Over recent years, organisations have quickened the pace at which they migrate applications to multiple clouds and leverage new software architectures to increase the agility and feature velocity of their application development.
According to my company’s The State of Web Application and API report, 70% of production web applications now run in cloud environments. This increase in distributed and hybrid infrastructure and application complexity is creating even more challenges for organisations in keeping the wide attack surfaces under control.
The report reveals that approximately one-third of respondents anticipate that their organisation’s most significant application security concern over the next two years will be maintaining a coherent security policy across heterogeneous environments. Nearly as many respondents believe that their most significant concern will be gaining visibility into the security events impacting their organisation.
Despite the implementation of new security technologies, organisations continue to struggle to maintain visibility and consistency of security policies across the heterogeneous collection of platforms, infrastructures, and technologies.
There are five key challenges for securing hybrid environments. These include emerging threat vectors, broader attack surfaces, agile software development and DevOps cultures that often leave security as a secondary priority, and multi-cloud deployments that convolute the implementation of coherent security policies. Many organisations have simply been unable to overcome all of these challenges.
Hackers for hire
Meanwhile, attackers have been organising their underground ecosystems and gathering followers from skilled hackers-for-hire and affiliates, who are happy to enjoy the profits of large extortion campaigns. For example, the Avaddon, SunCrypt and Ragnar Locker ransomware gangs have been known to use DDoS attacks to put additional pressure on their victims.
Ransomware groups regularly post messages to hire experts in domains such as backup technology, not to fix backups but to destroy them, and to conduct high-profile DDoS attacks. For example, cybercrime gang Lockbit was found to be posting ads to recruit affiliates, including Mēris botnet operators.
The incentives are large. A survey of 300 US-based IT decision-makers found 83% of ransomware victims paid the ransom demand. And the demand for hacking skills and underground resources has been growing ever since ransomware operators began conducting successful campaigns.
With highly motivated threat actors looking for payments from organised cybercrime groups, attacks have shifted from automated to human-operated attacks. Agari researchers determined that most leaked password reuse was done by humans and not automation. It is one thing to defend against automation, but far more difficult to defend against human intelligence and perseverance driven by multi-million-dollar payouts.
Because authorities around the world are making efforts to crack down on criminals and roll up parts of their organisations, criminals might be tempted to hit back where it hurts the most.
The attacker economy is currently out of balance with defenders' security budgets. There is little to no opportunity to take out the hacking economy by putting up more barriers and making it more costly and time-consuming for attackers to breach organisations and infrastructures. These threat actors are sitting on a mountain of crypto gold. The US Treasury recently said that $5.2 billion in Bitcoin transactions can be tied to ransomware payments over the past two years.
In just one example, US travel services firm CWT Global paid a reported $4.5 million in July 2020 to the Ragnar Locker ransomware gang. A recent report from Unit 42 security consulting group indicated that the average ransomware payment increased 82% since 2020 to a record $570,000 in the first half of 2021. That increase follows a reported 171% increase over 2019.
Cybercrime here to stay
Even if the ransomware issue is resolved more quickly than expected, criminals will pivot and find new ways to monetise crime. The security community will have to be vigilant, and organisations will need to make considerable efforts to keep their attack surfaces under control.
Unfortunately, 2020 and 2021 brought in a new dawn for cybercrime and information security, and it’s not going away any time soon — certainly not in 2022.