How the world embraced results-oriented cybersecurity

Cybersecurity goes hand in hand with changes in the information sphere: new technologies are always accompanied by new threats, which protection methods must counter. This report examines what's been happening in the information security world over the past five years: how cybercriminals have operated and how approaches to security have changed. By analyzing the progression of real attacks and the security data of organizations, plus the opinions of those in charge, we investigate how cybersecurity has changed in recent years.

To analyze the changes, we drew on our own research on current cyberthreats from 2017 to 2021, as well as on the results of numerous studies of corporate information security: the progression of real attacks, the security analysis data of organizations, and the opinions of those in charge of protecting them.

How attacks are changing: cybercriminal trends and methods

No end in sight

With the ongoing informatization of society, many processes are being automated and services are gradually moving online. For example, governments can now provide most services remotely, removing the need to wait in line. Everyday actions, be it booking tickets, making a doctor's appointment, paying for goods and services, or even buying real estate, are increasingly taking place online. But as technology develops, so too do cybercriminals' capabilities, and we are seeing a corresponding rise in their activity. For instance, the total number of attacks in 2021 was 2.5 times the 2017 figure. (This study counts each mass incident, such as a ransomware attack affecting several company departments or a malware campaign in which phishing emails were sent to multiple addresses, as one attack.)

The annual number of attacks has grown 2.5-fold in the past five years

Figure 1. Dynamics of the number of attacks

Big profits and lower attack costs are the priority

Since 2017, we have seen a gradual rise in the number of attacks targeting specific organizations or industries, and this trend has become ever more pronounced over the past half decade: in 2017, targeted attacks accounted for 43 percent of the total; by 2021 the figure had reached 74 percent.

Figure 2. Share of targeted and mass attacks

Year after year, the public sector takes a hit. According to our data, government agencies have consistently ranked first by number of attacks in recent years. Government agencies are attractive targets: more and more services are provided electronically, and government systems contain vast amounts of data. It is impossible to overlook the hike in attacks on healthcare systems that we observed in 2020: the number of attacks on medical institutions increased by 91 percent compared to 2019. We attribute this fact to the accelerating digitalization of medicine and the pandemic-related increase in patient data.

Cybercriminals are also showing interest in industry: the number of attacks in 2021 surpassed the results of 2017 by more than seven times. Industry's lack of readiness in the face of sophisticated malware leads to targeted attacks, and the damage from business downtime forces some companies to strike deals with cybercriminals and pay large ransoms. Recall that Colonial Pipeline paid out more than $4 million.

Note, however, the comparative resilience of the financial sector: although the number of attacks on banks is increasing, the growth cannot be described as rapid. Moreover, the share of attacks on financial organizations in the total number of attacks on companies actually halved by 2021. This is especially obvious in comparison with cybercriminal interest in industry: before 2018, attacks on the financial sector significantly outnumbered those on industry; since the beginning of 2019 the ratio has reversed.

Figure 3. Most attacked industries (share of attacks)

That the number of attacks on financial institutions is growing less rapidly can be explained by the fact that to extract money from a bank, the attackers must be highly skilled. Banks invest heavily in security and comply with information security standards, so, compared to other companies, their security has improved in recent years (as confirmed by security analysis results below). What's more, it was previously assumed that maximum profit came from stealing money, and access to the bank systems allowed the largest possible amount to be siphoned off. These days, however, attackers have largely switched to ransomware, and instead of targeting banks specifically, they can select any large company that is less well protected. Now the main source of profit is extortion, which does not require high-level skills or in-depth knowledge of financial institutions' infrastructure.

Cybercriminals are showing increasing interest in data stored in various organizations, such as information about customers and users, or trade secrets. Whereas previously cybercriminals were more focused on stealing funds directly, say, from the accounts of companies or individuals, nowadays information that can be used for attack development, extortion, or sale on the dark web is of greater value. Accordingly, the share of attacks aimed at stealing confidential data has risen from 12 to 20 percent. Most in demand are personal data (32%) and credentials (20%), as well as medical information (9%).

How cybercriminal methods and goals have changed

Looking at the popular attack methods of five years ago, we notice some clear differences from today. 2017 is memorable for a string of mass ransomware attacks, among which the WannaCry epidemic warrants special mention (note that back then ransomware was not yet the main weapon of attackers, and the ransomware-as-a-service model was just gaining popularity), but the financial sector was still the main target: cybercriminal groups attacked banking systems (including SWIFT) and carried off large sums of money. For example, the Cobalt group, which specializes in attacks on finance, inflicted more than 1 billion rubles worth of damage on Russian banks. Another target was ATMs: in India, for instance, cybercriminals emptied dispensers in a matter of minutes, while in 2017 in Moscow alone more than 5 billion rubles was stolen from ATMs. As cryptocurrencies and blockchains took over the digital world, malefactors explored new attack opportunities. This trend is confirmed by the prevalence of miners and major attacks on ICOs: for example, an attack on the NiceHash cryptocurrency mining platform resulted in the theft of more than $70 million worth of bitcoin.

Some of these trends continued in 2018, which saw high-profile attacks on POS terminals and ATMs worldwide (a jackpotting wave engulfed the U.S. at the start of the year), and a series of 51% attacks on the Monacoin, Verge, Bitcoin Gold, and ZenCash cryptocurrencies. That same year, we observed some of the most powerful DDoS attacks ever seen and a number of major data breaches, one of which hit the Marriott hotel chain. Another important development concerns the activities of regulators: the European Union introduced the General Data Protection Regulation (GDPR) to improve the protection of personal data. One of the first to get caught out was a Portuguese hospital, which was fined €400,000 for a vulnerability in its patient records storage system.

Large-scale leaks also marked 2019: researchers found large amounts of data in the public domain and databases for sale on the dark web. A separate mention goes to the notorious Collection #1, containing more than 700 million unique account credentials. The stolen data, totaling 87 GB, was published on a free cloud service, and compromised passwords were later used by cybercriminals to access the accounts. Also in 2019 there were many Magecart attacks on online resources through the injection of malicious JavaScript code (JavaScript sniffers); the number of attacks by APT groups went up.

2020 was dominated by the pandemic. While employers endeavored to keep employees safe and sound, cybercriminals sought out security flaws to exploit. The year saw a surge in attacks on the back of the mass transition to remote working, which in many cases was done hastily and without proper protection measures. For instance, as of mid-2020, software vulnerabilities were being exploited in more than 30 percent of organizations, a consequence of the many unprotected servers that had appeared on network perimeters. Attackers looked for vulnerabilities in VPN and remote access solutions, exploited flaws in web applications, and brute-forced passwords for RDP access. At the same time, ransomware resurfaced, accounting for 45 percent of all malware used. What's more, many of the attacks were no longer of a mass nature: ransomware operators, eyeing a large ransom, began to handpick their victims, studying each company's resources and position in the market and industry. Also in 2020 we observed some major attacks on the supply chain, most notably the SolarWinds hack, one of the biggest incidents of the year and one of the most potentially devastating we've seen in recent times. The attackers were able to inject malware into an update of a company product, which was soon downloaded by thousands of SolarWinds customers, including U.S. government agencies and more than 400 major U.S. companies.

The growth in cybercriminal activity during this difficult period is noteworthy not only for the number of attacks: the black market is also picking up the pace. For example, the number of new access-related ads on dark web forums in Q1 2021 increased by more than seven times against the same period in 2020. The number of new ads in search of cybercriminal partners and operators also climbed, which indicates that collaboration and recruitment are on the rise.

Figure 4. Number of ads on dark web forums

The effects of the pandemic continued into 2021, but organizations, having learned from bitter experience, were now able to implement security measures, causing the growth in the number of attacks to slow. In the first half of the year, ransomware set records for the number of attacks, and amounted to 69 percent of all malware incidents. Ransomware attacks had severe consequences for entire industries: for example, a REvil ransomware attack temporarily shut down JBS Foods factories in the U.S. Law enforcement started cracking down on ransomware, which caused a lull in activity, but it is still too early to talk about the end of such attacks.

Last year was also notable for the disclosure of critical vulnerabilities: for instance, the discovery of a vulnerability in the Apache Log4j library turned into a real pandemic in the cybersecurity world. After it was published, attackers began to exploit the vulnerability en masse. And the attacks will continue: CISA warned that the flaw will be exploited for years to come.

Attack damage: new records

Cyberattacks are becoming increasingly disruptive to business, especially with the rise of ransomware. Ransomware operators seek to maximize profit, and we are seeing ever more demands for large payments. In 2017, the highest demand was for $1 million, while the average was in the hundreds of dollars. By 2021, the average ransom demand had risen to $6 million, and the insurance firm CNA Financial paid out a record $40 million to regain access to its data. It's not just individual organizations that suffer from cyberattacks, but entire industries, regions, and even countries. For example, the May 2021 attack on Colonial Pipeline temporarily shut down the largest fuel pipeline in the U.S. A state of emergency was declared in 17 states and the District of Columbia. The economy didn't wait long to respond: fuel prices rose to a seven-year high, causing panic among the population.

Cybersecurity Ventures expects the global cost of cybercrime to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $6 trillion in 2021.

Takeaways

Cybercriminals' goals, motives, and methods are changing, and companies need to regularly review their cybersecurity approaches to ensure effective protection. As the number of targeted attacks increases, it is important to keep developing ways to identify complex threats, while compliance with regulatory requirements can only guard against typical attacks on the industry. The pandemic-hit 2020 showed how quickly a company's interaction with employees can change, and how cybersecurity implementation lags behind the challenges of the times. The scale of damage is also increasing, with attacks affecting entire industries and even countries.

Demand for protection: changes in security approaches

What worries business: from economics to cyberrisks

The impact of cybersecurity on business is growing. According to a PwC report, cyberrisks ranked 10th in the list of threats of most concern to CEOs in 2017. However, the later events described in the first section had a massive impact on companies, and by the start of 2022 cyberthreats were in first place, outstripping even macroeconomic volatility. Almost half (49%) of CEOs now consider cyberthreats to be one of the most impactful factors on business. Interestingly, the greatest concern is shown by financial institutions: 59 percent of respondents from this industry fear cyberthreats.

Figure 5. Share of CEOs worried about cyberrisks (data as at the start of each period)

Russia's financial sector, too, is keen to ensure sufficient cybersecurity: the regulatory and legal framework is constantly being refined; there is a steady information exchange between FinCERT (Financial Sector Computer Emergency Response Team) and more than 800 companies; and information security forums are held.

Executives worldwide are most concerned that cyberthreats, once realized, can impact sales (62%) and hinder innovation in technologies and processes (56%). Such fears are more than justified: every year we observe major attacks that significantly affect business development. For example, one consequence of the above-mentioned attack on SolarWinds was a collapse in the company's share price.

Attacks are growing in scale, and every year corporate outlays on information security are increasing. According to a study, more than two-thirds (69%) of executives expect costs to rise, with 26 percent forecasting cybersecurity outlays to increase by more than 10 percent. In Russia, 65 percent of organizations expect the information security budget to grow.

Figure 6. Expected changes in information security outlays

As a rule, information security budgets are spent primarily on bringing the infrastructure in line with regulatory requirements, in particular, the drafting of organizational and administrative documents and the implementation of protection tools (for example, antivirus software and firewalls). To identify security flaws in the corporate network and detect potential attacks, some companies conduct internal security reviews, with penetration testing being one of the most effective methods.

No improvement in corporate security

Many organizations commission an annual pentest to assess the security of their infrastructure (more than 100 companies have had their infrastructure tested by Positive Technologies in the past five years). Most of them are in the industrial (32%) and financial (27%) sectors.

Figure 7. Distribution of pentested companies by industry

Most companies' results showed a low level of protection against both external and internal attackers. Maximum privileges could be obtained in the infrastructure of all companies, and corporate network penetration succeeded in more than 90 percent of cases. Moreover, in 2021, the network perimeter of all organizations was breached.

The financial sector is the best prepared for attacks: in 2020, 17 percent of organizations in this industry withstood attempts to penetrate the internal network. In other companies, the level of protection was much lower. At the same time, in most cases, even an inexperienced attacker with only basic knowledge would have been able to gain access to local network resources and develop an attack to take full control over critical systems, and this fact has not changed in the past five years.

Top security issues remain unchanged

Overall, we see that the most popular attack vectors for internal network penetration remain the same: in 2017, dictionary attacks against accounts on network perimeter resources and exploitation of vulnerabilities in web applications were the main methods of internal network penetration, and they were still highly effective in 2021. However, as more services are moved to the network perimeter, the number of internal network penetration vectors also grows: in 2017, on average, there were two LAN penetration vectors per project; today there are three. Note that in 2017 the maximum number was 10, while in 2021 the figure was 19.

The main methods in the toolkit of internal attackers have also changed little over the past five years. The most common are: bruteforcing of accounts; manipulation of OS architectural features and authentication protocols; and exploitation of vulnerabilities in software used.

Figure 8. Maximum severity level of vulnerabilities (share of companies)

It would seem that a robust password policy is a protection measure that every company can implement. Nevertheless, the share of vulnerable systems remains significant, and the severity level of the vulnerabilities has been reduced only slightly, from critical to high. Most often, attackers exploit password policy weaknesses to get past the network perimeter, brute-forcing account credentials to penetrate the internal network: in H2 2020–H1 2021, 71 percent of attacks used these weaknesses. Credential brute-forcing was also used in attacks inside the network: this method featured in 93 percent of successful attacks.
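The two credential-guessing vectors the report describes, dictionary attacks against perimeter accounts and brute-forcing inside the network, leave a distinctive trace in authentication logs, and detecting them is the cheap complement to a password policy. The following script is an added example written for this edit, not code from the report or from Positive Technologies' tooling. It assumes an sshd-style log format, constructs a small sample log inline (not real data), and uses illustrative thresholds (five failures or four distinct accounts within five minutes) that are assumptions rather than values from the report. It distinguishes a vertical brute-force attempt on one account, a horizontal password spray across many accounts, and the most important signal of all: a successful login from a source that had just been failing.

```python
"""Detect credential brute-forcing and password spraying in authentication logs.

Added example, not from the original report. The log lines below are
constructed in an sshd-like format for illustration; the thresholds are
assumptions, not figures from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 hammers a single account and then gets in,
# 198.51.100.7 tries one password across many accounts (spraying),
# 192.0.2.9 is a normal user with one typo.
SAMPLE_LOG = """\
2021-06-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 50001
2021-06-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.5 port 50002
2021-06-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 50003
2021-06-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 50004
2021-06-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 50005
2021-06-01T10:00:06 sshd[101]: Accepted password for admin from 203.0.113.5 port 50006
2021-06-01T10:05:00 sshd[102]: Failed password for alice from 198.51.100.7 port 40001
2021-06-01T10:05:10 sshd[102]: Failed password for bob from 198.51.100.7 port 40002
2021-06-01T10:05:20 sshd[102]: Failed password for carol from 198.51.100.7 port 40003
2021-06-01T10:05:30 sshd[102]: Failed password for dave from 198.51.100.7 port 40004
2021-06-01T10:05:40 sshd[102]: Failed password for erin from 198.51.100.7 port 40005
2021-06-01T10:30:00 sshd[103]: Failed password for frank from 192.0.2.9 port 30001
2021-06-01T10:30:20 sshd[103]: Accepted password for frank from 192.0.2.9 port 30002
"""

# Assumed log format (sshd-like); adapt the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_log(text):
    """Parse log lines into (timestamp, success, user, source) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"] == "Accepted", m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return a sorted list of (alert_type, source, user) tuples.

    brute_force:            >= fail_threshold failures against one account from one source within `window`.
    password_spray:         failures against >= spray_users distinct accounts from one source within `window`.
    success_after_failures: an accepted login from a source that had already crossed fail_threshold
                            within `window`, i.e. the guessing may have worked.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):          # chronological order per source
        by_src[ev[3]].append(ev)

    alerts = set()
    for src, evs in by_src.items():
        recent = []                    # failures still inside the sliding window, as (ts, user)
        for ts, ok, user, _ in evs:
            recent = [f for f in recent if ts - f[0] <= window]
            if ok:
                if len(recent) >= fail_threshold:
                    alerts.add(("success_after_failures", src, user))
                continue
            recent.append((ts, user))
            users = {u for _, u in recent}
            if len(users) == 1 and len(recent) >= fail_threshold:
                alerts.add(("brute_force", src, user))
            if len(users) >= spray_users:
                alerts.add(("password_spray", src, None))
    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The spray rule matters because a lockout policy alone does not stop it: an attacker trying one common password against every account never trips a per-account counter, so detection has to be keyed on the source rather than the user. Conversely, the success-after-failures rule is the one worth paging on, since it indicates a credential that has actually been guessed.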

We are also seeing ever more critical vulnerabilities in the software companies use. Their presence and exploitability allow even inexperienced attackers, never mind APT groups, to inflict damage on a company. Outdated software versions make it possible to use known vulnerabilities both to breach the network perimeter and to continue the attack in the organization's internal network. According to a recent study, known software vulnerabilities were exploited in 60 percent of internal network penetration scenarios.

Critically dangerous vulnerabilities related to insufficiently protected web applications were most often found in 2020: during the switch to remote working, many organizations moved web services to the external perimeter wholesale, which presented additional opportunities to penetrate their internal structure. There is a way to penetrate the local network of virtually any company through web applications.

The human factor, too, is of great importance for corporate security: employee awareness studies by Positive Technologies show a low level of readiness for phishing attacks on the part of personnel.

For example, during a series of projects in 2017, 26 percent of employees clicked on a link in a phishing email, 16 percent opened an attached file, and 11 percent entered credentials in fake authentication forms. The situation has only got worse: today 38 percent of employees follow links in phishing emails, 31 percent enter credentials, and 39 percent open a malicious attachment.

From testing individual systems to analyzing business impact

What does a poorly secured infrastructure mean for business? As the corporate IT infrastructure grows, so too does the number of vulnerabilities, and locating weaknesses in any one part of the system or in the links between them is becoming increasingly laborious, as is the task of collating pentest results with real-life consequences for business. Therefore, the goals of security analysis become more concrete every year.

There is demand from companies to identify and verify unacceptable events that could be brought about by gaining access to certain components of the corporate infrastructure. Today, in one in three projects, clients specify target systems to be checked for attack vectors that could lead to serious consequences for the company. Such target systems might be: ICS, an ATM management system, the SWIFT interbank transfer system, accounting software, or a site administration interface. The objectives set for security analysts are becoming more specific and complex, and pentest goals more numerous and serious (for example, gaining access to a treasury system able to make payments while the token for confirming important financial transactions is active).

Among unacceptable events, client companies most often cited disruption of business and service delivery processes, theft of monetary funds and important information, compromise of the digital identity of top management, and fraud against users. Unfortunately, the results of projects to verify such events reflect the general lack of security: in H1 2020–H1 2021, for example, 87 percent of the unacceptable events defined by industrial companies were successfully triggered by our testers, and 62 percent of those defined by banks.

The harm from cybercrime is on the rise, and business leaders are increasingly eager to carry out security audits. If previously experts compiled mainly technical reports, now individual presentations and reports for top management are an integral component of many projects: for example, twice as many project-related presentations and reports were prepared for top managers of client companies in 2021 than in 2020.

Takeaways

Overall, despite the shifting cyberthreat trends and attacker motives, we see that corporate security issues have not undergone significant changes. In its security analysis projects, Positive Technologies managed to compromise core infrastructure systems both five years ago and in 2021. In 2020–2021, a total of 79 percent of the unacceptable events identified by companies were successfully triggered during testing.

Conclusion

The notion of a secure system used to be considered somewhat utopian, and building an ideal secure system was based largely on compliance with regulatory standards. It was thought that a system first and foremost had to be impenetrable; internal processes were not yet scrutinized in such detail. But since 2020, information security has moved towards building and maintaining systems and processes so as to prevent events that are unacceptable for the business. This means that even if the internal infrastructure is penetrated, the intruder should not be able to reach target systems or disrupt internal business processes in ways that would threaten the operation, or even the very existence, of the organization. And whereas early security audits lacked specific goals, nowadays they increasingly involve verification of unacceptable events: analysis of which business processes are vulnerable to attack, what a successful attack can lead to, and what needs to be done to avoid it.

CEOs, who just a few years ago attached little importance to information security, believing it to be a hindrance to business development, now prioritize it. Top managers are increasingly working with CIOs and supplying feedback during security analysis projects.

Attention is now being paid not only to building protection, but to detecting attacks already in progress in the infrastructure, as well as monitoring system processes and events, in which regard there are many incident monitoring and response solutions available. Organizations recognize the need to upskill personnel so as to defeat real-world attacks. We are also seeing the emergence of cyberranges—systems that simulate part of an organization's real infrastructure, where defenders can hone their security skills against white-hat attackers. The need to automate attack detection and rapid response is growing, and we expect such systems to develop going forward.
