In summer 2017, on the heels of the WannaCry campaign, we made a series of predictions about the future of web attacks. These predictions were primarily oriented toward emerging capabilities of the most sophisticated attackers. The fact that, in the intervening years, most web attacks remain unsophisticated and imitative has only masked the growth in sophistication and capability among elite attackers—until now.
As details trickle in about the recent state-sponsored UNC2452/SUNBURST attack campaign against public- and private-sector targets in the United States using the SolarWinds Orion product, it is clear that sophisticated state-sponsored attackers have combined tradecraft, ingenuity, and patience to accomplish something historic. One of the things that stands out to us is the use of a novel, domestically hosted command-and-control domain to help avoid detection—just as we predicted when the U.S. government’s exploitation techniques were first stolen.[1]
Meanwhile, in April 2020, as the effects of the COVID-19 pandemic started to pinch on a mass scale, we made some predictions about what the pandemic would mean for cybersecurity, and how the rest of the year would unfold for IT and security staff. One of those predictions was a proliferation of new tech startups, as newly unemployed workers took the opportunity to pursue ideas now that they were freed from the golden handcuffs of a steady job. Indeed, the 2020 startup boom we predicted has materialized.[2]
And so, instead of retiring from the prediction game undefeated, we’re unwisely following these predictions with more. Here are our prognostications for cybersecurity in 2021, based on the trends in attack, defense, and business models that F5 Labs has measured and documented—with the unfortunate caveat that the entire SolarWinds scenario has thrown everything into disarray.
Prediction 1: The confluence of legitimate mail and phishing will ruin email
Phishing is a growing problem. The 2019 Application Protection Report found that at least 15% of the confirmed breaches in the United States in 2019 were directly attributable to phishing. The 2020 Phishing and Fraud Report found a 15% annual increase in phishing attacks in 2020 as well as an increase in phishing domains using HTTPS and sophisticated URLs.
If current trends continue, phishing is going to compromise users’ trust in email to the point that it will essentially render email useless. However, the trend that stands to make phishing so damaging isn’t an attacker tactic at all, but a business trend. It is harder to distinguish phishing emails from real ones, not because phishes look like real emails, but because real emails increasingly look like phishes.
The growth in outsourced customer services like content delivery networks and satisfaction surveys means that many of the emails we get from trusted organizations don’t come from trusted domains. Paired with the widespread sales of user data for marketing purposes, the result is that we are inundated with nonmalicious but opaque emails that, at scale, make email nearly worthless. Take, for example, a survey request I received in October 2020. The organization ultimately responsible for the mail, a well-known security vendor, is not represented in the link at all. The email offers a $10 Amazon gift card in exchange for following this mess: https://b2b-surveys.mautic[.]net/r/a8aeed6a9ce6984171b49417b?ct=YTo1OntzOjY6InNvdXJjZSI7YToyOntpOjA7czoxNDoiY2FtcGFpZ24uZXZlbnQiO2k6MTtpOjI2NjA7fXM6NToiZW1haW4iO2k6MTg4O3M6NDoic3RhdCI7czoyMjoiNWY5OThkODg5ZWI5OTE0MTczNjczMSI7czo0OiJsZWFkIjtzOjY6IjkyNTg1MSI7czo3OiJjaGFubmVsIjthOjE6e3M6NToiZW1haWwiO2k6MTg4O412&. No clear-headed person would click on that link in exchange for $10.
As attackers learn to use Transport Layer Security and fix typos and grammar before they launch phishing campaigns, the security field has begun to train users to examine domains and certificates to vet an email. At the same time, business models have resulted in a proliferation of mail that is practically indistinguishable from a phish. We are not far now from a future in which it will be impossible for a user to read unsolicited email and follow security awareness training at the same time. If businesses want to continue to use email for marketing and sales, they need to change their marketing and sales practices. At present we are literally training our users to act like phish bait, and that—not any new attacker ideas—is what will make phishing dangerous in 2021. Sander Vinberg
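As an added illustration (not code from the F5 Labs article): the link checks that awareness training teaches, applied to the survey URL quoted above, show that this legitimate marketing email trips every heuristic a trained user is told to apply. The brand domain is a placeholder because the article does not name the vendor; decoding the `ct` parameter shows it is PHP-style serialized campaign metadata rather than random noise.

```python
"""Added example, not code from the F5 Labs article: apply the link checks
awareness training teaches ("does the domain belong to the sender's brand?",
"can a human read the link?") to the survey URL quoted in the text."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

BRAND_DOMAIN = "wellknown-vendor.example"  # placeholder; the article does not name the sender

# The survey link exactly as quoted in the article, still defanged with "[.]".
SURVEY_LINK = (
    "https://b2b-surveys.mautic[.]net/r/a8aeed6a9ce6984171b49417b?ct="
    "YTo1OntzOjY6InNvdXJjZSI7YToyOntpOjA7czoxNDoiY2FtcGFpZ24uZXZlbnQi"
    "O2k6MTtpOjI2NjA7fXM6NToiZW1haW4iO2k6MTg4O3M6NDoic3RhdCI7czoyMjoi"
    "NWY5OThkODg5ZWI5OTE0MTczNjczMSI7czo0OiJsZWFkIjtzOjY6IjkyNTg1MSI7"
    "czo3OiJjaGFubmVsIjthOjE6e3M6NToiZW1haWwiO2k6MTg4O412&"
)

def registrable_domain(host: str) -> str:
    """Last two labels: fine for .net/.com, too naive for suffixes like co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def decode_tracking_token(link: str, param: str = "ct") -> str:
    """Base64-decode the tracking parameter far enough to see what it carries.
    The quoted value is cut off, so only whole 4-character groups are decoded."""
    token = parse_qs(urlsplit(link.replace("[.]", ".")).query)[param][0]
    raw = base64.b64decode(token[: len(token) // 4 * 4])
    return raw.decode("utf-8", errors="replace")

def link_red_flags(link: str, brand_domain: str) -> list:
    """Return the reasons a trained user would treat this link as a phish."""
    url = urlsplit(link.replace("[.]", "."))  # refang only so the parser accepts the host
    flags = []
    domain = registrable_domain(url.hostname or "")
    if domain != brand_domain.lower():
        flags.append(f"domain {domain} is not the sender's {brand_domain}")
    if re.fullmatch(r"/r/[0-9a-f]{16,}", url.path):
        flags.append("path is an unreadable hex identifier")
    for name, values in parse_qs(url.query).items():
        for value in values:
            if len(value) >= 40 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
                flags.append(f"parameter {name} is an opaque {len(value)}-char token")
    return flags

if __name__ == "__main__":
    for flag in link_red_flags(SURVEY_LINK, BRAND_DOMAIN):
        print("flag:", flag)
    # The token is not random: it is serialized campaign/lead metadata.
    print("ct decodes to:", decode_tracking_token(SURVEY_LINK)[:48])
```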
Prediction 2: Pandemic changes will increase the efficiency and prevalence of currently known attacks
The global COVID-19 pandemic is changing how many of us do things, in ways that are still coming to light. Retail sectors that previously paid little attention to online ordering and delivery are having to rapidly spin up new e-tail operations, and a number of new companies are emerging to fill in the gaps. To enable critical business activities, companies are having to deploy remote access solutions to undersecured home networks and allow greater leniency when it comes to access control.
Both of these trends expand the opportunities available to threat actors: they create targets that hold a great deal of information and money and that, in the rush to market or to deployment, may be less than well secured.
Due to these trends, we expect to see a major uptick in breaches and stolen credentials as well as fraud targeting things like gift cards. Additionally, we anticipate more malware landing on home systems and the development of large IoT botnets, as attackers use these new opportunities to find ways to exploit undersecured home networks. Malcolm Heath
Prediction 3: Increased use of alternative social media and chat apps will provide new opportunities for malware campaigns
The last few years have seen a number of new developments in terms of social media applications. Several large chat platforms, ranging from Signal to Slack to Discord, have exploded in popularity. A plethora of screensharing tools, such as Zoom and Microsoft Teams, has become critical for both business and pleasure. Bespoke software for telemedicine enabled care to continue during the COVID-19 pandemic. As the social media industry strengthened its position on what it allows on its platforms, we saw a sudden increase in alternative social media platforms like Parler. We expect these tools to be the conduit for at least one major malware or phishing campaign. Weaponized viral content distributed via undermoderated platforms targeting less savvy users is a potent combination, and we’d be surprised if malware actors don’t seize this opportunity. Malcolm Heath
Prediction 4: The failure of vulnerability management will make software providers realize they need to rewrite old code—but most won’t do it
If we are frank, vulnerability management on the web is a failure. Even when they are not exploiting zero-day vulnerabilities, attackers rapidly weaponize critical vulnerabilities by publishing proof-of-concept code as quickly as two hours after a vulnerability is released. Meanwhile, on the defensive side, it takes an average of 100 days for organizations to patch a critical vulnerability. And vulnerabilities targeted in attack campaigns (typically critical remote code execution vulnerabilities) exist for an average of 2.1 years before being patched. When FireEye’s attack tools were compromised as part of the UNC2452 campaign, it cast yet another spotlight on critical vulnerabilities with known exploits. The enormous gap in time between attacker targeting and defensive remediation gives attackers enormous advantages. The industry needs fundamental change. Simply saying “just do a better job patching,” when that has always been the desire, is frankly crazy.