2022: A cybersecurity odyssey

F5 Labs (and friends)

2022 will be eye-catching year for cybersecurity incidents, fallouts, and innovations.

To make sense of it all, F5 Labs assembled a group of solution architects, analysts, engineers, fraud specialists, former law enforcement and intelligence officers – as well as an erstwhile CISO or two. Here’s what they had to say:

Prediction 1: State-sponsored actors will adopt cybercrime toolsets

Well-resourced determined threats, also known as advanced persistent threats (APTs), have previously capitalized on the legwork of cybercriminal gangs.

This year, we expect to see more APTs, specifically state-sponsored actors, modifying known commodity malware strains and using techniques cybercriminals have become famous for, such as setting up command-and-control (C&C) over Telegram messenger.

In other words, the place to look for the newest APT accomplices will be the cutting edge of criminal operations.

Remi Cohen, Senior Threat Intelligence Engineer at F5

Prediction 2: Fintechs will front for collecting credentials

For someone to use the services of a fintech, they need to enable connections between the fintech organization and all of their other financial accounts. This means that they need to hand over usernames and passwords for all relevant accounts. Some fintechs are well established and reputable, whereas others come and go. My prediction? In 2022, we will learn that one or more fintechs were nothing more than a front for a criminal organization established only to collect usernames and passwords.

Dan Woods, Global Head of Intelligence at F5

Prediction 3: The cloud will eat traditional IT

We’re nearing a tipping point where the cloud will become a part of default IT skills.

With multi-cloud becoming the new normal, there will be growing expectations that IT pros have the requisite skills.

Over time, we will see a shift in IT management paradigms in which on-premises ways of working will look more like cloud paradigms. Why not manage your local hardware the same way as the cloud? Most multi-cloud and hybrid tools lean that way, so why use two paradigms to manage your tech?

Raymond Pompon, Director of F5 Labs

Prediction 4: Ransomware will target the rich

As part of the 2021 Application Protection Report, F5 Labs reported that it was more useful to think of ransomware as a monetization strategy rather than as a form of denial-of-service—an alternative to enriching stolen data for later use in digital fraud.

It is only a matter of time before somebody starts targeting the extremely wealthy on their own personal networks. These targets clearly have the means to pay the ransom, and their information systems are often as complex as those of small enterprises. We already know that many ultra-high-net-worth individuals have things to hide about their finances, so it follows that at least some of them might be hesitant to bring in law enforcement in the event of an attack.  

Sander Vinberg, Threat Research Evangelist at F5 Labs

Prediction 5: Cybercrime and cyberwarfare will overlap beyond distinction for defenders

Why do insurance carriers care about cyberwars? Because it’s happening more and more. In 2021, over a hundred incidents fell into this category.

A technology can be used for both good (peaceful) or evil (warfare) means. A good example is the debate around penetration testing tools, used by attacker and defender alike. Remember, all cyberattack tools that can be used for cybercrime can also be used for cyberwarfare, from DDoS to ransomware to cryptominers.

We’ve already seen plenty of state-sponsored attacks, like WannaCry, that come with a side of fraud. If your company gets hit by state-sponsored ransomware, was it an act of war or an act of crime? Or both? For example, with 85% of U.S. critical infrastructure in the hands of civilians, what is a military target and what is not?

Cyberwar or not, it doesn’t matter. The distinction only seems to matter to cyber-insurers and tut-tutting politicians. What can we all do in the face of state-sponsored attacks, war or otherwise? As Éowyn said in J. R. R. Tolkien’s Lord of the Rings, “Those without swords can still die upon them.”

This isn’t really a prediction – it’s already happening and it’s going to get worse. Perhaps it’s better to predict when we will all wake up to it?

Raymond Pompon, Director of F5 Labs

Prediction 6: Organizations will have more key problems

A cryptocurrency exchange recently experienced a theft of $200 million worth of various cryptocurrency tokens after the exchange’s private key was compromised.

At the same time, several new options for more secure key storage became available in 2021 through the provisioning of hardware security modules (HSMs) in the cloud. These tools can be expensive, and they require a lot of infrastructure to ensure they work properly and make keys accessible around the clock.

You can, of course, secure private keys by encrypting the key file and using a passphrase, but as the number of keys you manage increases, this can quickly get out of hand—you can easily end up with a duplicate password scenario.

For enterprises and large organizations, cloud HSM services should look like the only way to go, but I think that it even makes sense for individual power users. However, it’s just a question of whose keys get compromised this year. So, get yourself a secure key storage tool and make sure you’re not one of the compromised.

Peter Scheffler, Senior Solution Architect at F5

Prediction 7: Cybercriminals will act more like businesses

The signs are increasing that specialization and division of labor are intensifying in the attacker community. We have also observed similar signs of specialization and division of labor in the fraud community.

Worryingly, the actors offering these services are beginning to resemble a corporation that employs people with diversified roles and outsources specific activities.

Furthermore, our observations indicate a shift away from specialization within subsets of subgroups in the attacker community—for example, among the Russians or the FIN6 threat group—and toward a generalized market of specialists who will work with nearly anyone.

Today, it is not just individual actors or threat groups making decisions like a business, but the entire attacker landscape coalescing into a mature, capitalist industry composed of businesses that link up with one another as needed.

Sander Vinberg and Remi Cohen

Prediction 8: Supply chain compromises will continue to dog us

The source of supply chain problems in application security are assumptions and impatience. Vetting code is laborious, and the decentralized way we build applications now makes it even more so. If we remember that those ‘other developers’ are just like us—in a hurry and right at the edge of our abilities—we can see the magnitude of the task.

I can guarantee another big third-party vulnerability like Log4Shell or Apache Struts from a few years ago. I just can’t tell you exactly where and when. The only way you can protect yourself is to ensure that you are validating the code, inspecting your application stack, and inventorying your libraries.

Peter Scheffler, Senior Solution Architect at F5