In summer 2017, on the heels of the WannaCry campaign, we made a series of predictions about the future of web attacks. These predictions were primarily oriented toward emerging capabilities of the most sophisticated attackers. The fact that, in the intervening years, most web attacks remain unsophisticated and imitative has only masked the growth in sophistication and capability among elite attackers—until now.
As details trickle in about the recent state-sponsored UNC2452/SUNBURST attack campaign against public- and private-sector targets in the United States using the SolarWinds Orion product, it is clear that sophisticated state-sponsored attackers have combined tradecraft, ingenuity, and patience to accomplish something historic. One of the things that stands out to us is the use of a novel, domestically hosted command-and-control domain to help avoid detection—just as we predicted when the U.S. government’s exploitation techniques were first stolen.1
Meanwhile, in April 2020, as the effects of the COVID-19 pandemic started to pinch on a mass scale, we made some predictions about what the pandemic would mean for cybersecurity, and how the rest of the year would unfold for IT and security staff. One of those predictions was a proliferation of new tech startups, as newly unemployed workers took the opportunity to pursue ideas now that they were freed from the golden handcuffs of a steady job. Indeed, the 2020 startup boom we predicted has materialized.2
And so, instead of retiring from the prediction game undefeated, we’re unwisely following these predictions with more. Here are our prognostications for cybersecurity in 2021, based on the trends in attack, defense, and business models that F5 Labs has measured and documented—with the unfortunate caveat that the entire SolarWinds scenario has thrown everything into disarray.
Prediction 1: The confluence of legitimate mail and phishing will ruin email
Phishing is a growing problem. The 2019 Application Protection Report found that at least 15% of the confirmed breaches in the United States in 2019 were directly attributable to phishing. The 2020 Phishing and Fraud Report found a 15% annual increase in phishing attacks in 2020 as well as an increase in phishing domains using HTTPS and sophisticated URLs.
If current trends continue, phishing is going to compromise users’ trust in email to the point that it will essentially render email useless. However, the trend that stands to make phishing so damaging isn’t an attacker tactic at all, but a business trend. It is harder to distinguish phishing emails from real ones, not because phishes look like real emails, but because real emails increasingly look like phishes.
The growth in outsourced customer services like content delivery networks and satisfaction surveys means that many of the emails we get from trusted organizations don’t come from trusted domains. Paired with the widespread sales of user data for marketing purposes, the result is that we are inundated with nonmalicious but opaque emails that, at scale, make email nearly worthless. Take, for example, a survey request I received in October 2020. The organization ultimately responsible for the mail, a well-known security vendor, is not represented in the link at all. The email offers a $10 Amazon gift card in exchange for following this mess: https://b2b-surveys.mautic[.]net/r/a8aeed6a9ce6984171b49417b?ct=YTo1OntzOjY6InNvdXJjZSI7YToyOntpOjA7czoxNDoiY2FtcGFpZ24uZXZlbnQiO2k6MTtpOjI2NjA7fXM6NToiZW1haW4iO2k6MTg4O3M6NDoic3RhdCI7czoyMjoiNWY5OThkODg5ZWI5OTE0MTczNjczMSI7czo0OiJsZWFkIjtzOjY6IjkyNTg1MSI7czo3OiJjaGFubmVsIjthOjE6e3M6NToiZW1haWwiO2k6MTg4O412&. No clear-headed person would click on that link in exchange for $10.
As attackers learn to use Transport Layer Security and fix typos and grammar before they launch phishing campaigns, the security field has begun to train users to examine domains and certificates to vet an email. At the same time, business models have resulted in a proliferation of mail that is practically indistinguishable from a phish. We are not far now from a future in which it will be impossible for a user to read unsolicited email and follow security awareness training at the same time. If businesses want to continue to use email for marketing and sales, they need to change their marketing and sales practices. At present we are literally training our users to act like phish bait, and that—not any new attacker ideas—is what will make phishing dangerous in 2021. Sander Vinberg
We are training our users to act like phish bait
Prediction 2: Pandemic changes will increase the efficiency and prevalence of currently known attacks
The global COVID-19 pandemic is changing how many of us do things, in ways that are still coming to light. Retail sectors that previously paid little attention to online ordering and delivery are having to rapidly spin up new e-tail operations, and a number of new companies are emerging to fill in the gaps. To enable critical business activities, companies are having to deploy remote access solutions to undersecured home networks and allow greater leniency when it comes to access control.
Both these trends offer expanded opportunities for threat actors, providing them with targets with a lot of information and money, and that, in a rush to market or deployment, may be less than well-secured.
Due to these trends, we expect to see a major uptick in breaches and stolen credentials as well as fraud targeting things like gift cards. Additionally, we anticipate more malware landing on home systems and the development of large IoT botnets, as attackers use these new opportunities to find ways to exploit undersecured home networks. Malcolm Heath
Prediction 3: Increased use of alternative social media and chat apps will provide new opportunities for malware campaigns
The last few years have seen a number of new developments in terms of social media applications. Several large chat platforms, ranging from Signal to Slack to Discord, have exploded in popularity. A plethora of screensharing tools, such as Zoom and Microsoft Teams, has become critical for both business and pleasure. Bespoke software for telemedicine enabled care to continue during the COVID-19 pandemic. As the social media industry strengthened its position on what it allows on its platforms, we saw a sudden increase in alternative social media platforms like Parler. We expect these tools to be the conduit for at least one major malware or phishing campaign. Weaponized viral content distributed via undermoderated platforms targeting less savvy users is a potent combination, and we’d be surprised if malware actors don’t seize this opportunity. Malcolm Heath
Prediction 4: The failure of vulnerability management will make software providers realize they need to rewrite old code—but most won’t do it
If we are frank, vulnerability management on the web is a failure. Even when they are not exploiting zero-day vulnerabilities, attackers rapidly weaponize critical vulnerabilities by publishing proof-of-concept code as quickly as two hours after a vulnerability is released. Meanwhile, on the defensive side, it takes an average of 100 days for organizations to patch a critical vulnerability. And vulnerabilities targeted in attack campaigns (typically critical remote code execution vulnerabilities) exist for an average of 2.1 years before being patched. When FireEye’s attack tools were compromised as part of the UNC2452 campaign, it cast yet another spotlight on critical vulnerabilities with known exploits. The enormous gap in time between attacker targeting and defensive remediation gives attackers enormous advantages. The industry needs fundamental change. Simply saying “just do a better job patching,” when that has always been the desire, is frankly crazy.
If we value a stable Internet, we need to do something drastic about vulnerable software
Why does vulnerability management fail? There are a couple of reasons:
- Enterprise IT teams can’t keep up with all the vulnerabilities because secure coding hasn’t been, and still isn’t, a priority across all organizations that write software. In a recent F5 security event where 300 participants responded to live polling, 21% of respondents said they have implemented a DevSecOps program, 43% said “somewhat,” and 37% had not begun to implement DevSecOps.
- The complexities of vulnerability mitigation, spanning from a “simple” hotfix to a full upgrade that requires scheduled downtime, prevent defenders from remediating vulnerabilities before attackers target them.
Unmitigated vulnerabilities cause breaches, the spread of malware like ransomware, and allow for the growth of bots that are now debilitating the Internet with attack traffic. The Internet’s arteries are clogged with malicious attack traffic—depending on the sensitivity of the target, 50% to 90% of all application traffic consists of malicious attacks. If we value a stable Internet, we need to do something drastic about vulnerable software.
In the face of this chaos and these challenges, we predict that broad consensus will build across the SecOps and DevOps communities (who also struggle with talent turnover and managing code they didn’t create and don’t understand) that the right path forward is to rewrite software of a certain age. The only exceptions will be old code that is still managed by people who wrote it, securely. However, despite this consensus, focusing on revenue over everything else means that investing in rewriting won’t happen at scale. Brands that do could reap trust and integrity rewards similar to Microsoft’s Trustworthy Computing initiative in 2002.1 What will happen is SecOps and DevOps coming closer together on common goals because, after all, security is the biggest threat to availability. Sara Boddy
Prediction 5: Companies will face more challenges with certificate management
With pressure from big players like Apple and others to reduce the lifetime of certificates, organizations will be challenged to build infrastructure to manage them. With the average number of certificates increasing in the enterprise space, tools like Let’s Encrypt’s certbot, Lemur, and Venafi will roll out in greater numbers.
We also predict that key protection—the other side of certificate management—will continue to be a blind spot for many organizations. Locking down access to keys is usually done with access control lists (ACLs), but with increased east-west attacks, these ACLs are less effective. Securing with OpenSSL passphrases or hardware security modules in larger organizations will be a trend as well. Cloud tools like Microsoft’s Azure Key Vault or Amazon Web Services’ creatively named Key Management Service will continue. Microsoft even added support for Key Vault in Visual Studio Code, a strong indication of how much usage has increased. On-premises hosting will endure in larger organizations, but cloud solutions are opening an avenue for smaller organizations to adopt a more secure footprint. Peter Scheffler
Prediction 6: Attackers will start hijacking smart homes
We predict that taking smart homes hostage will emerge as a threat. Imagine coming home and being unable to get into your house because an attacker has hijacked your smart automation system. Sure, you could use a physical key, if you still carried one. But that’s somewhere in a kitchen drawer because you live in the modern age and keys are a quaint remnant of days gone by. Individual systems—such as digital car locks—are already being exploited. It’s folly to think that home automation vulnerabilities won’t eventually hit the headlines. We know that ransomware pays, and this is just another opportunity to make quick cash by taking control of something important to end users. Lori MacVittie
Prediction 7: Unauthorized data manipulation will become more common
Data has become increasingly important for every facet of modern business. It separates facts from opinions and powers decision making. Unfortunately, this also means that attackers can manipulate data to trigger our biases and cloud judgement, whether the data is about elections, trending topics, or ratings on an ecommerce platform. Manipulation like this can lead to detrimental decisions, both in business and in daily life.
As with most forms of cyberattack, scale, and therefore automation, is key to data manipulation. We have seen bots being used to scrape, snipe goods, conduct DDoS, exfiltrate data and even to skew metrics in digital assets. These techniques will compound issues arising from data manipulation in 2021. Similar to other bot-based attacks like sneakerbots, automated data manipulation will continue to blur the definition of what constitutes an attack. Shahnawaz Backer
Prediction 8: New cybersecurity regulations will be implemented
We're definitely going to see some new regulations in the cybersecurity/privacy space. Considering all the shenanigans of 2020 and the continued mutterings around tech breakups, it seems that changes are coming. We could see an expansion of the California Consumer Privacy Act of 2018, either within California or laterally to other states or the federal level. Could we see a law like the EU’s General Data Protection Regulation in America? Maybe.
We could also finally see a federal breach notification act or expansion of breach notification that moves beyond leaking individual information to include corporate secrets (after all, the SUNBURST attack didn't involve personal data and therefore isn't subject to breach notification). Most political discourse moves through social media platforms, yet much of it is bot traffic pushing fake news. We can expect lawmakers to look at adjustments to Section 230 of the Communications Decency Act, which makes the person who writes the fake news responsible and not the social media platform that amplifies it. We could see stricter rules around ensuring that creators of user-generated content are clearly identifiable as human, and that harmful content (whatever it’s deemed to be) is curtailed. We could also see this crossing over into privacy regulation, since political messages have also been sent via microtargeted ads based on psychological profiles, which are hidden to everyone not directly involved. It's going to be an interesting year. Raymond Pompon