Published on December 16, 2020
It's time for next year's predictions again! We usually look back at the previous year’s predictions to see if they were correct, but I guess it would be very unfair to do it for our 2020 predictions. During the last year COVID-19 turned the world upside down, and the cybersecurity landscape followed suit. But, as the outcome of the pandemic becomes clearer, we can risk some predictions for 2021. Here is what we believe we'll see next year:
Ransomware cases will become more complex and hit big enterprises.
In 2020 we've seen cases where ransomware caused major disruption to organizations' services, such as Garmin. We have also seen cases where the attack moved from a purely malware-driven attack to an advanced threat scenario, including human factors such as insider cooperation, such as Tesla.
Expanding on the current double-extortion ransomware approach, we predict that there will be an increase in the use of new attack vectors to deploy ransomware payloads, including more RIC and shadow IT vectors, in an attempt to “up the ante” and increase the chances of ransom payments. This is a continuation of the trend we’ve been observing for some time where malicious threat actors deploying ransomware payloads move up the supply chain in order to amplify their impact (using additional attack vectors, including cloud), ranging from targeting managed security providers (MSPs) and cloud providers, to data center and national healthcare services providers.
MFA bypass, phishing, and social engineering attacks will become more believable, automated, and targeted.
In an attempt to adapt to ever-evolving anti-phishing defenses, attackers will continue to move beyond trivial phishing schemes to more multi-stage attacks involving increased automation and intelligent telemetry-based phishing. In some cases, this will involve multiple rounds of active probing to identify the types of anti-phishing mechanisms and baits that have been deployed in order to effectively bypass existing defenses.
Remote workforce attacks will become even more prevalent.
Organizations were forced to transition quickly to remote work in response to the COVID-19 pandemic. This rushed move greatly expanded organization’s threat surface. Attackers will continue to exploit this as a new vector for their campaigns.
XDR will skyrocket as it proves enterprise need.
XDR will keep growing in adoption and buzz as organizations look for a way to cover an expanding threat landscape while keeping complexity and operational overhead under control. Many will realize that the complexity reduction and operational gains will not fully materialize, because additional solutions will need to be added in order to compensate for the lack of flexibility and threat coverage.
MDR services will keep evolving beyond EDR based offerings.
As organizations adopt more cloud services and expand their endpoint profile to include IoT and mobile devices, the need to leverage security services that work even when an agent cannot be deployed will push MDR providers to evolve their offerings to integrate other technologies. The number of MDR providers adopting SIEM, UEBA, and SOAR solutions into their backend will grow as part of this evolution.
SaaS solutions will rise in adoption.
More organizations will move their security tools to the cloud. Organization-wide cloud first initiatives are putting pressure on security groups to also move their tools to the cloud. As these initiatives move forward, data gravity will force solutions that require the collection of massive data volumes from infrastructure and applications to move closer to the data sources.
Cloud and traditional hybrid threats will expand.
As organizations expand their footprint into the cloud, more threat scenarios will persist where the compromise of cloud assets leads to the compromise of on-premises resources, and vice-versa. Organizations will see their cloud resources hijacked through users having their workstations on the corporate network compromised, and cloud credentials stolen. Others will see cloud-based applications compromised and used as bridgeheads to reach on-premises sensitive systems such as corporate databases.
More attack techniques targeting “grey areas” and common enterprise blind spots such as SSL termination/TLSv1.3 monitoring.
Attackers will increasingly blend in with legitimate enterprise activity, including both applications and user activity, and use network activity associated with privacy-protected protocols and technologies, such as TLS v1.3, to evade both network-based and endpoint-based defenses more effectively. The recently revealed details about the FireEye breach have provided more evidence of this trend, with the attackers leveraging IT management software not only for initial access but also for later stages of the attack chain, such as command and control.