Securonix Executives: Ransomware, XDR and MDR Evolve in 2021

This is part of an ongoing 2021 predictions series. We’ve asked top cyber experts to contribute their insights and expertise to provide a look ahead at what the new year may bring to cybersecurity.

Augusto Barros, VP of Solutions, Securonix

Ransomware cases will become more complex and hit big enterprises. We've seen in 2020 cases where ransomware caused major disruption to organizations' services, such as Garmin, and also cases where the attack moved from a purely malware-driven attack to an advanced threat scenario including human factors such as insider cooperation, such as Tesla. Criminals will keep expanding on the threat vectors used and move to more complex scenarios beyond simple malware automated attacks.

Remote workforce attacks will become even more noticeable. Organizations moved quickly to remote work situations in response to the COVID-19 pandemic. The rushed move greatly expanded the threat surface of all organizations, and attackers will continue to exploit that as a new vector for their campaigns.

XDR will skyrocket as it proves enterprise need. XDR will keep growing in adoption and buzz as organizations look for a way to cover an expanding threat landscape and keep complexity and operational overhead under control. Many will realize the complexity reduction and operational gains will not fully materialize as additional solutions to compensate for the lack of flexibility and threat coverage will need to be added.

MDR services will keep evolving beyond EDR based offerings. As organizations adopt more cloud services and expand their endpoint profile to IoT and mobile devices, the need to leverage security services that work even when an agent cannot be deployed will push MDR providers to evolve their offerings to integrate other technologies. The number of MDR providers adopting SIEM, UEBA and SOAR solutions in their backend will grow as part of this evolution.

SaaS solutions will rise in adoption. More organizations will move their security tools to the cloud. Organization-wide cloud first initiatives are putting pressure on security groups to also move their tools to the cloud. As these initiatives move forward, data gravity will force solutions that require the collection of massive data volumes from infrastructure and applications to move closer to the data sources.

Cloud and traditional hybrid threats will expand. As organizations expand their footprint into the cloud, more threat scenarios will persist where the compromise of cloud assets lead to the compromise of on-prem resources and vice-versa.. Organizations will see their cloud resources hijacked through users having their workstations in the corporate network compromised and cloud credentials stolen there. Others will see cloud-based applications being compromised and used as bridgeheads to reach on-prem sensitive systems such as corporate databases. Oleg Kolesnikov, VP of Threat Research, Securonix

New attack vectors and techniques used by ransomware in addition to the double extortion schemes to “up the ante,” including more Ransomware-in-the-Cloud (RIC) and “Shadow IT” vectors. Expanding on the current double-extortion ransomware approaches, there will be an increase in the use of new attack vectors to deploy ransomware payloads, including more RIC and Shadow IT vectors, in an attempt to “up the ante” and increase the chances of ransom payments. This is a continuation of the trend we’ve been observing for some time with malicious threat actors deploying ransomware payloads to move up the supply chain to amplify the impact using additional attack vectors, including Cloud, ranging from targeting Managed Security Providers (MSPs) to Cloud Providers to Data Center and national Healthcare Services providers.

MFA Bypass, Phishing, and Social Engineering attacks will become more believable, automated, and targeted. In an attempt to adapt to the evolved anti-phishing defenses, attackers will continue to move beyond the trivial phishing schemes to more multi-stage attacks involving increased automation and intelligent telemetry-based phishing. In some cases, this involves multiple rounds of active probing to identify the types of anti-phishing mechanisms and baits that are deployed to effectively bypass defenses.

More attack techniques targeting “grey areas” and common enterprise blindspots such as SSL termination/TLSv1.3 monitoring. Attackers will be increasingly blending in with legitimate enterprise activity, including both applications and user activity, and network activity associated with privacy-protected protocols and technologies, such as TLS v1.3 to evade both network-based and endpoint-based defenses more effectively.


###