What’s Coming in 2020: An RSA Recap

VMWare Carbon Black recently published our Outlook 2020 Threat Report largely fueled by the work of our amazing Threat Analysis Unit. Greg Foss (@Heinzarelli) and Andrew Costis (@0x4143) did some in-depth research on Malware samples seen in 2019. As part of RSA, Greg and I had the chance to present on the findings. I wanted to highlight a few of them here:

  • Attacker behavior continues to become more evasive, a clear sign that attackers are increasingly attempting to circumvent legacy security solutions. Defense evasion behavior was seen in more than 90 percent of the 2,000 samples we analyzed.
  • Ransomware has seen a significant resurgence over the past year. Defense evasion behaviors continue to play a key role with ransomware: 95 percent of analyzed samples.
  • The top industries targeted by ransomware over the past year, according to VMware Carbon Black’s global threat data, have been: Energy and Utilities, Government, and Manufacturing—suggesting that ransomware’s resurgence has been a nefarious byproduct of geopolitical tension.
  • Ransomware’s evolution has led to more sophisticated Command and Control (C2) mechanisms and infrastructure for attackers. Cybercriminals continue to leverage standard application protocols in network deployments to operate under the radar and blend in with standard business traffic. They are also deploying secondary C2 methods on sleep cycles, allowing them to wake up a new method of C2 upon discovery or prevention of their primary method.
  • Wipers continue to trend upward as adversaries (including Iran) began to realize the utility of purely destructive attacks. Leveraging techniques across the full spectrum of MITRE ATT&CK™, wipers rely heavily upon Defense Evasion techniques to avoid detection: 64 percent of analyzed samples.
  • Classic malware families have spawned the next generation. Throughout our research, we analyzed malware (such as NotPetya) that initially appeared to be ransomware, but upon further inspection, found the decryption component removed or ineffective, resulting in purely destructive malware.
  • Emotet, once the gold standard for banking Trojans, is being retooled as a Swiss Army knife for modern attackers and is heavily leveraged to perform a myriad of additional attacks due to its modular framework.
  • IT and security teams appear to be aligned on goals (preventing breaches, efficiency, incident resolution) but 77.4 percent of survey respondents said IT and security currently have a negative relationship, according to our study conducted by Forrester Consulting.
  • 55 percent of survey respondents said driving collaboration across IT and security teams should be one of the organization’s top priorities over the next 12 months.
  • Nearly 50 percent of both IT and security respondents reported being understaffed with security respondents noting their teams are currently 48 percent understaffed and IT teams are 26 percent understaffed, according to the study.
  • The study found that in the majority of cases—45 percent—the CISO is reporting to the CIO. However, when asked whom the CISO should report to, the majority of respondents (37 percent) said directly to the CEO. Of note, Nearly half (46%) of CIOs said the CISO should report directly to the CEO.
  • The talent gap continues to be a theme across the IT and security landscape. According to the study, 79 percent of respondents said finding the right security talent is either “very challenging” or “extremely challenging” and 70 percent reported the same level of challenge for IT talent.
  • More than 50 percent of survey respondents said that both security and IT will share responsibility for key areas like endpoint security, security architecture, and identity and access management over the next three to five years.
  • When it comes to risk, security leaders said brand protection (81 percent of respondents) is the most important issue for company boards, according to our study.
  • Both security and IT have seen increased investments over the last year.  Among survey respondents, 77 percent said they purchased new security products, 69 percent reported an increase in security staff and 56 percent reported an increase in IT staff.

Attackers are becoming more punitive as demonstrated by the clear rise in ransomware, wipers, and destructive attacks over the year. Attackers have become adept at evading security solutions. Their quality assurance has risen. They have gotten stealthier when it comes to command and control. Organizations find themselves defending against attacks fueled by rising geopolitical tension.

Attackers are not leaving. This is our new reality and we must adjust. As defenders, we must shift not only our thinking but also our people, processes, and technologies to account for new attacker behaviors.

Moving into 2020, it’s not about focusing on one type of attack. Attack types are blending and learning from each other. In 2020, we should focus more on attacker behaviors and less on the noise. By focusing on behaviors, teams can move to become proactive and hunt these behaviors before they cause harm. 


For more on the RSA conference, check out our re-cap as well as this article from Market Watch about the event.

Read Now