Preparing for the cybersecurity threats that await in 2022
Facing a rapidly changing threats landscape, it’s important for Australian organisations to reflect on the past 12 months to understand how the cybersecurity landscape has changed and how to better prepare for 2022’s threats, writes CrowdStrike’s chief technology officer Michael Sentonas.
At the end of last year, CrowdStrike released its ‘Global Security Attitude Survey’, conducted by independent research firm Vanson Bourne. The survey highlights the complexities of the modern threat landscape Australian businesses are operating in and demonstrates the sophisticated tools, techniques and procedures (TTPs) adversaries use to exploit vulnerabilities.
Companies are dealing with a constant increase in ransomware including different monetisation techniques like double extortion. They are witnessing an increase in supply chain attacks bringing into question their partner relationships; and the amount of vulnerabilities that were discovered and emergency patches required have really stretched already under pressure businesses.
Trust in legacy IT vendors erodes as software supply chain attacks take centre stage
The last 12 months have been a watershed moment for software supply chain vulnerabilities, with recent high profile attacks bringing these threats to the fore. This was echoed in the survey, with almost half (49%) of Australian organisations experiencing a software supply chain attack in the last year.
Amidst pressures to maintain a robust security posture, 55% of Australian organisations are reportedly losing trust in key software suppliers due to cybersecurity concerns—a sentiment that is exacerbated for legacy IT vendors. In fact, 75% of Australian businesses said they were specifically losing trust in vendors like Microsoft due to increasing attacks—more than any other country surveyed.
As a result, we are seeing zero-day vulnerabilities drive stretched security teams into “patch panic” mode as they frantically try to respond to constant critical vulnerabilities that require immediate software updates. This is a real challenge for businesses who not only have to try to keep up with what is quickly becoming ‘zero day Tuesday’, but also have to contend with critical vulnerabilities such as Log4J.
While concerns over software supply chain attacks are top of mind for organisations, unfortunately a majority still aren’t doing enough to protect themselves. Out of all Australian businesses surveyed, less than half (44%) have actively vetted all of their suppliers in the last 12 months.
Ransomware double extortion is fuelling the ‘extortion economy’
The findings from the survey indicate that ransomware attacks continue to be an effective attack vector, with the average ransomware payment made by Australian organisations in 2021 sitting at $2.15 million.
In the past 12 months, 67% of organisations reported being the victim of a ransomware attack, with 79% revealing that they would consider paying a ransom to recover important encrypted data in the event of a software supply chain attack—the highest reported figure in all of Asia Pacific and Japan.
But it doesn’t stop there. A surprising finding of the survey was 93% of Australian organisations who paid a ransom in the last 12 months have also been victims of extortion fees. This involves adversaries demanding ransom for the return of data and additional fees to prevent the data from being leaked or sold to other criminals, essentially a double extortion. Because of this, an entire underground economy is being built around the businesses of data exfiltration and extortion.
Ransomware groups are always looking for ways to monetise their victims, evolving tactics, techniques, and procedures to hone in on their targets to more effectively exfiltrate and sell stolen data. CrowdStrike Threat Intelligence has witnessed this double extortion ransomware model rise in the last 12 months and we expect to see it achieve higher levels of sophistication in 2022.
Australia leads in time-to-detect but remote working remains a hinderance
Encouragingly, the survey found that Australian organisations are ahead of their global counterparts when it comes to how quickly they detect cyber incidents. Globally, respondents estimated it would take 146 hours – or six days – to detect an incident, up from 117 hours in 2020. Once a threat is detected, the survey revealed that it takes organisations 11 hours to triage, investigate, and understand it, and an additional 16 hours to contain and remediate any damage caused.
Almost half (46%) of Australian organisations, however, estimated that they are capable of detecting a cyber incident within a day, with 36% stating it would take them only an hour. This is a positive sign and shows that Australian organisations are taking a proactive approach to mitigating cyber incidents and investing in the necessary tools to quickly detect, understand, and eradicate threats.
However, in light of onset effects from the pandemic, remote working continues to be a challenge for security teams. Trying to initiate incident response when both the team and impacted systems are remote is a complex task. In fact, 80% of Australian organisations who have experienced a cybersecurity incident over the last 12 months cited remote working as the direct cause.
Preparing for what’s to come
With software supply chain attacks, favoured by nation states and criminal groups, on the rise, a growing extortion economy, and the ongoing challenges of remote working; businesses need to ensure they are equipped with a modern and proactive solution to mitigating threats. It's clear that traditional approaches that include legacy security technologies are not keeping up.
With adversaries constantly evolving their tradecraft, Australian businesses need to adapt to leverage the latest cybersecurity techniques in order to defend themselves.
Technology alone will not stop every threat. Proactive threat hunting has become a necessity as adversaries continue to evolve their TTPs, using techniques that go beyond malware. Understanding how cybercriminals are pivoting can be the difference between being hit by ransomware or experiencing significant supply chain disruption and staying ahead of the threat curve in 2022.