2020 “broke all records when it came to data lost in breaches and sheer numbers of cyber attacks on companies, government, and individuals,” Forbes notes. Yet, attacks are still rising in 2021.
Incident response (IR) products and services protect our organizations and help us to limit the damage during a cyber attack and then recover from the effects.
The five incident response trends to watch in 2021 reflect the changing scope of attacks, increasing requirements, and how the market is responding to challenges:
5 Trends to Watch in Incident Response
1. Expanded Landscape for Incident Response
Some IT managers still cling to the perimeter security model defined by firewalls, networks, servers, and desktop computers. Unfortunately, that model no longer describes the average network in the modern workplace, and the scope of where, what, and who attackers will target continues to expand.
The arrival of the COVID-19 pandemic converted entire organizations into remote-work operations, with many employees connecting to the corporate environment from mobile and home devices. A surge of attacks followed. Barracuda Networks reports a 667% increase in malicious phishing emails during the pandemic. Reports and Data notes that at least one in eight leading corporations has experienced a security breach through social media, another exposure that grows with a remote workforce.
Many devices that are not traditional computers also present enticing targets. Reports and Data cites a 300% increase in cyber attacks on Internet of Things (IoT) devices, such as printers, televisions, phones, security cameras, and a wide variety of medical equipment. The arrival of 5G-enabled devices in factories and logistics chains should further increase the attack surface by “tens of billions of devices,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Outside of the corporate firewall, IndustryArc highlights how the “rising dependency” of organizations of all sizes on web technologies, such as public websites, web applications, and critical web services running in the cloud, forces them to confront the cybersecurity issues that come with exposing those services to the internet.
Each of these devices provides a possible entry point for an attacker looking for a weakness to exploit, expanding the where and what.
The range of targets also continues to expand. Ransomware has proved lucrative, or at least disruptive, against organizations of all sizes, including hospitals, municipalities, and schools:
- The FBI issued a warning regarding the Hive ransomware after it shut down Memorial Health System
- 22 small Texas towns were hit by ransomware at once when the IT service provider they shared was compromised by an attacker
- Howard University in Washington, D.C. was forced to cancel classes after a ransomware attack
2. Increased State-Sponsored Activity
While attacks in general have become more sophisticated, state-backed operations continue to drive incident response with high-profile, highly sophisticated intrusions.
In a recent report, researchers found a 100% rise in significant state-linked incidents between 2017 and 2020, with enterprises becoming the most common target.
Attacking commercial targets gives hostile states both political and financial gain. Using semi-independent attackers also provides some deniability, even when analysts continue to attribute the activity to a state actor.
For example, Mordor Intelligence notes that India has been one of the most prominent victims of cyber attacks because of its relationship with China, which it identifies as the largest source of state-backed attacks; as of March 2021, it attributes 30% of global cyber attacks to China.
The Center for Strategic and International Studies (CSIS) maintains a list of significant cyber incidents since 2006. Here are two of the largest that made headlines:
- 2020: Hackers believed to be affiliated with Russia executed a supply chain attack on SolarWinds, trojanizing an update to its Orion software and compromising at least nine federal agencies and 100 private sector organizations
- 2021: Attackers believed to be affiliated with China exploited zero-day vulnerabilities in Microsoft Exchange Server to install backdoors on as many as 125,000 privately hosted servers worldwide. The incident was also notable because the FBI obtained court authorization to remove those backdoors from compromised U.S. servers without first notifying their owners, because organizations were remediating too slowly.
Other countries believed to be associated with state-sponsored hacks include Belarus, Iran, Israel, the U.S., and Vietnam.
Few organizations have the resources to defend against a foreign government, but many of these campaigns, including the Microsoft Exchange server hacks, were attacks of opportunity against unpatched, poorly maintained infrastructure. The IR market will continue to grow in response to more aggressive nation-sponsored attacks and the lackluster preparation of many victims.
3. Increased Regulation and Compliance
The U.S. federal government has yet to pass comprehensive cybersecurity legislation, but many existing laws penalize companies for breaches, such as:
- U.S. state data privacy laws (e.g., California, New York)
- European Union General Data Protection Regulation (GDPR)
- U.S. Health Insurance Portability and Accountability Act (HIPAA)
Private contractual regimes, such as the Payment Card Industry Data Security Standard (PCI DSS), can also result in fines, levied by the card brands and acquiring banks, for breaches that expose cardholder data such as credit card numbers.
Mordor Intelligence notes that increasingly “stringent government regulations and compliance requirements by enterprises” will be a significant factor driving growth in the IR market. Meanwhile, not only are cyber-insurance premiums rising, but many insurers have begun to specify what security controls must be in place and which IR vendors an organization may use.
Organizations will need to increasingly involve their insurers and legal counsel as part of the team to select IR providers and to ensure that the work product (evidence collected, reports produced, etc.) meets the needs of increasingly complex and overlapping regulations.
4. Continued Reliance on Service Providers
Organizations may prefer to maintain in-house capabilities, but they are finding it increasingly difficult to do so. Varonis notes that 74% of respondents to the ESG/ISSA research report said their firms are affected by the shortage of skilled cybersecurity talent.
That shortage means higher costs and retention problems for anyone trying to maintain a full team of experts. Instead, most organizations outsource at least part of the function to service providers.
Mordor Intelligence details the wide variety of incident response capabilities sought by organizations, such as breach investigation, forensic services, handling chain of custody, and examination and analysis of applications, data, networks, and endpoint systems.
Verified Market Research notes the key benefits of adopting incident response solutions: responding to an incident more efficiently, improving IT staff productivity, protecting sensitive data and applications, and meeting stringent regulations.
5. Evolution in Tools
Increasing cybersecurity demands and talent shortages continue to be addressed through advancements in incident response tools. Existing tools may expand coverage or new tools may be developed to encompass the increasing device landscape of mobile devices, IoT, operational technology (OT), cloud computing, and container technology.
Tooling increasingly leverages machine learning (ML) and artificial intelligence (AI) algorithms. The SANS Institute cites a Ponemon Institute study in which 49% of security professionals said machine learning enhances their ability to prioritize threats and vulnerabilities, and 47% said it increases the productivity of security personnel.
Similarly, LogsTail notes that AI techniques can help security professionals recognize patterns in the vast volume of log data that machines produce, cutting the time needed compared with manual review.
Unknown events may not permit an automated response. However, algorithms can quickly separate these events from the mundane ones and escalate them for human review.
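The triage idea in the last two paragraphs, separating events that match a learned baseline from those that have never been seen, is shown below as a small worked example. This is added illustration, not code from the article or from any of the vendors it cites; the `auth` log format, the baseline window, and the new events are constructed for the example, and the `min_seen` threshold is an arbitrary choice.

```python
"""Baseline-driven triage of authentication log lines (added example).

A frequency baseline is learned from a historical window of events. New events
whose (user, source, result) pattern was common in the baseline are auto-closed;
patterns that are rare, never seen, or unparseable are escalated to a human,
with the reason attached so the analyst can start from the anomaly itself.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple
import re

# Constructed log format for this example: "<ts> auth user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed historical window: the "normal" the baseline is learned from.
BASELINE_LOG = """\
2021-09-01T08:01:02Z auth user=alice src=10.0.1.15 result=success
2021-09-01T08:03:11Z auth user=bob src=10.0.1.20 result=success
2021-09-01T08:05:40Z auth user=carol src=10.0.1.22 result=success
2021-09-01T09:12:07Z auth user=alice src=10.0.1.15 result=failure
2021-09-01T09:12:19Z auth user=alice src=10.0.1.15 result=success
2021-09-01T10:30:55Z auth user=bob src=10.0.1.20 result=success
2021-09-01T11:02:43Z auth user=carol src=10.0.1.22 result=success
2021-09-01T13:45:09Z auth user=alice src=10.0.1.15 result=success
2021-09-01T14:10:31Z auth user=bob src=10.0.1.20 result=success
2021-09-01T15:22:18Z auth user=carol src=10.0.1.22 result=success
2021-09-01T17:01:27Z auth user=alice src=10.0.1.15 result=success
"""

# Constructed events arriving after the baseline window.
NEW_LOG = """\
2021-09-02T08:00:12Z auth user=alice src=10.0.1.15 result=success
2021-09-02T08:04:50Z auth user=alice src=10.0.1.15 result=failure
2021-09-02T02:17:33Z auth user=alice src=203.0.113.9 result=success
2021-09-02T02:18:05Z auth user=svc-backup src=10.0.1.30 result=failure
2021-09-02T03:12:00Z kernel: eth0 link down
"""

Pattern = Tuple[str, str, str]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def pattern(event: Dict[str, str]) -> Pattern:
    """The tuple the baseline is keyed on: who, from where, with what outcome."""
    return (event["user"], event["src"], event["result"])


def build_baseline(lines: List[str]) -> Counter:
    """Count how often each pattern appeared in the historical window."""
    return Counter(pattern(e) for e in map(parse_line, lines) if e)


def triage_event(line: str, baseline: Counter, min_seen: int = 3) -> Tuple[str, str]:
    """Return (verdict, reason). Anything not clearly mundane is escalated."""
    event = parse_line(line)
    if event is None:
        # The model cannot reason about what it cannot parse; a human must look.
        return ("escalate", "unparseable line")
    seen = baseline[pattern(event)]  # Counter returns 0 for unseen keys
    if seen >= min_seen:
        return ("auto-close", f"pattern seen {seen} times in baseline")
    if seen:
        return ("escalate", f"rare pattern, seen only {seen} time(s) in baseline")
    # Never seen: say which part is new so the analyst knows where to start.
    known_users = {u for u, _, _ in baseline}
    known_srcs = {s for _, s, _ in baseline}
    novel = []
    if event["user"] not in known_users:
        novel.append("new user " + event["user"])
    if event["src"] not in known_srcs:
        novel.append("new source " + event["src"])
    if not novel:
        novel.append("new user/source/result combination")
    return ("escalate", "never seen: " + ", ".join(novel))


def triage(lines: List[str], baseline: Counter, min_seen: int = 3) -> List[Tuple[str, str, str]]:
    """Triage every line, returning (line, verdict, reason) in input order."""
    return [(line, *triage_event(line, baseline, min_seen)) for line in lines]


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG.splitlines())
    for line, verdict, reason in triage(NEW_LOG.splitlines(), base):
        print(f"{verdict:10} {reason:55} | {line}")
```

The point of the example is the asymmetry: only a pattern that was common in the baseline is closed automatically, while everything else, including lines the parser does not understand, lands in the human queue with a one-line reason. A real deployment would key the baseline on richer features and age it over time, but the escalation rule stays the same.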