack the highest security defenses currently available.
While the software supply chain faced the most risk initially, the physical logistics supply chain is not spared from cyberattacks. Reliance on logistics software to manage inventories and deliver goods via ecommerce has increased.
Per SecurityWeek: “Shipping and logistics are vulnerable as a sector because they are targeted both by nation-state groups as well as cybercriminals.”
10. Inadequate Cyber Hygiene
Cyber hygiene refers to habits and practices that directly impact security. Common examples include instructing employees to avoid using unprotected WiFi networks of any sort on company devices or while using devices that have any permissions to access company-connected platforms. Employees should ideally be using virtual private networks (VPNs) and multi-factor authentication at every opportunity.
A majority of organizations rely on human memory to manage passwords. More than half of organizations do not require the use of two-factor authentication.
Making matters more concerning, less than half of Americans say they change their password after a data breach. Once credentials are stolen, passwords reused across multiple platforms make it easy for cybercriminals to breach accounts and access personal and financial information.
Secure and Manage Your Attack Surface
The biggest threats will continue to evolve. They will also respond directly to any efforts to thwart them.
Ever-present risks make preventative measures all the more important. Attack Surface Management is absolutely critical to maintaining adequate cybersecurity. Organizations need 360° awareness of everything on their networks to remain vigilant and detect potentially hidden threats not currently on their radar. This preparedness empowers organizations to be aware of multiple types of threats coming from all angles.
Establish a smart, strategic framework using the techniques in our recent ebook: https://lucidum.io/ebooks/what-you-can-do-today-to-make-an-impact-on-cybersecurity-asset-management/