Predictions are a risky business. If you play it too conservatively, you tell everyone what they already know and just get an eye roll for your trouble. If you go out on a limb and get it wrong, people stop listening to you.
That’s why, as we unwisely return to the task of predicting the future, F5 Labs is taking a diversified approach that will spread the risk (and attendant glory, if any) around a bit. This year’s group of volunteer prognosticators is a distinguished bunch, encompassing solution architects, analysts, engineers, fraud specialists, former law enforcement and intelligence officers, and the odd erstwhile CISO or two. Our predictions are the stuff we worry about when we’re not worrying about more obvious things. Depending on the way your 2021 went, the following might seem like positive news, or it might not.
Prediction 1: State-Sponsored Actors Will Adopt Cybercrime Toolsets
Often large corporations, government agencies, and even small businesses underestimate the risk that cybercriminals and commodity malware pose. This is primarily due to the “known-known” nature of a lot of these malware strains. The result is that we rely heavily on antivirus software when it comes to fraud and commodity malware.
Well-resourced, determined threats, also known as advanced persistent threats (APTs), have capitalized on the legwork of cybercriminal gangs and use their trusted accomplices to their advantage. Previously, we’ve seen state-sponsored espionage groups conduct operations breaching personal information and stealing credentials along with other personally identifiable information (PII).1 Going forward, we expect to see more APTs, specifically state-sponsored actors, modifying known commodity malware strains and using techniques cybercriminals have become famous for, such as setting up command-and-control (C&C) over Telegram messenger. APTs can watch the cybercriminal landscape and underground markets to assess how well different techniques and technology work, and then capitalize on the ones that work the best or modify them for stealthier, more complex operations.
My prediction: state-sponsored actors will continue to ramp up working with and/or sponsoring cybercriminal operations. The place to look for the newest APT accomplices will be the cutting edge of criminal operations. — Remi Cohen, F5 Networks Senior Threat Intelligence Engineer
Prediction 2: Fintechs Will Front for Collecting Credentials
Financial technology (fintech) companies add value between financial institutions and consumers. For example, Mint is a financial aggregator that gives consumers a bird’s-eye view of their finances across multiple financial institutions. Plaid helps companies, such as lenders, obtain financial information about their loan applicant customers. There are many more examples, but the catch-all term for such a company is a fintech. In order for someone to use the services of a fintech, they need to enable connections between the fintech organization and all of their other financial accounts, which means that first they need to give the fintech the usernames and passwords for all relevant accounts. Some fintechs are well established and reputable, whereas others come and go.
My prediction? In 2022, we will learn that one or more fintechs were nothing more than a front for a criminal organization established only to collect usernames and passwords. — Dan Woods, VP of Shape Intelligence Center
Prediction 3: The Cloud Will Eat Traditional IT
We often hear about a shortage of “cloud computing skills,” which implies two groups of people: those who are skilled in the cloud and those who are not. For IT folks not skilled in the cloud, this represents an opportunity for better earning potential.
That means every IT professional is either considering or engaging in additional cloud training. You can see where this leads. I predict we’re near a tipping point where we won’t need to call out “cloud computing skills” as a separate thing—the cloud will just become a part of default IT skills.
With multi-cloud becoming the new normal, we’ll see an expectation that IT pros are multi-cloud skilled, just as we currently require at least a passing familiarity with both Linux and Windows platforms. The reality is that there is a gradient of experience and capability related to both cloud computing general concepts and specific cloud computing platforms. IT already uses skills associated with cloud-prevalent technology, such as Kubernetes, virtualization, automation/orchestration, and software-defined networking. Over time, we will see a shift in IT management paradigms in which on-premises ways of working will look more like cloud paradigms. Why not manage your local hardware the same way as the cloud? Most multi-cloud and hybrid tools lean that way, so why use two paradigms to manage your tech?
IT will no longer be cloud and non-cloud — it’ll all just be cloudlike IT, even when it’s local. — Raymond Pompon, F5 Labs
Prediction 4: Ransomware Will Target the Rich
It’s no secret that ransomware has wreaked havoc over the last year or two. As part of the 2021 Application Protection Report, F5 Labs opined that it was more useful to think of ransomware as a monetization strategy rather than as a form of denial-of-service—an alternative to enriching stolen data for later use in digital fraud.
Looking at ransomware this way clarifies which organizations make viable targets: all of them. Specifically, every organization that isn’t an even juicier target via some other vector (such as Magecart) is a possible target for ransomware because the attacker doesn’t have to figure out what to do with the stolen data. They just sell it back to the victim. A key element of ransomware, therefore, is carefully choosing a price so that the attacker maximizes their profit without provoking resistance from their victims or retribution from law enforcement or governments.
Given these patterns, I think it is only a matter of time before somebody starts targeting the extremely wealthy on their own personal networks. These targets clearly have the means to pay the ransom, and their information systems are often as complex as those of small enterprises. We already know that many ultra-high-net-worth individuals (UHNWIs, as they are called) have things to hide about their finances, so it also follows that at least some of them might be hesitant about bringing in law enforcement in the event of an attack.2 For all of these reasons, I think 2022 will be the year that this vector will target rich individuals in addition to organizations. — Sander Vinberg, F5 Labs
Prediction 5: Cybercrime and Cyberwarfare Will Overlap Beyond Distinction for Defenders
First, let me say that the term cyberwarfare is used loosely. Official definitions from places like the United Nations involve legal terms like jus ad bellum. Lloyd’s of London has a better de facto definition as part of its cyber-insurance coverage. Its “War, Cyber War and Cyber Operation Exclusion No. 1” clause provides an explicit exception to coverage for losses “directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.”3 Note that the phrase “cyber operation” refers to cyberattacks carried out by either a state-sponsored organization or, significantly, by “those acting on its behalf.”
Why do insurance carriers care about cyberwar? Because it’s happening more and more. In 2021, over a hundred incidents fell into this category.4 Why is that? Because cyberattacks are the easiest and most untraceable way to deny, disrupt, degrade, or destroy an organization.5 Why risk flying a bomber into enemy territory when ransomware will brick an organization’s infrastructure? The more we embrace “digital transformation,” the more vulnerable we become.
When we talk about technology (not just IT) and warfare, you often hear the term dual use. It means a technology can be used for both good (peaceful) and evil (warfare) ends. A good example is the debate around penetration testing tools, used by attacker and defender alike.6 Here’s another way to think about dual use—all cyberattack tools that can be used for cybercrime can also be used for cyberwarfare, from DDoS to ransomware to cryptominers.7 Don’t even get me started on cyber-influence campaigns on social media. We’ve already seen plenty of state-sponsored attacks, like WannaCry, that come with a side of fraud. If your company gets hit by state-sponsored ransomware, was it an act of war or an act of crime? Or both?
With 85 percent of U.S. critical infrastructure in the hands of civilians, what is a military target and what’s not?8 Cyberwar or not, it doesn’t matter. The distinction only seems to matter to cyber-insurers and tut-tutting politicians. What can we all do in the face of state-sponsored attacks, war or otherwise? As Éowyn said in J. R. R. Tolkien’s Lord of the Rings, “Those without swords can still die upon them.”
I apologize if this isn’t much of a prediction. It’s already happening and it’s going to get worse. Perhaps I should just predict when we will all wake up to it. — Raymond Pompon, F5 Labs
Prediction 6: Organizations Will Have More Key Problems
A year ago, I predicted that key problems would be a key problem, and I’m sad to say that I was right. A cryptocurrency exchange recently experienced a theft of $200 million worth of various cryptocurrency tokens after the exchange’s private key was compromised.9 At the same time, several new options for more secure key storage became available in 2021 through the provisioning of hardware security modules (HSMs) in the cloud. These tools can be expensive, and they require a lot of infrastructure to ensure they work properly and make keys accessible around the clock. However, experience has shown that not using them is much more expensive. For this reason, I am sad to predict that in 2022 we will see even greater numbers in key loss and sensitive information theft.
You can, of course, secure private keys by encrypting the key file and using a passphrase, but as the number of keys you manage increases, this can quickly get out of hand—you can easily end up with a duplicate password scenario. For enterprises and large organizations, cloud HSM services should look like the only way to go, but I think that it even makes sense for individual power users. I wish I could say my prediction was farsighted, but I don’t think that’s the case—it’s just a question of whose keys get compromised this year. Get yourself a secure key storage tool and make sure you’re not one of the compromised. — Peter Scheffler, F5 Senior Solution Architect
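One way to check for the first risk this prediction raises, private keys sitting on disk without a passphrase, as an added example that is not part of the article: it walks a directory tree, classifies each PEM private key as encrypted or plaintext from its headers, and also reports key files that other users on the host can read. It assumes PEM-encoded keys (PKCS#8 or legacy OpenSSL format); OpenSSH’s native key format is not covered.

```python
import stat
from pathlib import Path

# Added example, not from the F5 Labs article: audit a directory tree for private
# keys stored without a passphrase, or readable by other users on the host.

PRIVATE_KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",      # PKCS#8, never encrypted under this label
    "-----BEGIN RSA PRIVATE KEY-----",  # legacy PKCS#1; encrypted only with headers
    "-----BEGIN EC PRIVATE KEY-----",   # legacy SEC1; same rule as above
)

def classify_pem(text):
    """Return 'encrypted', 'plaintext', or None when no private key is present."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"  # PKCS#8 wrapped with a passphrase-derived key
    if not any(marker in text for marker in PRIVATE_KEY_MARKERS):
        return None
    # Legacy PEM signals passphrase protection with a Proc-Type/DEK-Info header pair.
    if "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text:
        return "encrypted"
    return "plaintext"

def readable_by_others(path):
    """True when group or other have read permission on the file."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))

def scan_keys(root):
    """Walk root and return a sorted list of (path, finding) pairs worth fixing."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue  # keys are small; skip large binaries and archives
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        kind = classify_pem(text)
        if kind == "plaintext":
            findings.append((str(path), "private key stored without a passphrase"))
        if kind and readable_by_others(path):
            findings.append((str(path), "key file readable by group or other"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for path, why in scan_keys(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {why}")
```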
Prediction 7: Cybercriminals Will Act More Like Businesses
The attacker community has always had specialists to which other threat actors could turn. However, signs are increasing that specialization and division of labor are intensifying in the attacker community. By mid-2019, the GandCrab ransomware network had demonstrated that the affiliate model was a lucrative way to approach ransomware attacks,10 and several dark web monitoring services have documented the subsequent explosion of ransomware-as-a-service (RaaS) offerings.11
Simultaneously, we have observed signs of specialization and division of labor in the fraud community as well. Patrick McKenzie recently wrote about specialization in fraud as a way for attackers to distribute and manage risk.12 Anecdotal observations in the wild have confirmed attackers establishing footholds in environments, then selling that access to the highest bidder, who will take the next step in the attack chain.
The actors who offer these services are beginning to resemble a corporation that employs people with diversified roles and outsources specific activities.13 Over the next year we predict this trend will continue, with more cybercrime corporation “employees” specializing in different parts of the attack chain and malware distribution.
Furthermore, observations indicate that, irrespective of specific attack techniques, we are seeing a shift away from specialization within subsets of subgroups in the attacker community (e.g., among “the Russians” or the FIN6 threat group) and toward a generalized market of specialists who will work with nearly anyone. In other words, we are seeing the beginnings of a truly open market for labor and services on the attacker side.
This has two potential effects: it will make attack vectors more resilient, in the sense that an upstream attacker has their choice of multiple “vendors” for the next phase of an attack and can swap them in and out as necessary; it will also decouple specific stages of an attack, which will help “best-of-breed” approaches proliferate more widely and quickly and make detection and remediation more difficult. In effect, just as it did with textiles in the late 18th century, specialization will make each “sector” of the attacker economy more productive, and we all know how that ended up.14
It is axiomatic in our industry that cybercriminals are here to make money, and cybercrime, like most crime, is a business. What we are observing now is not just individual actors or threat groups making decisions like a business, but the entire attacker landscape coalescing into a mature, capitalist industry composed of businesses that link up with one another as needed. The invisible hand may turn out to be the most dangerous characteristic of the threat landscape. — Sander Vinberg and Remi Cohen
Prediction 8: Supply Chain Compromises Will Continue to Dog Us
If I had to pick a phrase that exemplified 2021, it might just be supply chain. If your home is like mine, your family is tired of hearing it. Stores with empty shelves. Shipping containers sitting empty in one place, and not enough of them in another place. Chip shortages playing havoc with consumer pricing.
Of course, the supply chain you and I are most likely to think about isn’t the consumer supply chain, but the third-party libraries we use in our various applications. Unless you were living under a rock in December 2021, you received a timely reminder about the risks of third-party libraries after Apache Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45056, CVE-2021-45105, CVE-2021-44832) set the Internet, to use the technical term, on fire.
Back in the early days of the Internet, when I was an application developer, we coded from what I guess we would call “first principles,” because there weren’t a lot of libraries available, and we didn’t know about those that were. Today, in contrast, the library ecosystem makes it easier than ever before to grab code from different places and stitch them together to build more complex and capable systems. This is a good thing! It brings to mind that old adage about standing on the shoulders of giants to reach new heights. However, by now it should be clear that it also brings challenges.
Blazing a new trail in software is hard. Even if we’re building something new, we like to follow in others’ footsteps. We like to think that others are smarter, more diligent, and know more about their customers than we do. When we use someone else’s code library, we like to believe that they’ve taken the time to use good coding practices and hardened their application.
This is the source of supply chain problems in application security: assumptions and impatience. Vetting code is laborious, and the decentralized way we build applications now makes it even more so. If we remember that those “other developers” are just like us—in a hurry and right at the edge of our abilities—we can see the magnitude of the task.
I can guarantee another big third-party vulnerability like Log4Shell or Apache Struts from a few years ago. I just can’t tell you exactly where and when. The only way you can protect yourself is to ensure that you are validating the code, inspecting your application stack, and inventorying your libraries. Do you know the application stack that your microservices, which you’re paying somebody to use, are using? If you don’t, chances are that 2022 will be another year of supply chain woe. — Peter Scheffler
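As an added example of the library inventory this prediction calls for (not code from the article), the block below reads the Maven-recorded version out of a log4j-core jar, checks whether the JndiLookup class is still shipped, and flags versions below 2.17.1, the first 2.x release unaffected by the four CVEs named above. The sample jar is constructed inline; the version rule assumes the Java 8+ log4j 2.x line, so the 2.3.x and 2.12.x backport branches for older JVMs need a separate rule.

```python
import io
import re
import zipfile

# Added example, not from the F5 Labs article: inventory a log4j-core jar by the
# Maven pom.properties it carries and flag versions below 2.17.1, the first 2.x
# release unaffected by the four CVEs named in the text. Assumes the Java 8+ 2.x
# line; the 2.3.x/2.12.x backport branches for older JVMs need their own rule.

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = "2.17.1"

def parse_version(v):
    """'2.14.1' -> (2,14,1,1); '2.0-beta9' -> (2,0,0,0), so pre-releases sort lower."""
    main, _, pre = v.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((0,) if pre else (1,))

def inspect_jar(jar):
    """Return findings for a log4j-core jar (path or file object), else None."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES not in names:
            return None  # not log4j-core, or repackaged without Maven metadata
        props = zf.read(POM_PROPERTIES).decode("utf-8", errors="ignore")
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    version = m.group(1).strip() if m else "unknown"
    return {
        "version": version,
        "vulnerable": version != "unknown"
        and parse_version(version) < parse_version(FIXED_VERSION),
        "jndi_lookup_present": JNDI_LOOKUP in names,  # JNDI code path still shipped
    }

def make_sample_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf
```

To inventory a host, run inspect_jar over every file from Path(root).rglob("*.jar"), catching zipfile.BadZipFile; jars repackaged without the META-INF/maven metadata return None here and need a class-path based check instead.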