Cybersecurity predictions for 2022.
Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And today's episode is titled "Cybersecurity Predictions for 2022." Since we're at the end of 2021, it's time to gather some smart security professionals and forecast what trends and attacks will be most prevalent in the year ahead and how organizations should prepare for the new year.
Rick Howard: A program note - each "CyberWire-X" special features two segments. In the first part, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show's sponsor for their point of view.
Rick Howard: I'm joined by Kevin Magee. He's the CSO of Microsoft Canada and an old friend of mine. Kevin, welcome to "CyberWire-X."
Kevin Magee: Hey, Rick. Thanks for having me.
Rick Howard: We're recording this show right before the holiday break here in the U.S. And as is obligatory of all security podcasts, this is our prediction show for 2022. And, you know, I think it's the law that every infosec podcast does one of these, so we're doing ours.
Rick Howard: So Kevin and I are going to make some guesses about what the community will see next year, but I promise we will steer away from lame predictions like, you know, ransomware will continue. Duh. Of course that's going to happen. But we may get into some ransomware nuance. Let's see where this goes.
Rick Howard: So, Kevin, we're going to start by something you and I were joking about in prep for this show about how disappointed you and I were both going to be for things that we both want to see happen in 2022 but know that we won't see it for lots of reasons. So let's start with our favorite - adversary playbooks. Why don't you tell me why you define adversary playbooks when you're out in the world to your customers?
Kevin Magee: I really thought adversary playbooks would be the way the industry would be going that much sooner. And I'm hoping this year is the year we make the breakthrough. I use the analogy of, we seem to be, as an industry, trying to catch arrows when we should be focusing on figuring out how to take on the adversary, which is the archer.
Rick Howard: Let's talk about what I think it means, which is, you know, it's the idea that there's about 250 or so known adversary groups. And this is not attributing to any kind of people or nation-state. It's just that here's a collection of attack patterns that we've given unique names, and they work on the internet on any given day running various campaigns. But because of the MITRE ATT&CK framework, we know how most of these groups operate across the intrusion kill chain, in terms of tactics and procedures.
Rick Howard: So you and I have been saying for the last couple of years that we would love to be able to have prevention controls in place across our security stack for all the known things that adversaries do, which we are not doing very well.
Kevin Magee: And I have this dream with automation, with SOAR, with AI and whatnot that we'll be able to fingerprint the adversary. And as they change their TTP, we'll be able to modulate the shields in this "Star Trek" sort of fashion.
Rick Howard: Oh, I love that. I love that analogy. OK. That's a new one for you. I like it.
Kevin Magee: Yeah. So...
Rick Howard: (Laughter).
Kevin Magee: ...Maybe this is the year that we make that leap. I think a couple things that are making us move forward - the MITRE D3FEND approach to building vocabulary in a framework for countermeasures as opposed to just to analyze attacks and whatnot. We're putting together some of the pieces.
Rick Howard: MITRE D3FEND - spelled D-3-F-E-N-D because, you know, leet speak - is an add-on to the MITRE ATT&CK framework funded by the NSA with the design goal to review adversary techniques and procedures across the intrusion kill chain and to devise specific countermeasures for each. In other words, the ATT&CK framework is a collection of what the cyber adversaries are doing, and MITRE D3FEND is what we, as network defenders, can do to stop it.
Kevin Magee: Taking the same approach that we did for analyzing attacks and how we define and build a common vocabulary for countermeasures I think maybe is that next piece of the puzzle that could give us that next step into finding my dream of self-modulating "Star Trek" shields around our resilient organizations.
Kevin Magee: But you're absolutely right. When I talk to, say, a critical infrastructure customer, they know who the adversaries they're most concerned about, so why aren't we focusing on protecting them from that adversary as opposed to the specific techniques? If you think about the physical world, if you knew someone - an individual or group - was going to harm you, you would build protections against that individual or group, not against knives, poison, gunshots...
Rick Howard: Right.
Kevin Magee: ...All of the actual weapons being used. So I think there's a huge opportunity we're missing. It also changes the economics. The more expensive we can make it for these groups, the more difficult we can make it for these groups to mount successful attacks, the better chance, you know, we have as a collective defense of really repelling them - almost a herd immunity to their tools, tactics and procedures.
Rick Howard: Well, you mentioned automation, and that's going to be the key here. That's - I think that's one of the main reasons that we have not embraced the MITRE ATT&CK framework or tracking adversaries by all their tactics and techniques across the kill chains, because grabbing that information and doing something useful with it is really time-consuming. And the only way to fix it is with some sort of automation, DevSecOps kind of thing. I see things on the horizon, though, and I'm wondering what your opinion is about this.
Kevin Magee: DevSecOps is that other one we keep getting wrong every year.
Rick Howard: Yeah (laughter). They're kind of combined there, right? I think DevSecOps solves a bunch of these problems.
Rick Howard: But one of the things on the horizon that I am - I see hope, I see a glimmer of hope is XDR. XDR has been around for - I don't know - the idea of it since about 2018 or so. And now vendors are starting to crank this thing out and sell it as a robust tool.
Rick Howard: But here's what I like about it, Kevin. You tell me if I got this wrong. Before, you had to go out and buy a complete suite of tools to do everything. And then you had to automate all of that, and it was just really hard. What I like about XDR is it's just connecting to the tools that you already have through APIs - right? - and automating what you could do. You could automate the telemetry collection from the tools, whatever tools you have. And then if you're really good at this, you could automate the updates to the configuration files. The vendors building these XDR tools don't have to have a tool for everything. They can just plug into what customers already have and - which will facilitate the automation of this. How off base do you think I am for this?
Kevin Magee: Well, there's my prediction. I think we're going to finally give up trying to solve the great, big problem and look at, these are the tools we have available. How do we best utilize them? And automation - where I think a lot of the problems have been is we've been trying to go full automation. So my prediction will be we'll find a middle ground. We'll become cyborgs, where human-computer interaction will be the way. Some things that are automated, and some things are integrated, but then we'll have that human-driven - much like we're seeing the adversaries do with human-driven ransomware and whatnot, where they're using tools and techniques, where they automate portions, where they make decisions.
Kevin Magee: I think the promise of SOAR was always it was going to be fully automated and we wouldn't need analysts. I think we're coming to a realization that's not the case. We're going to see technologies like XDR that automate portions using an existing infrastructure we have or different tools we have, but then really just extend the abilities of the analyst in a lot of ways so we can get more value, more work effort out of every analyst 'cause we can't just throw more people at these problems. It's not possible. They don't scale.
Rick Howard: All right, so let's move to another one you have. I thought this was really interesting. I had not considered this, although this has been one of my horror stories since I was a young InfoSec person, you know, back in the day. You mentioned in our prep work that ransomware - we've seen criminals do availability attacks. Like, they encrypt everything, so you can't get access to your data. Or they do a confidentiality attack, where they extort you. They say, we're - if you don't pay us, we're going to release this to the public. So both of those things were going on in the last year. But your third one that you're going to see as more prominent is integrity attack vector. Can you explain what you mean by that?
Kevin Magee: Yeah, I haven't really seen evidence of this yet, but I'm searching for it. It's got to be coming because we see constant innovation in ransomware. It was something they just executed, you know, dropped on your machine, went after a certain amount of money, and if you paid it, great, if you didn't - it was all a volume business.
Kevin Magee: Then it became a very - much more sophisticated business. Specialization started to occur. And then there was competition among cybercriminals, you know, for encrypting systems with one vector. We saw the double-extortion threat vector being used very effectively either for leverage or for additional revenues for the cybercriminal gangs.
Kevin Magee: I see an innovation, at some point, where we look at data integrity, where the threat actor maybe says, hey, I changed a number of blood types in your hospital information system as a ransom vector or whatnot. What really worries me about this is you can tell when your systems are encrypted. They either are, or they aren't. You have access to them. They don't. You can be given a sample document to know if you've been doxxed, or they're either threatening to extort.
Kevin Magee: With integrity attacks, it's going to be very difficult to determine whether they're legitimate or not and to what degree the cyberthreat actors will be able to leverage these types of techniques to build new, innovative ransom scenarios. So this is the type of thinking I'm thinking about. I'm using some game theory approaches, some tabletop and just asking other folks, how can we start thinking about and preparing for attacks like this before the threat actors innovate in this direction?
Rick Howard: The third prediction you made, Kevin, was interesting to me, too. You're - I think you're predicting that the cyber insurance market is going to collapse. Am I exaggerating that? Or what are you saying (laughter)?
Kevin Magee: Well, I don't think that cyber insurance is going to collapse.
Rick Howard: (Laughter).
Kevin Magee: But it's - these renewals are coming up now with a lot of businesses that wrote paper two, three years ago, and it's getting much more expensive. So there is a business imperative now for governments to start taking action to solve some of these cybercriminal problems because they are now business problems.
Kevin Magee: If you can't operate a vehicle without insurance, are you going to be able to operate a business in the future without cyber insurance? These are the type of challenges that policymakers and legislators are going to have to weigh in on. And they have avoided it to this point because it's been sort of on the fringes.
Kevin Magee: It's now starting to impact national security. It's starting to impact the economy in big ways. And, you know, we have relied on mitigating the risk by outsourcing it to a third party, i.e., insurance. I think in a lot of cases, businesses are just not going to be able to afford to write some of these renewals. What are we going to do next?
Kevin Magee: So my prediction is that the rising price of cyber insurance is going to force legislators and policymakers to take some action that maybe they've been holding off in ransomware and maybe some drastic action in the very near future.
Rick Howard: Well, the thing I've been disappointed with in the insurance market is something you and I both agree on, is the - our ability to forecast risk. This is something that cybersecurity people are really bad at. But I - you know, these cyber insurance people, they have all the math people. They understand, you know, predicting when bad things will happen. And they can - they've known how to do this in other areas of our lives, you know, in order to make a profit in that business world.
Rick Howard: I'm really disappointed that they haven't been able to figure this out, that - you know, this is 30 years into cybersecurity. And I've even read some articles this year, this past year, that they've given up on it because their prediction models are so bad. They haven't come up with a way to forecast risk in these areas. I don't know. Are you seeing any of that in your readings?
Kevin Magee: I think the actuarial tables - and I'm not an expert in this area - are comprised of data over, you know, decades. So you think about car safety. You know, there's been some iterations, but - I mean, seatbelts. Then we added airbags and whatnot. But there's enough data, and there's enough people driving cars, and there are enough known situations - intersections, highways and whatnot - that they can control the variables.
Kevin Magee: The problem is with our industry, things change on a dime. You know, when there's a new exploit found or a zero-day, it can really just completely change the threat landscape. And I think it breaks the models of insurance that were built on sort of physical insurance - fires, accidents and whatnot. And it's hard to extrapolate that, and there just isn't enough data.
Kevin Magee: Maybe it's a longer stretch of data or - I don't know what the models will be, but I know it's definitely - the models are not as accurate as they should be, which means prices are driving up, which means that, you know, we're going to have to start looking at a different approach to insurance.
Rick Howard: This is where I push back a bit, too. You and I, we're both students of the game. We've read all the most important cybersecurity risk forecasting books, like "Superforecasting" by Tetlock, "How to Measure Anything in Cybersecurity Risk" by Hubbard and Seiersen and "Measuring and Managing Information Risk: A FAIR Approach" by Freund and Jones. And we know that especially for cybersecurity, we all live in a stochastic world, meaning that there are no concrete answers like an on-off switch, answers to the hard problems like the ones that insurance companies are trying to forecast.
Rick Howard: Like, what are the chances that this specific customer will file a legitimate claim of material impact due to a cyber incident that the insurance company will have to pay out? That calculation doesn't reside in old-fashioned actuarial tables. That data doesn't exist. But you can find the answer in projected probability distributions.
Rick Howard: And scientists have used that technique to solve some of the hardest problems when data was scarce. Turing used probability distributions to crack the Enigma machine. And the scientists at Los Alamos used the technique to build the nuclear bomb. And, Kevin, our favorite author, Neal Stephenson, in his book "Seveneves," writing about rocket ships trying to avoid space debris in orbit, his Neil deGrasse Tyson character says that at a certain point, the math calculation ceases to be Newtonian and is more about probability. In other words, missing debris in space is not about plugging numbers into a math formula and finding the correct course. It's more about calculating the likelihood of missing debris across a distribution of possible courses and making your best guess.
Rick Howard: And I know that makes people uncomfortable, not being able to know the answer. But that method works for complex problems. And cyber insurance is a really complex problem. And I'm just frustrated that the cyber insurance companies haven't figured that out yet.
Kevin Magee: And it may be the government taking action to say, just like you can't operate a vehicle without insurance, you can't get a mortgage for your house without insurance, it becomes ingrained in just how we do business in the future.
Kevin Magee: But my prediction is they no longer can ignore it in the coming year, that government policymakers are going to have to start thinking about this and taking action, or losses are going to be catastrophic to the economy in general and continue to mount. In a time where inflation's rising, the pandemic is causing unemployment and whatnot, this cannot be allowed to continue. So that's my prediction, and I'll likely be wrong at the end of next year. But it'll be interesting to see how it progresses this year.
Rick Howard: I will hold you to it next year, my friend. I think you and I could literally talk about this for the next 17 hours, but let's cut it off there. Is there any prediction you want to make that we haven't covered yet?
Kevin Magee: I just think having read "Ghost Fleet" - the thought exercise at the beginning, the opening. You know, what would a next-generation cyberwar look like? I've become fascinated with satellites as an endpoint, and I'm looking at, what are the new endpoints of the futures? We've - Rick and I have discussed cars - it went on to pass (ph) - satellites, drones, some of these new technologies.
Kevin Magee: At what point do we start to see traditional attacks like ransomware or whatnot used in those spheres? If you were to capture and lock out the GPS satellites or communication satellites, you know, as an attack vector, is that going to be a attack vector we see in the coming year? - because that would be a very ripe target for cybercriminals that have the technical ability to do it. So I foresee satellites, drones and some of these other nontraditional endpoints become threat vectors for not just nation-states, but cybercriminals in the coming year.
Rick Howard: Well, I love that prediction, especially as we expand internet connections out to space. I know there's a couple of companies launching satellites, trying to figure out how to extend the backbone up there. And that's a whole 'nother phase that we haven't even considered. So I'm glad you threw it on this program (laughter). That's a really good one.
Kevin Magee: Maybe it's not "Star Wars," its lasers and light sabers. Maybe it'll be hackers at keyboards fighting the next - or the first space war. I'm not really sure, but...
Rick Howard: Finally, I have a cool job.
Kevin Magee: (Laughter).
Rick Howard: I love it (laughter).
Kevin Magee: But I - yeah, I think we'll take the cyberthreat landscape to space in the coming year.
Rick Howard: All right. Perfect, man. Well, thanks, Kevin. Thanks for coming on the show and giving us your predictions for 2022. And I'll definitely bring you on for the end-of-year show next year so you can see how good you did.
Kevin Magee: Thanks, Rick. Can't wait to see what we get wrong this year and do it again next year.
Rick Howard: Next up is Dave's conversation with Craig Lurey, CTO and co-founder of Keeper Security, our show's sponsor.
Dave Bittner: Before we jump into some predictions here for 2022, let's take a minute and just sort of look back on 2021. I know one of the things that you and your colleagues at Keeper predicted as we went into 2021 was that we were going to see ransomware continue to be an issue here. And I think it's fair to say that you all nailed that one. When you look back on our ransomware situation in 2021, why do you think it was so bad?
Craig Lurey: There's several factors. One of them is that, you know, we have so much technology in our lives now. And, you know, we've got a lot of vulnerabilities in software. And you've got the expansion of that whole surface area. That whole attack surface is just expanding.
Craig Lurey: So we have people working from home. You have - now, instead of being in an office in a physical location, you have people from their houses that are accessing secure assets. And so now you're dealing with devices that are maybe not that secure. Maybe they didn't load your endpoint security. You know, maybe they don't have antivirus. Maybe they're out of date, you know? So now you have management of these potentially old and legacy devices that are now on the internet. Now you're dealing with things like your home-work networking devices.
Craig Lurey: You know, what - you know, when was the last time you thought about deeply what router you have, and is the router software up to date at your house? Or have your kids shared the Wi-Fi password with somebody and, you know, and someone that shouldn't have access has access? So you've just expanded this surface area, this attack surface just so much wider.
Dave Bittner: Yeah. As we head into 2022, what do you suppose people can expect on the ransomware front?
Craig Lurey: Well, I think - I mean, government's cracking down a lot more on it, right? So there's more prevention that's happening. And people are - especially enterprises are starting to deploy more protection for users. They're starting to deploy things like getting rid of traditional VPNs and going with more zero trust models where non-VPN solutions are used to access assets. So I think that while - there is a ton of protection that's going into play there.
Craig Lurey: But also, you know, you see things that happened like last week with, you know, the Log4j vulnerability, things like that that are happening, that are continuing to expand. And I think that you'll see more vulnerabilities like this, that it just - expose services and users as we go on to 2022. I mean, you just - just in the last week, a lot of things have happened (laughter).
Dave Bittner: Yeah, absolutely. I think it's fair to say that that ransomware is here to stay.
Dave Bittner: You know, one of the things that I think really took off in prominence throughout 2021 was zero trust and that sort of coming to the fore as a concept. And lots of organizations are promoting that. Do you think zero trust is here to stay as well?
Craig Lurey: Well, I do because, you know, the language is now kind of everywhere - you know, marketing language, product language. So it's kind of the new buzzwords in cyber. But also, you have government agencies that are now demanding that their software vendors are adhering to zero trust. And that's not just in the U.S. That's around the world. So you have just more awareness of that.
Craig Lurey: You have people fully understanding now that, you know, traditional VPN solutions and trusting the perimeter is really not the way to protect data and to protect applications. So I do think it's here to stay, and I think that you're going to just see more and more products talking about zero trust. You know, you're just going to see that companies and software and decision-makers are going to be - they're going to be making the decision to choose products that are zero trust because they want to get out of that legacy mindset of trusting the perimeter.
Dave Bittner: Do you have any insights for organizations looking to adopt zero trust or increase how much they rely on it? I mean, it's my understanding that zero trust really is a journey, that, you know, it's not just a sort of a switch that you can throw. Is that an accurate perception?
Craig Lurey: Yeah, it is because, you know, it's not like you can just go into a little configuration screen and click the box, you know? So it's the kind of thing where you have to look at all of your assets. You have to look at all of your services. How do people access it? What are your requirements? You know, maybe, you know, zero trust for you means something completely different than someone else.
Craig Lurey: So I think it really just comes out to what services you need your users to access. Where does it need to live? How is it going to be locked down? How is access control configured? You know, what identity provider you're going to use, you know? So really, it comes down to a lot of choices.
Craig Lurey: And I think it's really more of a strategy and just understanding that when you deploy new software or you deploy, like, an identity product that you have to consider that users are not within an enterprise VPN anymore. They're everywhere. And so it's just a lot of decisions for a lot of different products, yeah. So it's not just one little check-the-box sort of thing. It's just a new mindset.
Dave Bittner: Yeah. As we look toward 2022, what sort of recommendations do you have for organizations to prioritize the things that they can do to protect themselves, to - is there a particular order that you put things in?
Craig Lurey: Well, I mean, for us, you know, obviously, we're in the password security space. So we see that as the primary line of defense. You know, protecting your passwords, protecting your secrets, your assets that have access into other parts of your infrastructure is obviously critical. So, you know, we're - you know, we're always leading with that, you know, as being a critical aspect of protecting the organization.
Craig Lurey: And, of course, there's ensuring that you have endpoint protection and you have, you know, cloud-based secure monitoring and endpoint protection of all of your assets - so all of your end users in their homes, all of the physical devices, the mobile devices, you know? So zero trust is going to protect all the different services and, like, you know, target infrastructure and applications and things like that.
Craig Lurey: But if you think about the devices and how the data is protected, you know, the things you have to think about are, how do you protect the secrets, the passwords, the credentials that are being used by the users? And then how do you protect their physical devices using an endpoint protection?
Dave Bittner: You know, if I ask you to look into your crystal ball - which I acknowledge is an unfair thing to do, but (laughter) - but I'm going to do it anyway - what do you suppose we're going to see this coming year in terms of hot trends? Is there anything that you think is going to rise to the top?
Craig Lurey: Yeah. Well, I think that last week was a great indication of what's to come. You know, there's - you know, a huge vulnerability on the internet was released and disclosed with some open-source software. And I think what we're going to see is a lot more research going into vulnerabilities, the low-hanging fruit, you know, things like that. And so I think attackers are going to look for those types of attack vectors.
Craig Lurey: And especially with what happened recently with Log4j and those types of issues where there's potentially massive impact for very small amount of effort, that's what these attackers are going to go after. So I think we're going to see more of that. But at the same time, we're going to see more protection is being put in place and more - hopefully more effort and funding into protecting these open-source assets, things that are being used by enterprises all around the world.
Dave Bittner: As we head into the new year, are you optimistic that we're going to be able to gain some ground on these things?
Craig Lurey: Well, I think so. You know, there's a lot of work being done by white hat hackers, you'd call them, you know, or people that are - the good people doing research work and vulnerability research. So that whole space is expanding. So there's a lot of good people doing research to protect, you know, organizations.
Craig Lurey: But, you know, I think just increased expansion of the good hackers, you know, the white hat hackers and more attention being paid into the utilities and the services that are open-source, especially that are being utilized by most companies around the world - protecting that is going to be something that is going to be critical.
Craig Lurey: And then also, you know, as zero trust products come onto the market, especially around password management like Keeper and secure data management, zero knowledge management of data is critical - you know, who - understanding, where is your data? Is it encrypted? Who's protecting it? What systems do they have in place? What infrastructure are they using, you know? So I think more and more companies are just understanding the need for products like that, and there's a large expansion of these privacy-focused products.
Rick Howard: And that's a wrap. We'd like to thank Kevin Magee, the CSO of Microsoft Canada, and Craig Lurey, the CTO and co-founder of Keeper Security, for being on the show.
Rick Howard: And lastly, we would love to hear from you. If you have any questions about what we covered on this "CyberWire-X" episode or suggestions for topics in future shows, send them to firstname.lastname@example.org.
Rick Howard: "CyberWire-X" is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of Dave Bittner, my co-host, this is Rick Howard signing off. Thanks for listening.