CyberWire Daily - Cybersecurity predictions for 2022. [CyberWire-X]
Episode Date: January 2, 2022
Industry experts discuss their cybersecurity predictions for 2022, what trends and attacks will be most prevalent in the year ahead, and how organizations should be preparing for the new year. In this show, we cover what they think the industry might see in 2022 (and some we probably won't see). The CyberWire's Rick Howard speaks with Hash Table member Kevin Magee, Chief Security Officer at Microsoft Canada, and show sponsor Keeper Security's CTO & Co-Founder Craig Lurey joins The CyberWire's Dave Bittner on this CyberWire-X and shares his insights on the topic.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everyone.
Welcome to Cyber Wire X, a series of specials where we highlight important security topics affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the Cyber Wire.
And today's episode is titled Cybersecurity Predictions for 2022.
Since we're at the end of 2021, it's time to gather some smart security professionals
and forecast what trends and
attacks will be most prevalent in the year ahead and how organizations should prepare for the new
year. A program note, each CyberWireX special features two segments. In the first part, we'll
hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's
sponsor for their point of view. And since I brought it up,
here's a word from today's sponsor, Keeper Security.
Keeper is the top-rated cybersecurity platform for protecting organizations of all sizes from the most common password-related data breaches and cyber attacks.
Did you know that 81% of data breaches are caused by weak password security?
Keeper is more than a password manager. It's a scalable and customizable security platform
that includes industry-leading features such as automated user provisioning,
role-based enforcement policies, SSO SAML integration,
advanced reporting compliance, breach watch dark web monitoring, and more. Members of the CyberWire
community will receive a free three-year personal password manager when they take a business demo.
Visit keeper.io slash CyberWire to learn more. And we thank Keeper for sponsoring our show.
I'm joined by Kevin Magee. He's the CSO of Microsoft Canada and an old friend of mine,
Kevin. Welcome to CyberWireX. Hi, Rick. Thanks for having me.
We're recording this show right before the holiday break here in the U.S., and as is obligatory of all security podcasts, this is our prediction show for 2022. And, you know, I think it's the law that every InfoSec podcast does one of these,
so we're doing ours. So Kevin and I are going to make some guesses about what the community will
see next year, but I promise we will steer away from lame predictions
like, you know, ransomware will continue. Duh, of course that's going to happen. But we may get into
some ransomware nuance. Let's see where this goes. So Kevin, we're going to start by something you
and I were joking about in prep for this show, about how disappointed you and I were both going
to be for things that we both want to see happen in 2022, but know
that we won't see it for lots of reasons. So let's start with our favorite, adversary playbooks.
Why don't you tell me why you define adversary playbooks when you're out in the world to
your customers? I really thought adversary playbooks would be the way the industry would
be going much sooner. And I'm hoping this year is the year we make the breakthrough. I use
the analogy of we seem to be as an industry trying to catch arrows when we should be focusing on
figuring out how to take on the adversary, which is the archer. Let's talk about what I think it
means, which is, you know, it's the idea that there's about 250 or so known adversary groups,
and this is not attributing to any kind of people or nation state. It's just that
here's a collection of attack patterns that we've given unique names, and they work on the internet
on any given day running various campaigns. But because of the MITRE ATT&CK framework, we know how
most of these groups operate across the intrusion kill chain in terms of tactics and procedures.
So you and I have been saying for the last couple of years that we would love to be able to have prevention controls in place
across our security stack for all the known things that adversaries do,
which we are not doing very well.
And I have this dream with automation, with SOAR, with AI and whatnot,
that we'll be able to fingerprint the adversary.
And as they change their TTP,
we'll be able to modulate the shields in a Star Trek sort of fashion.
Oh, I love that.
I love that analogy.
Okay.
That's a new one for you.
I like it. Yeah.
So maybe this is the year that we make that leap.
I think a couple of things that are making us move forward, the MITRE DEFEND approach to building vocabulary and a framework for countermeasures
as opposed to just to analyze attacks and whatnot.
We're putting together some of the pieces.
MITRE DEFEND, spelled D-3-F-E-N-D because, you know, leet speak,
is an add-on to the MITRE ATT&CK framework funded by the NSA
with the design goal to review adversary techniques and procedures
across the intrusion kill chain
and to devise specific countermeasures for each.
In other words, the ATT&CK framework is a collection of what the cyber adversaries are doing,
and MITRE DEFEND is what we as network defenders can do to stop it.
Taking the same approach that we did for analyzing attacks
and how we define and build a common vocabulary for countermeasures,
I think maybe it's that next piece of the puzzle that could give us that next step to define it.
My dream of self-modulating Star Trek shields around our resilient organizations.
But you're absolutely right.
When I talk to, say, a critical infrastructure customer, they know who the adversary is they're
most concerned about.
So why aren't we focusing on protecting them from that adversary as opposed to the specific techniques?
If you think about the physical world,
if you knew someone, an individual or group
was going to harm you, you would build protections
against that individual or group,
not against knives, poison, gunshots,
or all the actual weapons being used.
So I think there's a huge opportunity we're missing.
It also changes the economics.
The more expensive we can make it for these groups, the more difficult we can make it for these groups to mount successful attacks.
The better chance, you know, we have as a collective defense of really repelling them, almost a herd immunity to their tools, tactics, and procedures.
Well, you mentioned automation, and that's going to be the key here. I think that's one of the main reasons that we have not embraced the MITRE ATT&CK framework
or tracking adversaries by all their tactics and techniques across the kill chains
because grabbing that information and doing something useful with it is really time-consuming.
And the only way to fix it is with some sort of automation DevSecOps kind of thing.
I see things on the horizon, though. I'm wondering what your opinion is about this.
DevSecOps is that other one we keep getting wrong.
Yeah, they're kind of combined there, right?
I think DevSecOps solves a bunch of these problems.
But one of the things on the horizon that I see hope,
I see a glimmer of hope is XDR.
XDR has been around for, I don't know,
the idea of it since about 2018 or so.
And now vendors are starting to crank this thing out and sell it as a robust tool.
But here's what I like about it, Kevin. You tell me if I got this wrong.
Before, you had to go out and buy a complete suite of tools to do everything. And then you
had to automate all of that. And it was just really
hard. What I like about XDR is it's just connecting to the tools that you already have through APIs,
right? And automating what you could do. You could automate the telemetry collection from the tools,
whatever tools you have. And then if you're really good at this, you could automate the
update to the configuration files. The vendors building these XDR tools
don't have to have a tool for everything.
They can just plug into what customers already have,
which will facilitate the automation of this.
How off-base do you think I am for this?
Well, there's my prediction.
I think we're going to finally give up
trying to solve the great big problem
and look at these are the tools we have available.
How do we best utilize them?
And automation, where I think a lot of the problems have been,
we've been trying to go full automation.
So my prediction will be we'll find the middle ground.
We'll become cyborgs, where human-computer interaction will be the way.
Some things that are automated and some things are integrated,
but then we'll have that human-driven.
Much like we're seeing the adversaries do with human-driven ransomware
and whatnot, where they're using tools and techniques,
where they automate portions, where they make decisions. I think the promise of SOAR was always
it was going to be fully automated and we wouldn't need analysts. I think we're coming to
realization that's not the case. We're going to see technologies like XDR that automate portions
using an existing infrastructure you have or different tools you have,
but then really just extend the abilities of the analyst in a lot of ways so we can get more value or more work effort out of every analyst
because we can't just throw more people at these problems.
It's not possible. They don't scale.
All right, so let's move to another one you have.
I thought this was really interesting. I had not considered this,
although this has been one of my horror stories since I was a young InfoSec person, you know, back in the day.
You mentioned in our prep work that ransomware, we've seen criminals do availability attacks,
like they encrypt everything so you can't get access to your data, or they do a confidentiality
attack where they extort you. They say, if you don't pay us, we're going to release this to the public. So both of those things were going on in the last year. But your
third one that you're going to see is more prominent is integrity attack vector. Can you
explain what you mean by that? Yeah, I haven't really seen evidence of this yet, but I'm
searching for it. It's got to be coming because we see constant innovation in ransomware. It was
something that just executed,
you know, dropped on your machine, went after a certain amount of money, and if you paid it great,
if you didn't, it was all a volume business. Then it became a very much more sophisticated business.
Specialization started to occur. And then there was competition among cyber criminals, you know,
for encrypting systems with one vector. We saw the double extortion threat vector being used very effectively either for leverage
or for additional revenues
for the cyber criminal gangs.
I see an innovation at some point
where we look at data integrity
where the threat actor maybe says,
hey, I changed a number of blood types
in your hospital information system
as a ransom vector or whatnot.
What really worries me about this
is you can tell when your
systems are encrypted. They either are or they aren't. You have access to them, they don't. You
can be given a sample document to know if you've been doxxed or they're threatening to extort.
With integrity attacks, it's going to be very difficult to determine whether they're legitimate
or not and to what degree the cyber threat actors will be able to leverage these types of techniques
to build new innovative ransom scenarios.
So those are the type of thing that I'm thinking about.
I'm using some game theory approaches, some tabletop, and just asking other folks, how
can we start thinking about and preparing for attacks like this before the threat actors
innovate in this direction?
The third prediction you made, Kevin, was interesting to me too.
I think you're predicting that the cyber insurance market is going to collapse. Am I exaggerating
that or what are you saying? Well, I don't think that cyber insurance is going to collapse, but
these renewals are coming up now with a lot of businesses that wrote paper two, three years ago,
and it's getting much more expensive. So there is a business imperative now for governments to start taking
action to solve some of these cyber criminal problems, because they are now business problems.
If you can't operate a vehicle without insurance, are you going to be able to operate a business
in the future without cyber insurance? These are the type of challenges that policymakers
and legislators are going to have to wade in on.
And they have avoided it to this point
because it's been sort of on the fringes.
It's now starting to impact national security.
It's starting to impact the economy in big ways.
And we have relied on mitigating the risk
by outsourcing it to a third party, i.e. insurance.
I think in a lot of cases,
businesses are just not going to be able to afford
to write some of these renewals.
What are we going to do next?
So my prediction is that the rising price of cyber insurance
is going to force legislators and policymakers
to take some action that maybe they've been holding off
in ransomware and maybe some drastic action
in the very near future.
Well, the thing I've been disappointed with in the insurance
market is something you and I both agree on is our ability to forecast risk. This is something
that cybersecurity people are really bad at. But I, you know, these cyber insurance people,
they have all the math people. They understand, you know, predicting when bad things will happen
and they can, they've known how to do this in other areas of our lives, you know, in order to make a profit in that business world.
I'm really disappointed that they haven't been able to figure this out that, you know, this is
30 years into cybersecurity. And I've even read some articles this year, this past year,
that they've given up on it because their prediction models are so bad.
They haven't come up with a way to forecast risk in these areas.
I don't know.
Are you seeing any of that in your readings?
I think the actual actuarial tables,
and I'm not an expert in this area,
are comprised of data over decades.
So you think about car safety.
There's been some iterations,
but I mean seatbelts,
let me edit airbags and whatnot,
but there's enough data
and there's enough people driving cars and there are enough known situations, intersections, highways, and whatnot, that they can control the variables.
The problem is with our industry, things change on a dime.
When there's a new exploit found or a zero day, it can really just completely change the threat landscape.
And I think it breaks the models of insurance that were built on sort of physical insurance, fires, accidents and whatnot. And it's hard to extrapolate that. And there just
isn't enough data. Maybe it's a longer stretch of data, or I don't know what the models will be.
But I know it's definitely, the models are not as accurate as they should be, which means prices
are driving up,
which means that we're going to have to start looking at a different approach to insurance.
This is where I push back a bit too. You and I, we're both students of the game. We've read all the most important cybersecurity risk forecasting books, like Superforecasting by
Tetlock, How to Measure Anything in Cybersecurity
Risk by Hubbard and Seiersen, and Measuring and Managing Information Risk, a FAIR Approach
by Freund and Jones.
And we know that especially for cybersecurity, we all live in a stochastic world, meaning
that there are no concrete answers like an on-off switch, answers to the hard problems
like the ones that insurance companies are trying to forecast, like what are the chances that this specific customer will file
a legitimate claim of material impact due to a cyber incident that the insurance company will
have to pay out. That calculation doesn't reside in old-fashioned actuarial tables. That data
doesn't exist. But you can find the answer in projected probability distributions.
And scientists have used that technique to solve some of the hardest problems when data was scarce.
Turing used probability distributions to crack the Enigma machine. And the scientists at Los
Alamos used the technique to build a nuclear bomb. And Kevin, our favorite author, Neal Stephenson,
in his book Seveneves, writing about rocket ships trying to avoid space debris in orbit,
his Neil deGrasse Tyson character says that at a certain point, the math calculation ceases to be Newtonian and is more about probability.
In other words, missing debris in space is not about plugging numbers into a math formula and finding the correct course.
It's more about calculating the likelihood of
missing debris across a distribution of possible courses and making your best guess. And I know
that makes people uncomfortable not being able to know the answer, but that method works for
complex problems and cyber insurance is a really complex problem. And I'm just frustrated that the
cyber insurance companies haven't figured that out yet. And it may be the government taking action to say, it's just like you can't operate a vehicle without insurance.
You can't get a mortgage for your house without insurance.
It becomes ingrained in just how we do business in the future.
But my prediction is they no longer can ignore it in the coming year, that government policymakers are
going to have to start thinking about this and taking action. Or losses are going to be
catastrophic to the economy in general and continue to mount. In a time where inflation's
rising, the pandemic is causing unemployment and whatnot, this cannot be allowed to continue.
So that's my prediction, and I'll likely be wrong at the end of next year,
but it'll be interesting to see how it progresses this year.
I will hold you to it next year, my friend.
I think you and I can literally talk about this for the next 17 hours,
but let's cut it off there.
Is there any prediction you want to make that we haven't covered yet?
I just think having read Ghost Fleet,
the thought exercise at the beginning, the opening,
what would a next generation cyber war look like?
I've become fascinated with satellites as an endpoint.
And I'm looking at what are the new endpoints of the future? Rick and I have discussed cars and went on the past.
Satellites, drones, some of these new technologies.
At what point do we start to see traditional attacks like ransomware or whatnot used in those spheres?
If you were to capture and lock out the GPS satellites or communication satellites, you know, as an attack vector,
is that going to be an attack vector we see in the coming year?
Because that would be a very ripe target for cyber criminals that have the technical ability to do it.
So I foresee satellites, drones, and some of these other non-traditional endpoints become threat vectors for not just nation states but cyber criminals in the coming year.
Well, I love that prediction, especially as we expand internet connections out to space.
I know there's a couple of companies launching satellites
trying to figure out how to extend the backbone up there.
And that's a whole nother phase
that we haven't even considered.
So I'm glad you threw it on this program.
That's a really good one.
Maybe it's not Star Wars, it's lasers and lightsabers.
Maybe it'll be hackers at keyboards
fighting the next or the first space war.
I'm not really sure.
Finally, I have a cool job.
I love it.
But I think we'll take the cyber threat landscape
to space in the coming year.
All right, perfect, man.
Well, thanks, Kevin.
Thanks for coming on the show
and giving us your predictions for 2022.
And I'll definitely bring you on
for the end of your show next year
so you can see how good you did.
Thanks, Rick. Can't wait to see what we get wrong this year and do it again next year.
Next up is Dave's conversation with Craig Lurey, CTO and co-founder of Keeper Security, our show's sponsor.
Before we jump into some predictions here for 2022, let's take a minute and just sort of look back on 2021. I know one of the things that you and your colleagues at Keeper
predicted as we went into 2021 was that we were going to see ransomware continue to be an issue here. And
I think it's fair to say that you all nailed that one. When you look back on our ransomware
situation in 2021, why do you think it was so bad? There's several factors. One of them is that,
you know, we have so much technology in our lives now, and we've got a lot of vulnerabilities in software, and you've got the expansion of that whole surface area, that whole attack surface is just expanding.
So you have people working from home.
You have now, instead of being in an office in a physical location, you have people from their houses that are accessing secure assets. And so now you're and legacy devices that are now on the internet.
Now you're dealing with things like your home networking devices.
You know, when was the last time you thought about deeply what router you have?
And is the router software up to date at your house?
Or have your kids shared the Wi-Fi password with somebody and, you know, and someone that shouldn't have access has access?
So you've just expanded this surface area, this attack surface, just so much wider. Yeah. As we head
into 2022, what do you suppose people can expect on the ransomware front? Well, I think, I mean,
government's cracking down a lot more on it, right? So there's more prevention that's happening and people are, especially enterprises, are starting to deploy more protection for users.
They're starting to deploy things like getting rid of traditional VPNs and going with more zero trust models where non-VPN solutions are used to access assets. So I think that while there is a ton of
protection that's going into play there, but also you see things that happened like last week with
the Log4J vulnerability, things like that that are happening that are continuing to expand.
And I think that you'll see more vulnerabilities like this,
that it just exposed services and users as we go into 2022. I mean, you just,
just in the last week, a lot of things have happened.
Yeah, absolutely. I think it's fair to say that ransomware is here to stay. You know,
one of the things that I think really took off in prominence
throughout 2021 was zero trust and that sort of coming to the fore as a concept. And lots of
organizations are promoting that. Do you think zero trust is here to stay as well?
Well, I do because, you know, the language is now kind of everywhere, you know, marketing language, product language.
So it's kind of the new buzzwords in cyber.
But also you have government agencies that are now demanding that their software vendors are adhering to zero trust.
And that's not just in the U.S., that's around the world.
So you have just more
awareness of that. You have people fully understanding now that traditional VPN solutions
and trusting the perimeter is really not the way to protect data and to protect applications. So
I do think it's here to stay. And I think that you're going to just see more and more products talking about zero trust. You're just going to see that companies and
software and decision makers are going to be making the decision to choose products that
are zero trust because they want to get out of that legacy mindset of trusting the perimeter.
Do you have any insights for organizations looking to
adopt zero trust or increase how much they rely on it? I mean, it's my understanding that zero
trust really is a journey that, you know, it's not just a sort of a switch that you can throw.
Is that an accurate perception? Yeah, it is because, you know, it's not like you can just
go into a little configuration screen and click the box, you know.
So it's the kind of thing where you have to look at all of your assets.
You have to look at all of your services.
How do people access it?
What are your requirements?
You know, maybe, you know, zero trust for you means something completely different than someone else.
So I think it really just comes out to what services you need your users to access,
where does it need to live? How is it going to be locked down? How is access control configured?
You know, what identity provider you're going to use, you know, so really, it comes down to a lot
of choices. And I think it's really more of a strategy. And just understanding that when you
deploy new software, or you deploy like an identity product, that you have to consider that users are not within an enterprise VPN anymore.
They're everywhere.
And so it's just a lot of decisions for a lot of different products.
Yeah.
So it's not just one little check the box sort of thing.
It's just a new mindset.
You know, as we look toward 2022,
what sort of recommendations do you have for organizations to prioritize the things that they can do to protect themselves? Is there a particular order that you put things in?
Well, I mean, for us, you know, obviously we're in the password security space, so we see that as the primary line of defense.
Protecting your passwords, protecting your secrets, your assets that have access into other parts of your infrastructure is obviously critical.
So we're always leading with that as being a critical aspect of protecting the organization.
And, of course, there's ensuring that you have endpoint protection and you have, you know, cloud-based, secure monitoring and endpoint protection of all of your assets.
So all of your end users in their homes, all of the physical devices, the mobile devices.
So Zero Trust is going to protect all the different services
and target infrastructure and applications and things like that.
But if you think about the devices and how the data is protected,
the things you have to think about are how do you protect the secrets,
the passwords, the credentials that are being used by the users? And then how do you protect their physical devices using that endpoint protection? You know, if I ask you to look into
your crystal ball, which I acknowledge is an unfair thing to do, but I'm going to do it anyway.
What do you suppose we're going to see this coming year
in terms of hot trends? Is there anything that you think is going to rise to the top?
Yeah, well, I think that last week was a great indication of what's to come. There's a huge
vulnerability on the internet was released and disclosed with some open source software. And I think what we're going to see is
a lot more research going into vulnerabilities, the low hanging fruit, you know, things like that.
And so I think attackers are going to look for those types of attack vectors. And especially
with what happened recently with Log4j and those types of issues where there's potentially massive impact for a very small amount of effort.
That's what these attackers are going to go after.
So I think we're going to see more of that, and hopefully more effort and funding into protecting these open source assets,
things that are being used by enterprises all around the world.
As we head into the new year, are you optimistic that we're going to be able to gain some ground on these things?
Well, I think so.
There's a lot of work being done by white hat hackers, you'd call them, you know, or people that are the good people doing research work and vulnerability research.
So that whole space is expanding.
So there's a lot of good people doing research to protect, you know, organizations. But, you know, I think just increased expansion of the good hackers,
you know, the white hat hackers and more attention being paid into the utilities and the services that are open source, especially that are being utilized by most companies around the world.
Protecting that is going to be something that is going to be critical. And then also, you know, as zero trust products come onto the market, especially around password management like Keeper and secure data management, zero knowledge management of data is critical.
You know, understanding where is your data?
Is it encrypted?
Who's protecting it?
What systems do they have in place? What infrastructure are they using? So I think more and more companies are just
understanding the need for products like that. And there's a large expansion of these privacy
focused products. And that's a wrap. We'd like to thank Kevin Magee, the CSO of Microsoft Canada,
and Craig Lurey, the CTO and co-founder of Keeper Security, for being on the show.
And lastly, we would love to hear from you.
If you have any questions about what we covered on this CyberWire X episode
or suggestions for topics in future shows, send them to cwx at the cyberwire, all one word, dot com.
Cyber Wire X is a production of the Cyber Wire and is proudly produced in Maryland at the startup
studios of Data Tribe, where they are co-building the next generation of cybersecurity startups and
technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe.
And on behalf of Dave Bittner, my co-host,
this is Rick Howard signing off. Thanks for listening.