Rundown of the Top 15 Cybersecurity Threats of 2019-2020
Every year the European Union Agency for Cybersecurity (ENISA) releases a series of reports itemizing the top cybersecurity threats of the past year. As part of a cybersecurity risk assessment, reports like these are invaluable because they tell us how best to allocate security resources.
In our office, I wanted to organize some of our thinking around the threats identified in the ENISA report.
Me: Hi. I need a rundown of the top threats in the most recent ENISA report, can you get that to me?
Jim: Sure!
Me: Yeah.
Jim: Okay.
One of the biggest developments over the year was the marked increase in employees working from home all over the world. The ability to do this was a major component in our economy’s ability to persevere despite brick-and-mortar shutdowns. While staff worked from home, cybersecurity specialists had to adapt existing defenses to new infrastructure, particularly where the entry points were employees’ home networks and devices. In other words, while cybersecurity frameworks have spent the last decade trying to bring employee devices under management, suddenly the world’s banks, insurance carriers and industrial conglomerates were being run off employees’ unprotected home networks.
The landscape was changing quickly, so I needed to get this information out to our clients asap…
Jim: When did you need that rundown by?
Me: As soon as possible.
Jim: Okay.
Me: Just get it right.
Jim: Yeah. Gotcha. Of course. I’m gonna dive in. To the rundown. I’ll be exhausted ’cause it’s like a triathlon. [At door.] Do you want to close this? Close, or keep it?
Fortunately, ENISA provided a summary that would make this rundown easier to explain, with ten main trends in the threat landscape over the last year:
The attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation.
There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
Finely targeted and persistent attacks on high-value data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors.
Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft.
The motivation behind the majority of cyber-attacks is still financial.
Ransomware remains widespread with costly consequences to many organizations.
Still many cybersecurity incidents go unnoticed or take a long time to be detected.
With more security automation, organizations will invest more in preparedness, using Cyber Threat Intelligence as their main capability.
The number of phishing victims continues to grow since it exploits the human dimension, the weakest link.
Jim: Hey dude, you know what a “rundown” is?
Oscar: Use it in a sentence.
Jim: “Uh, can you get this rundown for me?” [impersonating me]
Oscar: Try another sentence.
Jim: “This rundown better be really good”?
Oscar: I don’t know but it sounds like the rundown is really important.
Jim: He asked me to do this rundown of the Enisa Top 15.
Oscar: Why don’t you just ask him–
Jim: No. I can’t. It was like, hours ago.
Oscar: What have you been doing?
Kevin: Try it in another sentence.
Because of the increased complexity of cyber threats worldwide, assessments like these are becoming more and more important for businesses trying to address the most likely cyber threats. They are becoming more costly, and in some cases harder to prevent. So I wanted my best people to gather the data and report back with a rundown of the biggest threats.
Me: You started on that rundown yet? [Looks at Jim’s screen.]
Jim: Oh, this is just something I’m taking a break with.
Me: Oh.
Jim: I will get back to the rundown, uh, right now.
Me: Okay, great.
Jim: Hey you know what? Do you have a rundown that I could take a look at, just so I know what type of rundown you’re looking for?
Me: Just keep it simple.
Jim: Keeping it simple. That’s what I’m doing. But I am working hard on this one. Real hard.
Me: You’re working hard? On this?
Jim: No. Not too hard. Not harder than I should.
After a short delay as we determined the best way to present this information, we were able to assemble ENISA’s Top 15 cybersecurity threats, with executive summaries for each topic. Enjoy!
ENISA’s Top 15 Security Threats
Malware
Malware is a common type of cyber-attack in the form of malicious software. Families of malware include cryptominers, viruses, ransomware, worms and spyware. Its common objectives are information or identity theft, espionage and service disruption.
During 2019, cryptominers were one of the most prevalent malware families in the threat landscape, resulting in high IT costs, increased electricity consumption and reduced employee productivity. Ransomware showed a slight increase in 2019 compared with 2018, though it still remained at the bottom of the malware type list.
Web and e-mail protocols were the most common initial attack vectors used to spread malware. However, using brute force techniques or exploiting system vulnerabilities, certain malware families were able to spread even further inside a network. Although global detections of attacks have remained at the previous year’s levels, there was a noticeable shift from consumer to business targets.
Web-based Attacks
Web-based attacks are an attractive method by which threat actors can deceive victims, using web systems and services as the threat vector. This covers a vast attack surface: for instance, malicious URLs or scripts that direct the victim to a chosen website or download malicious content (watering hole attacks, drive-by attacks), and malicious code injected into a legitimate but compromised website to steal information (e.g. formjacking) for financial gain, information theft or even extortion via ransomware. In addition to these examples, browser exploits and content management system (CMS) compromises are important vectors that various research teams have observed being used by malicious actors.
Brute-force attacks, for example, work by submitting large numbers of username and password guesses against a login form or API until one succeeds; the sheer volume of attempts can also degrade availability. Web-based attacks can thus affect the availability of web sites, applications and application programming interfaces (APIs) as well as breaching the confidentiality and integrity of data.
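To make the brute-force pattern concrete, here is an added Python example (not from the ENISA report or this write-up) that flags sources producing many failed logins within a short sliding window. The log format and the sample lines are constructed for the example; the threshold and window size are tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a generic web-login log format (not from any real system).
SAMPLE_LOG = """\
2019-11-04T10:00:01Z login_failed user=alice src=198.51.100.7
2019-11-04T10:00:02Z login_failed user=bob src=198.51.100.7
2019-11-04T10:00:03Z login_failed user=carol src=198.51.100.7
2019-11-04T10:00:04Z login_failed user=dave src=198.51.100.7
2019-11-04T10:00:05Z login_failed user=erin src=198.51.100.7
2019-11-04T10:00:06Z login_failed user=frank src=198.51.100.7
2019-11-04T10:00:09Z login_ok user=alice src=203.0.113.5
2019-11-04T10:01:10Z login_failed user=alice src=192.0.2.10
2019-11-04T10:20:00Z login_failed user=alice src=192.0.2.10
2019-11-04T10:40:00Z login_failed user=alice src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn log lines into (timestamp, event, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: (failure_count, distinct_users)} for every source that produced
    at least `threshold` failed logins inside some sliding `window`."""
    failures = defaultdict(list)          # src -> [(ts, user), ...] in time order
    for ts, event, user, src in sorted(events):
        if event == "login_failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until attempts[start..end] fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in attempts[start:end + 1]}
                alerts[src] = (count, len(users))   # keep the largest window seen
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(parse(SAMPLE_LOG)))
```

The second element of each alert tuple matters for triage: many failures against many distinct users from one source is the signature of credential stuffing or password spraying (the "massively distributed attacks ... such as credential theft" trend above), whereas many failures against a single account is a classic brute force on that account. The slow, spread-out attempts from 192.0.2.10 in the sample never trip the window and are left for a longer-horizon rule.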
Phishing
Phishing is the fraudulent attempt to steal user data such as login credentials, credit card information, or even money using social engineering techniques. This type of attack is usually launched through e-mail messages, appearing to be sent from a reputable source, with the intention of persuading the user to open a malicious attachment or follow a fraudulent URL. A targeted form of phishing called ‘spear phishing’ relies on upfront research on the victims so that the scam appears more authentic, thereby, making it one of the most successful types of attack on enterprises’ networks.
An emotional response justifies many people’s actions when they are phished, and that is exactly what attackers count on. In a training context, that pressure is what a phishing simulation should try to reproduce. Training e-mail users is one of the most commonly used preventive measures, but results are not convincing since threat actors constantly change their modus operandi. The Domain-based Message Authentication, Reporting and Conformance (DMARC) standard lets a domain owner instruct receiving mail servers to quarantine or reject messages that fail SPF or DKIM alignment for that domain, which diminishes the success rate of spoofing, phishing and spam that impersonate the domain itself; it offers no protection against lookalike domains or against mail sent from compromised legitimate accounts.
E-mail remains the number one mechanism for phishing, but probably not for long. We are already seeing an increase in the use of social media messaging, WhatsApp and others to conduct attacks. The most relevant change will be in the methods used to send the messages, which will become more sophisticated with the adoption of adversarial Artificial Intelligence (AI) to prepare and send them. Phishing and spear phishing are also major attack vectors for other threats such as unintentional insider threats.
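As an added example (not part of the original page or the ENISA report), the following Python shows what a receiving mail server does with a DMARC record: parse the tags, check whether the SPF or DKIM result is aligned with the From domain, and return the published disposition when neither aligns. The record, domains and authentication results are constructed; the organizational-domain check is a deliberate simplification that ignores the Public Suffix List.

```python
# Constructed record for example.com; the rua= address is a placeholder.
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict and apply RFC 7489 defaults.
    Raises ValueError if the record is not a DMARC1 record or lacks p=."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational domain.
    # A real implementation consults the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM pass exists, otherwise the
    policy action from the From domain's record: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # Legitimate mail: SPF passes for a subdomain, relaxed alignment accepts it.
    print(dmarc_disposition(EXAMPLE_RECORD, "example.com", "pass", "mail.example.com", "fail", None))
    # Spoofed From header: SPF passes only for the attacker's own sending domain.
    print(dmarc_disposition(EXAMPLE_RECORD, "example.com", "pass", "attacker.example", "fail", None))
```

Two things worth noticing. First, the receiver looks up the record of the domain in the From header, so a domain the attacker registers and controls (example.net stands in for it in the test below), with its own SPF and DKIM in place, passes DMARC cleanly; DMARC stops your domain being spoofed, not phishing in general. Second, a record published with p=none yields "none" even for a blatant spoof: the policy only bites once the owner moves to quarantine or reject.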
Web application attacks
Web applications and technologies have become a core part of the internet by taking on different uses and functionalities. The growing complexity of web applications and the breadth of the services they expose make them hard to secure against threats with motivations ranging from financial or reputational damage to the theft of critical or personal information. Web services and applications depend mostly on databases to store or deliver the required information, and SQL injection (SQLi) is the best-known and most common attack against such services: input that the application concatenates into a query is interpreted as SQL rather than as data. Cross-site scripting (XSS) is another example. Here the malicious actor abuses weaknesses in forms or other input handling so that attacker-supplied script is rendered into pages and runs in other users’ browsers, which can in turn lead to the user being redirected to a malicious website.
While organizations are becoming more proficient and building more consistent automation into their web application lifecycle, they are also demanding security as the most crucial part of their offering and prioritization. This introduction of complex environments drives the adoption of new services such as Application Programming Interfaces (APIs), which create new challenges for web application security and require the organizations involved to consider more prevention and detection measures. For instance, roughly 80% of organizations adopting APIs deployed controls on their ingress traffic.
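As an added example (not from the ENISA text or this write-up), the following Python puts the two injection classes named above side by side: a login check that builds its SQL with string formatting next to one that binds parameters, and an HTML rendering function with and without output escaping. The in-memory database, the users and the payload are constructed for the demo.

```python
import html
import sqlite3

def make_db():
    """In-memory demo database. Passwords are stored in clear only to keep the
    example short; a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The query text is assembled from user input, so input can change the
    # query's structure instead of being treated as a value.
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Bound parameters are sent as data; the SQL grammar is fixed before any
    # input is seen, so no value can add or remove clauses.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Classic tautology payload: turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
SQLI_PAYLOAD = "' OR '1'='1"

def render_greeting_vulnerable(name):
    # Untrusted input placed straight into HTML: a <script> tag in `name` executes.
    return f"<p>Hello, {name}!</p>"

def render_greeting_safe(name):
    # html.escape turns <, >, &, " and ' into entities, so the input stays text.
    return f"<p>Hello, {html.escape(name)}!</p>"

XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, "alice", SQLI_PAYLOAD))
    print("parameterised login with payload:", login_safe(db, "alice", SQLI_PAYLOAD))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

Note that the safe login does not reject the payload; it simply looks for a user whose password literally is `' OR '1'='1`, finds none, and returns False. That is the point of parameterisation: no input validation is needed for the query to stay intact. Escaping for XSS has the same character, but it is context-specific; the `html.escape` call is right for text inside an element and would not be sufficient inside a `<script>` block or an event-handler attribute.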
Spam
The first spam message was sent in 1978 by a marketing manager to 393 people via ARPANET. It was an advertising campaign for a new product from the company he worked for, the Digital Equipment Corporation. For those first 393 spammed people it was as annoying as it would be today, regardless of the novelty of the idea. Receiving spam is an inconvenience, but it may also create an opportunity for a malicious actor to steal personal information or install malware. Spam consists of sending unsolicited messages in bulk. It is considered a cybersecurity threat when used as an attack vector to distribute or enable other threats.
Another noteworthy aspect is how spam may sometimes be confused or misclassified as a phishing campaign. The main difference between the two is the fact that phishing is a targeted action using social engineering tactics, actively aiming to steal users’ data. In contrast spam is a tactic for sending unsolicited e-mails to a bulk list. Phishing campaigns can use spam tactics to distribute messages while spam can link the user to a compromised website to install malware and steal personal data.
Spam campaigns, during these last 41 years have taken advantage of many popular global social and sports events such as UEFA Europa League Final, US Open, among others. Even so, nothing compared with the spam activity seen this year with the COVID-19 pandemic.
Denial of service
Distributed Denial of Service (DDoS) attacks occur when users of a system or service are prevented from accessing the relevant information, services or other resources. This is achieved by exhausting the service’s resources or overloading components of the network infrastructure. Malicious actors increased the number of attacks by targeting more sectors with different motives. While defense mechanisms and strategies are becoming more robust, malicious actors are also advancing their technical skills. Reports suggest that the use of reflected and amplified attack techniques has increased, with new vectors appearing alongside the commonly known ones (UDP amplification etc.). Malicious actors are also improving their commercial tactics by advertising their services on the open web. Historically, DDoS services were advertised in dark web forums, but now they are promoted on common social media channels such as YouTube and Reddit.
In 2019, we saw new entries in the top 10 list of source countries generating DDoS traffic (Hong Kong, South Africa, etc.). It was also a year that saw an increase in DDoS activity by botnets. IoT devices are a ‘hotbed’ for DDoS botnets, and China (24%), Brazil (9%) and Iran (6%) were considered the countries most infected with botnet agents. A security researcher predicted that the rollout of 5G networks will exponentially increase the number of connected devices, and hence the size of botnets.
Although DoS attacks are not new to cybersecurity and network defenders, their level of sophistication is increasing, and malicious actors are observed to be actively running more reconnaissance activities than before.
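Reflection and amplification attacks leave a recognizable shape in flow data: one victim, many reflectors, all replying from the same well-known UDP service port with large packets. The Python below is an added example (not from the ENISA report or this write-up) that flags that shape in constructed flow records; the service-port table and the thresholds are assumptions to be tuned for a given network.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors (source port of the reflected reply).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

# Constructed flow records: (src, sport, dst, dport, proto, packets, bytes). Not real traffic.
FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.50", 44321, "udp", 40, 56000),
    ("198.51.100.11", 11211, "203.0.113.50", 44321, "udp", 38, 53200),
    ("198.51.100.12", 11211, "203.0.113.50", 44321, "udp", 45, 63000),
    ("198.51.100.13", 11211, "203.0.113.50", 44321, "udp", 42, 58800),
    ("198.51.100.14", 11211, "203.0.113.50", 44321, "udp", 39, 54600),
    ("192.0.2.53", 53, "203.0.113.77", 51000, "udp", 3, 300),      # ordinary DNS answers
    ("192.0.2.54", 53, "203.0.113.77", 51001, "udp", 2, 180),
    ("192.0.2.9", 443, "203.0.113.77", 52000, "tcp", 200, 250000), # ordinary HTTPS
]

def detect_amplification(flows, min_sources=5, min_avg_bytes=1000):
    """Group inbound UDP flows by (destination, reflector service) and flag a pair
    when many distinct reflectors send large packets to the same destination.
    Returns a list of alert dicts, one per flagged (victim, service)."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, packets, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue                      # only replies from known reflector services
        g = groups[(dst, AMPLIFIER_PORTS[sport])]
        g["sources"].add(src)
        g["packets"] += packets
        g["bytes"] += nbytes
    alerts = []
    for (victim, service), g in groups.items():
        avg = g["bytes"] / g["packets"] if g["packets"] else 0
        # Small replies from a couple of resolvers are normal; many reflectors
        # sending near-MTU packets to one host are not.
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts.append({"victim": victim, "service": service,
                           "reflectors": len(g["sources"]),
                           "avg_packet_bytes": round(avg)})
    return alerts

if __name__ == "__main__":
    for alert in detect_amplification(FLOWS):
        print(alert)
```

The average packet size is what separates an amplification flood from legitimate use of the same service: a DNS answer is usually well under 500 bytes, while memcached and NTP monlist replies fill the packet. Seen from the reflector's side rather than the victim's, the same records with the source and destination swapped are the evidence that your own server is being used as an amplifier, which is the check a network operator should run on their own egress.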
Identity theft
Identity theft or identity fraud is the illicit use of a victim’s personally identifiable information (PII) by an impostor to impersonate that person and gain a financial advantage or other benefits.
According to an annual security report, at least 900 international cases of identity theft or identity-related crimes were detected. The most significant incidents reported were:
the exposure of nearly 106 million American and Canadian bank customers’ personal information from the Capital One data breach incident in March 2019;
the exposure of 170 million usernames and passwords used by digital game developer Zynga in September 2019;
the stealing of 20 million accounts from the British audio streaming service Mixcloud;
the compromise of 600,000 drivers and 57 million users personal information from Uber’s data breach incident in November 2019;
and the theft of 9 million personal records from EasyJet customers including identity cards and credit cards.
The identity theft trend is largely reflected in data breaches: 2019 saw a record 3,800 publicly disclosed cases and 4.1 billion records exposed, a 54% increase in the number of reported breaches compared with 2018.
Data breaches
A data breach is a type of cybersecurity incident in which information (or part of an information system) is accessed without the right authorization, typically with malicious intent, leading to the potential loss or misuse of that information. It also includes ‘human error’ that often happens during the configuration and deployment of certain services and systems, and may result in unintentional exposure of data.
In many cases, companies or organizations are not aware of a data breach happening in their environment because of the sophistication of the attack and sometimes the lack of visibility and classification in their information system. Based on research, it takes approximately 206 days to identify a data breach in an organization. Thus, the time to contain, remediate and recover the data means that it takes longer to return to normal.
Despite all the risks involved, organizations keep ever more data in cloud storage infrastructures and complex on-premises environments. These environments are gradually more exposed to new and different risks, in proportion to the sensitivity of the information stored. It comes as no surprise that the number of data breaches increased in 2019 and 2020. New findings also suggest that the impact is not felt exclusively when a data breach is discovered: the financial impact can persist for more than 2 years after the initial incident.
Insider threat
An insider threat is an action that may result in an incident, performed by someone or a group of people affiliated with or working for the potential victim. There are several patterns associated with threats from the inside. A well-known insider threat pattern (also known as ‘privilege misuse’) occurs when outsiders collaborate with internal actors to gain unapproved access to assets. Insiders may cause harm unintentionally through carelessness or because of a lack of knowledge. Since these insiders often enjoy trust and privileges, as well as knowledge of the organizational policies, processes and procedures of the organization, it is difficult to distinguish between legitimate, malicious and erroneous access to applications, data and systems.
The five types of insider threat can be defined according to their rationales and objectives:
the careless workers who mishandle data, break use policies and install unauthorized applications;
the inside agents who steal information on behalf of outsiders;
the disgruntled employees who seek to harm their organization;
the malicious insiders who use existing privileges to steal information for personal gain;
the feckless third parties who compromise security through negligence, misuse or malicious access to or use of an asset.
All five types of insider threats should be continuously studied, as acknowledging their existence and their modus operandi should define the organization’s strategy for security and data protection.
Botnets
A botnet is a network of connected devices infected by bot malware. These devices are typically used by malicious actors to conduct Distributed Denial of Service (DDoS) attacks. Operating in a peer-to-peer (P2P) mode or from a Command and Control (C2) center, botnets are remotely controlled by a malicious actor to operate in a synchronized way to obtain a certain result.
Technological advancements in distributed computing and automation have created an opportunity for malicious actors to explore new techniques and improve their tools and attack methods. Thanks to this, botnets operate in much more distributed and automated ways and are available from self-service and ready-to-use providers.
Malicious bots, referred to as ‘bad bots’, are constantly evolving, and both the operators’ skill sets and the bots themselves are becoming highly specialized, for instance in defeating particular defense providers or in evasion techniques. From a different perspective, botnets provide a vector for cyber-criminals to launch various operations, from e-banking fraud to ransomware, cryptocurrency mining and DDoS attacks.
Physical manipulation, damage, theft and loss
Physical tampering, damage, theft and loss have changed drastically in the past few years. The integrity of devices is vital for technology to become mobile and for most implementations of the Internet of Things (IoT). IoT can enhance physical security with more advanced and complex solutions: IP-based security systems with smart sensors, Wi-Fi cameras, smart security lighting, drones and electronic locks can provide surveillance data that are evaluated by Artificial Intelligence (AI) and Machine Learning (ML) mechanisms to identify threats and respond with minimum delay and maximum accuracy. However, intelligent buildings, mobile devices and smart wearables can themselves be exploited to bypass physical security measures.
In 2019, ATM and POS related physical attacks continued in Europe and worldwide, but the resulting losses were lower than the average over the past decade. The good news is that the companies, IT managers and decision makers are leaning towards hybrid cyber and physical security plans, although in the past physical security was not a priority.
Information leakage
A data breach occurs when data for which an organization is responsible is subject to a security incident resulting in a breach of confidentiality, availability or integrity. A data breach frequently causes an information leakage, which is one of the major cyber threats, covering a wide variety of compromised information, from personally identifiable information (PII) and financial data stored in IT infrastructures to personal health information (PHI) kept in healthcare providers’ repositories.
When security breaches are encountered in the headlines of bulletins, blogs, newspapers, and technical reports, the focus is mostly either on adversaries or on the catastrophic failure of the cyber-defense processes and techniques. Nevertheless, the indisputable truth is that, despite the impact or scope of such an event, the breach is usually caused by an individual’s action or by an organizational process failure.
Ransomware
Ransomware has become a popular weapon in the hands of malicious actors who try to harm governments, businesses and individuals on a daily basis. The ransomware victim may suffer economic losses either by paying the ransom demanded or by paying the cost of recovering from the loss if they do not comply with the attacker’s demands. In a 2019 incident, Baltimore, Maryland suffered a lockout, and recovery is expected to cost US $18.2 million (ca. €15.4 million) even though the city refused to pay the ransom. With the number of incidents growing, it is evident that becoming a victim is not a question of ‘if’ but of ‘when’. However, in most countries’ fights against ransomware, several challenges need to be addressed, such as the lack of coordination and collaboration between agencies and authorities, and the lack of legislation that clearly criminalizes ransomware attacks.
Although cyber insurance policies have existed since the early 2000s, ransomware attacks are one of the main reasons for the increased interest in this type of insurance over the last 5 years. In some 2019 incidents, the ransom or the cost of recovery was covered by such contracts. Unfortunately, if potential ransomware targets are known to be insured, attackers assume that they will most probably be paid. Another downside for the victim is that insurance providers pay the ransom up front to limit the damage and keep the victim’s reputation intact. Paying ransoms in this way encourages the criminal community and guarantees neither the victim’s recovery nor their reputation.
Cyberespionage
Cyber espionage is considered both a threat and a motive in the cybersecurity playbook. It is defined as the use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.
In 2019, many reports revealed that global organizations consider cyber espionage (or nation-state-sponsored espionage) a growing threat affecting industrial sectors, as well as critical and strategic infrastructures across the world, including government ministries, railways, telecommunication providers, energy companies, hospitals and banks. Cyber espionage focuses on driving geopolitics, and on stealing state and trade secrets, intellectual property rights and proprietary information in strategic fields. It also mobilizes actors from the economy, industry and foreign intelligence services, as well as actors who work on their behalf. In a recent report, threat intelligence analysts were not surprised to learn that 71% of organizations are treating cyber espionage and other threats as a ‘black box’ and are still learning about them.
In 2019, the number of nation-state-sponsored cyber-attacks targeting the economy increased and it is likely to continue this way. In detail, nation-state-sponsored and other adversary-driven attacks on the Industrial Internet of Things (IIoT) are increasing in the utilities, oil and natural gas (ONG), and manufacturing sectors. Furthermore, cyber-attacks conducted by advanced persistent threat (APT) groups indicate that financial attacks are often motivated by espionage. Using tactics, techniques and procedures (TTPs) akin to those of their espionage counterparts, groups such as the Cobalt Group, Carbanak and FIN7 have allegedly been targeting large financial institutions and restaurant chains successfully.
The European Parliament’s Committee of Foreign Affairs called upon Member States to establish a cyber-defense unit and to work together on their common defense. It stated that ‘the Union’s strategic environment has been deteriorating ... in order to face the multiple challenges that directly or indirectly affect the security of its Member States and its citizens; whereas issues that affect the security of EU citizens include: armed conflicts immediately to the east and south of the European continent and fragile states; terrorism –and in particular Jihadism –, cyber-attacks and disinformation campaigns; foreign interference in European political and electoral processes’.
Threat actors motivated by financial, political or ideological gain will increasingly focus attacks on supplier networks with weak cybersecurity programs. Cyber espionage adversaries have slowly shifted their attack patterns to exploiting third- and fourth-party supply chain partners.
Cryptojacking
Cryptojacking (also referred to as cryptomining) is the unauthorized use of a device’s resources to mine cryptocurrencies. Targets include any connected device, such as computers and mobile phones; however, cybercriminals have been increasingly targeting cloud infrastructures. This type of attack has not attracted much attention from law enforcement agencies and its abuse is rarely reported, mainly because its visible consequences are relatively mild. Nevertheless, organizations may notice higher IT costs, degraded computer components, increased electricity consumption and reduced employee productivity caused by slower workstations.
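Because cryptojacking rarely produces loud symptoms, network detection is a practical angle: most miners talk to a pool using the Stratum JSON-RPC protocol, whose method names are distinctive. The Python below is an added example (not from the ENISA text or this write-up) that scans constructed payload-log lines for Stratum client methods and for XMRig-style login messages while ignoring ordinary JSON-RPC traffic. The log format, the sample lines and the pool-port list are assumptions.

```python
import json
import re

# Constructed output of a payload-logging sensor; not a real capture.
# Format: <timestamp> <src> -> <dst>:<port> <payload>
SAMPLE = """\
2020-03-02T09:14:01Z 10.0.0.21 -> 198.51.100.20:3333 {"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}
2020-03-02T09:14:02Z 10.0.0.21 -> 198.51.100.20:3333 {"id": 2, "method": "mining.authorize", "params": ["wallet.worker1", "x"]}
2020-03-02T09:14:05Z 10.0.0.42 -> 203.0.113.9:443 {"id": 7, "method": "getUser", "params": []}
2020-03-02T09:14:06Z 10.0.0.42 -> 203.0.113.9:443 not-json-at-all
2020-03-02T09:14:07Z 10.0.0.77 -> 192.0.2.200:14444 {"id": 1, "jsonrpc": "2.0", "method": "login", "params": {"login": "WALLET_PLACEHOLDER", "pass": "x", "agent": "XMRig/5.11.1"}}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<payload>.*)$"
)
# Client-to-pool methods of classic Stratum (Bitcoin/Ethereum-style miners).
STRATUM_CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# Ports pools commonly listen on; a weak indicator, recorded but never decisive.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

def classify(msg):
    """Return (method, agent) if a JSON-RPC message looks like a miner talking to a
    pool, else None. The generic 'login' method only counts with miner fields."""
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_CLIENT_METHODS:
        agent = None
        if method == "mining.subscribe" and isinstance(params, list) and params:
            agent = params[0]           # subscribe carries the miner's user agent
        return method, agent
    if method == "login" and isinstance(params, dict) and ("agent" in params or "algo" in params):
        return method, params.get("agent")   # XMRig-style (Monero) login
    return None

def detect_cryptomining(log_text):
    """Scan log lines and return one finding per message that matches a miner pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            msg = json.loads(m["payload"])
        except json.JSONDecodeError:
            continue                    # non-JSON payloads carry no Stratum signal
        if not isinstance(msg, dict):
            continue
        hit = classify(msg)
        if hit is None:
            continue
        method, agent = hit
        port = int(m["port"])
        findings.append({"src": m["src"], "dst": m["dst"], "port": port, "method": method,
                         "agent": agent, "pool_port": port in COMMON_POOL_PORTS})
    return findings

def suspected_miners(findings):
    """Distinct internal hosts that produced at least one finding."""
    return sorted({f["src"] for f in findings})

if __name__ == "__main__":
    results = detect_cryptomining(SAMPLE)
    for f in results:
        print(f)
    print("hosts to investigate:", suspected_miners(results))
```

The method-name match is the strong signal; the port list is kept only as supporting context, since pools increasingly sit behind 443 and TLS, where this payload-level check no longer applies and you fall back to destination reputation, NetFlow timing (miners keep a very regular share-submission rhythm) and host telemetry such as sustained CPU use by an unexpected process.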
Jim: There’s the rundown you asked for. I may have expanded some areas that you weren’t prepared for.
Charles: Great. Fax that to everyone on the distribution list.
Jim: Yeah sure. You want to look at it first?
Charles: Do I need to?
Jim: No. No, I just wanted to make sure, it was in the same format. So that distribution list is gonna be my…?
Charles: What’s that?
Jim: The one I have. I’ll use the one I have.