The European Union Agency for Cybersecurity (ENISA) has recently released its Threat Landscape 2021 Report, where it has identified prime threats, major trends observed with respect to threats, threat actors and attack techniques, and some suggested mitigation measures. ENISA’s findings are with respect to cybersecurity across Europe and its mandate of contributing to European Union cyber policy, which is established by the European Union’s Cybersecurity Act.
The main thrust of the report is that these threats are significant, and Canadian organizations can extract from it helpful information that transcends borders. I conclude with some of ENISA’s recommendations that Canadian organizations can use to address these threats.
As I have discussed previously here, here, and here, data breaches are extremely costly for organizations, and organizations benefit from reducing uncertainty as far as possible by implementing zero trust to protect their cybersecurity posture, which I described here.
But more must be done to deal with these threats. ENISA reports that cyberattacks continued to increase through 2020 and 2021, not only in vectors and numbers but also in impact. It is not surprising that the COVID-19 pandemic aggravated the situation: the shift to home offices expanded the attack surface, and the number of attacks targeting organizations and companies through home offices rose with it. In short, the ever-growing online presence, the migration of traditional infrastructures to online and cloud-based solutions, advanced interconnectivity, and the exploitation of new features of emerging technologies such as Artificial Intelligence (AI) have all increased the sophistication and complexity of attacks. Furthermore, ENISA notes that the threat to supply chains, with its potential for “catastrophic cascading effects”, has reached the highest position among major threats (ENISA now publishes a separate document on the threat landscape for supply chain attacks, linked here, which I will discuss at a later time).
What were the prime threats in 2020–2021?
ENISA set out nine prime threats, each of which is better understood as a cluster of related threats. Six of them are summarized below; cryptojacking and supply-chain attacks, which are also on ENISA’s list, are touched on elsewhere in this post:
- Ransomware—a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access
- Malware—software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of a system
- Email-related threats—a bundle of threats that exploit weaknesses in the human psyche and in everyday habits, rather than technical vulnerabilities in information systems
- Threats against availability and integrity—Denial-of-Service (DoS) attacks are among the most critical threats to IT systems: they target availability by exhausting resources, causing performance degradation, data loss and service outages
- Disinformation–misinformation—increased use of social media platforms and online presence due to the COVID-19 pandemic has enabled these campaigns to be used frequently in hybrid attacks to reduce the overall perception of trust
- Non-malicious threats—unlike the deliberate activity of adversaries with an incentive to attack a specific target, these are threats where malicious intent is not apparent, mostly arising from human error and system misconfiguration
What were the key trends in 2020–2021?
ENISA noted a number of trends, some of which include:
- COVID-19 drove cyber espionage tasking and created opportunities for cybercriminals
- Cybercriminals were increasingly motivated by monetization of their activities (like ransomware), and cryptocurrency remained the most common pay-out method for threat actors
- Compromise through phishing emails and brute-forcing on Remote Desktop Services (RDP) remained the two most common ransomware infection vectors
- Malware targeting container environments became much more prevalent, including novel evolutions such as fileless malware executed directly from memory
- Cryptomining and cryptojacking activity reached record volumes in 2021
- COVID-19 remained the dominant lure in campaigns for email attacks
- There was a surge in healthcare sector-related data breaches
- Traditional Distributed-Denial-of-Service (DDoS) attacks moved towards mobile networks and Internet of Things (IoT)
- Ransom-Denial-of-Service (RDoS) was characterized as “the new frontier” of denial-of-service attacks, phishing was “at the heart of disinformation attacks”, and misinformation and disinformation were considered “at the core of cybercrime activities”
- The Disinformation-as-a-Service (DaaS) business model grew significantly as the COVID-19 pandemic increased the public’s demand for information
Who were the key threat actors?
The following were the key threat actors:
- State-sponsored actors—groups conducting cyber espionage operations related to COVID-19 as well as using COVID-19-related lures for social engineering
- Cybercriminals—social engineering remained the most prevalent attack technique, and cybercriminals exploited people’s interest, concern, curiosity, and fear by using phishing lures related to COVID-19 for financial gain
- Hacker-for-hire actors—actors within the Access-as-a-Service (AaaS) market, consisting mostly of firms that offer offensive cyber capabilities
- Hacktivists—small groups of individuals who protested against regional events and targeted specific organizations such as financial institutions and governmental agencies
What can organizations take from this report?
For each threat, ENISA set out its recommendations. I have selected three of the threats the report covers (ransomware, malware and cryptojacking) and share ENISA’s recommendations for them here:
Ransomware
- Implement secure and redundant backup strategies
- Issue, manage, verify, revoke and audit identities and credentials for authorised devices, users and processes
- Manage access permissions and authorizations according to the principles of least privilege and separation of duties, and audit them
- Train and raise the awareness of users, including privileged users
- Separate development and production environments
- Monitor systems for fast identification of infections
- Use security products or services that block access to known ransomware sites
- Test ransomware response and recovery plans periodically so that risk and response assumptions and processes stay current with the evolving ransomware threat
- Run the Ransomware Readiness Assessment (RRA), a module of CISA’s Cyber Security Evaluation Tool geared towards IT and industrial control system (ICS) networks, to evaluate security against varying levels of ransomware readiness
- Report any attack or attempted attack to the authorities, and share incident information with the authorities and the industry to help restrict its spread
- Keep up with recent ransomware trends, developments and proposals for prevention
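ENISA lists brute-forcing of Remote Desktop Services as one of the two most common ransomware infection vectors, and monitoring systems for fast identification as a mitigation. The Python script below is an added example of what that monitoring looks like in practice; it is not from the ENISA report or from this post. It reads Windows Security events in a simplified JSON-lines form (a constructed sample: the field names follow the real 4624/4625 event data, the values are invented), keeps only RemoteInteractive logons (logon type 10, i.e. RDP), and flags a source address that produces a burst of failed logons, a successful logon from that address right after the burst (the signature of a guessed password), and a password spray that touches many accounts with few attempts each. The thresholds and window sizes are assumptions to be tuned per environment.

```python
"""RDP brute-force and password-spray detection over Windows Security events.

Added example. Input is one JSON object per line, the shape a SIEM might export
for event IDs 4625 (failed logon) and 4624 (successful logon). Only the field
names are real; every value below is constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPE_RDP = 10  # RemoteInteractive: Terminal Services / Remote Desktop


def _event(event_id, when, user, ip, status=None):
    """Build one constructed event record as a JSON line."""
    rec = {
        "EventID": event_id,
        "TimeCreated": when.strftime("%Y-%m-%dT%H:%M:%S"),
        "TargetUserName": user,
        "IpAddress": ip,
        "LogonType": LOGON_TYPE_RDP,
    }
    if status is not None:
        rec["Status"] = status  # NTSTATUS: 0xC000006A wrong password, 0xC0000064 no such user
    return json.dumps(rec)


_ATTACK_START = datetime(2021, 10, 4, 3, 12, 0)
SAMPLE_LOG = "\n".join(
    # benign: one mistyped password from a workstation, then success
    [_event(4625, datetime(2021, 10, 4, 8, 0, 12), "alice", "10.0.5.23", "0xC000006A"),
     _event(4624, datetime(2021, 10, 4, 8, 0, 31), "alice", "10.0.5.23")]
    # brute force: 14 failures against 'administrator' in about two minutes, then a success
    + [_event(4625, _ATTACK_START + timedelta(seconds=9 * i), "administrator",
              "203.0.113.77", "0xC000006A") for i in range(14)]
    + [_event(4624, _ATTACK_START + timedelta(seconds=9 * 14 + 5), "administrator", "203.0.113.77")]
    # password spray: one guess per minute against twelve different accounts
    + [_event(4625, _ATTACK_START + timedelta(minutes=i), f"user{i:02d}",
              "198.51.100.9", "0xC0000064") for i in range(12)]
)


def parse_events(text):
    """Parse JSON lines, keep RDP logon events only, return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("LogonType") != LOGON_TYPE_RDP:
            continue
        rec["ts"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_rdp_attacks(text, fail_threshold=10, window=timedelta(minutes=5),
                       spray_threshold=8, spray_window=timedelta(minutes=30)):
    """Return a list of alert dicts, one per (source IP, detection type).

    Thresholds and windows are assumptions; tune them to the environment.
    """
    by_ip = defaultdict(list)
    for rec in parse_events(text):
        by_ip[rec["IpAddress"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        fails = [r for r in recs if r["EventID"] == 4625]

        # Sliding window over failures: >= fail_threshold failures within
        # `window` from one source is a brute-force attempt.
        burst_end = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                burst_end = fails[end]["ts"]
        if burst_end is not None:
            alerts.append({"ip": ip, "type": "rdp_brute_force", "failures": len(fails)})
            # A success from the same source within `window` of the burst is the
            # signature of a guessed password and deserves the highest priority.
            for r in recs:
                if r["EventID"] == 4624 and burst_end <= r["ts"] <= burst_end + window:
                    alerts.append({"ip": ip, "type": "rdp_brute_force_success",
                                   "account": r["TargetUserName"]})
                    break

        # Password spraying stays under the per-account lockout threshold, so
        # count distinct target accounts from one source over a longer window.
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > spray_window:
                start += 1
            accounts = {r["TargetUserName"] for r in fails[start:end + 1]}
            if len(accounts) >= spray_threshold:
                alerts.append({"ip": ip, "type": "rdp_password_spray", "accounts": len(accounts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_LOG):
        print(alert)
```

The spray rule is there because a plain failure-count threshold misses the attacker who tries one common password against many accounts and stays below each account's lockout limit; the two rules together cover both shapes of the attack, and a 4624 following a burst is the event to page on.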
Malware and cryptojacking
The recommendations the report gives for these two threats are the same, so they are listed once here:
- Implement malware detection for all inbound/outbound channels, including email, network, web and application systems, on every applicable platform (for instance, servers, network infrastructure, personal computers and mobile devices)
- Inspect SSL/TLS traffic, allowing the firewall to decrypt what is being transmitted to and from websites, email services and mobile applications
- Establish interfaces between malware detection functions (intelligence-led threat hunting) and security incident management so that response is efficient
- Use the available malware analysis tools for sharing malware information and mitigations (for instance, MISP)
- Develop security policies that specify the processes to follow in the event of infection
- Understand the capabilities of the security tools in place and develop new security solutions; identify gaps and apply the defence-in-depth principle
- Employ mail filtering (or spam filtering) for malicious emails and remove executable attachments
- Regularly monitor the results of antivirus tests
- Use patch management for container infrastructure
- Make use of log monitoring with security information and event management (SIEM) solutions; indicative log sources are antivirus alerts, endpoint detection and response (EDR), proxy server logs, Windows Event and Sysmon logs, and intrusion detection system (IDS) logs
- Disable or reduce access to PowerShell functions
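One of the malware recommendations above is mail filtering that removes executable attachments. The Python script below is an added example of such a filter, not code from ENISA or from any mail product: it parses a constructed RFC 5322 message, classifies each attachment as executable by blocklisted extension (including double extensions such as invoice.pdf.exe), by a PE header regardless of the declared name and content type, or by executable entries inside a ZIP archive, and rewrites the message without those parts. The sample message, the extension list and the helper names are all assumptions made for the example.

```python
"""Strip executable attachments from an e-mail message (added example).

Uses only the standard library. The message built by build_sample_message() is
constructed for the example; the attachment bytes are placeholders, not real files.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute or that commonly carry scripts. An assumption
# for the example; extend it to match your own gateway policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "msi", "msp", "cpl", "hta",
    "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse", "wsf", "wsh", "jar", "lnk",
}


def _extension(name):
    name = (name or "").lower().strip()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def is_executable(filename, data):
    """Return a reason string if the attachment should be removed, else None."""
    # 1. Name-based: catches invoice.pdf.exe as well as a plain .exe
    if _extension(filename) in EXECUTABLE_EXTENSIONS:
        return "extension"
    # 2. Content-based: a PE image starts with 'MZ' whatever the declared type says
    if data[:2] == b"MZ":
        return "pe-header"
    # 3. Archive: look inside ZIPs for executable entries (one level deep)
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for inner in archive.namelist():
                    if _extension(inner) in EXECUTABLE_EXTENSIONS:
                        return "archive:" + inner
        except (zipfile.BadZipFile, OSError):
            return "malformed-archive"  # fail closed on a ZIP we cannot parse
    return None


def _filter_container(container, removed):
    """Recursively drop executable attachments from a multipart container."""
    kept = []
    for part in container.iter_parts():
        if part.is_multipart():
            _filter_container(part, removed)
            kept.append(part)
            continue
        filename = part.get_filename()
        if filename is not None:  # only parts carrying a filename are attachments here
            reason = is_executable(filename, part.get_payload(decode=True) or b"")
            if reason:
                removed.append((filename, reason))
                continue
        kept.append(part)
    container.set_payload(kept)


def strip_executable_attachments(raw):
    """Parse raw message bytes; return (cleaned bytes, [(filename, reason), ...])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    if msg.is_multipart():
        _filter_container(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw):
    """Filenames of the attachments a message still carries, in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample_message():
    """Constructed phishing-style message: one clean and three dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "alice@example.net"
    msg["Subject"] = "COVID-19 relief invoice"
    msg.set_content("Please find the invoice attached.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 28  # PE magic only, not a real executable
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice_copy.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "placeholder")
        archive.writestr("setup.scr", fake_pe)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(build_sample_message())
    print("removed:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

Checking the bytes as well as the name matters because the declared filename and Content-Type are attacker-controlled. The archive check is only one level deep and cannot see into encrypted or nested archives, so a real gateway pairs a filter like this with quarantine or sandbox detonation for what it cannot inspect.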
It is recommended that organizations review the entire document to become better equipped to deal with the above cybersecurity threats. The above recommendations could go a long way in helping Canadian organizations strengthen their cybersecurity posture.