With the growth and pervasiveness of online devices and digital tools, we reached a critical tipping point in 2016. The need for accountability at multiple levels is urgent and real and affects us all. If something isn’t done, there is a real risk of disrupting the emerging Digital Economy.
Even in recent weeks, IoT devices were hijacked to shut down a huge section of the Internet. Stolen documents were used in an attempt to influence the US presidential election. Ransomware began to reach epidemic proportions, including high value targeted ransom cases. These and similar attacks have had sweeping impacts beyond their victims.
The rise of the digital economy is not just changing how organizations conduct business. The effects of this “fourth industrial revolution” are much more pervasive, and the speed of change is unprecedented beyond anything that has come before it. Slamming the brakes on a global economy in such a transition could be devastating. Vendors, governments, and consumers driving this change need to step up and be accountable for making sure that doesn’t happen. Cybersecurity is a strategic decision in all of these scenarios. It won’t be easy.
Watching cyber threats evolve over the past year, a few trends have become apparent.
The digital footprint of both businesses and individuals has expanded dramatically, increasing the potential attack surface.
Everything is a target and anything can be a weapon
Threats are becoming intelligent, can operate autonomously, and are increasingly difficult to detect
There are two threat trends: automated attacks against groups of smaller targets and customized attacks against larger targets
In addition, these two trends are increasingly being blended together, with automated attacks being used as a first phase, and targeted attacks as a second. This attacks strategy was used in the BEC scam broken up by INTERPOL, which cost the digital economy over $61M USD.
In addition to new threats, old threats keep returning, but enhanced with new technologies
Using these trends as a guideline, here are six predictions about the evolution of the cyberthreat landscape for 2017 and their possible impact on the digital economy.
Note: You can also watch and hear the predictions here on video.
1. From smart to smarter: automated and human-like attacks will demand more intelligent defense
Most malware is dumb. Sure, it might have evasion techniques built into it, and be good at hiding in the noise of a device or the network. But it is only programmed with a specific objective or set of objectives. A hacker simply points it at a target, and it either accomplishes its task or it doesn’t. Cybercriminals compensate for the binary nature of such malware in two ways; either through the time-intensive management of multiple tools to guide an attack to a specific target, or through volume. Send out enough malware, or have it replicate itself enough times, and it will eventually find itself loaded onto a device that it can exploit.
This is about to change.
Threats are getting smarter and are increasingly able to operate autonomously. In the coming year we expect to see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection.
For example: autonomous malware was used in the Central Bank of Bangladesh breach that learned wire transfer instructions. Investigators suspect that malicious software code designed to learn how to withdraw money was likely installed several weeks before the incident, which took place between Feb. 4 and Feb. 5, 2016, according to Bangladesh Bank officials.
This next generation of malware uses code that is a precursor to artificial intelligence, that replaces traditional ‘if not this, then that’ code logic with more complex decision-making trees. Autonomous malware operates much like branch prediction technology, which is designed to guess which branch of a decision tree a transaction will take before it is executed. A branch predictor keeps track of whether or not a branch is taken, so when it encounters a conditional jump that it has seen before it makes a prediction so that over time the software becomes more efficient.
Autonomous malware, as with intelligent defensive solutions, are guided by the collection and analysis of offensive intelligence, such as types of devices deployed in a network segment, traffic flow, applications being used, transaction details, time of day transactions occur, etc. The longer a threat can persist inside a host that better it will be able to operate independently, blend into its environment, select tools based on the platform it is targeting, and eventually, take countermeasures based on security tools in place.
Cross-platform “transformer” attacks
We will also see the growth of cross-platform autonomous malware designed to operate on and between a variety of mobile devices. These cross-platform tools, or “transformers,” include a variety of exploit and payload tools that can operate across different environments. This new variant of autonomous malware includes a learning component that gathers offensive intelligence about where it has been deployed, including the platform on which it has been loaded, then selects, assembles, and executes an attack against its target using the appropriate payload.
Transformer malware is being used to target cross-platform applications with the goal of infecting and spreading across multiple platforms, thereby expanding the threat surface and making detection and resolution more difficult. Once a vulnerable target has been identified, these tools can also cause code failure and then exploit that vulnerability to inject code, collect data, and persist undetected.
IMPACT: Autonomous malware, including transformers, that are designed to proactively spread between platforms can have a devastating effect on our increasing reliance on connected devices to automate and perform everyday tasks. It will require highly integrated and intelligent security technologies that can see across platforms, correlate threat intelligence, and automatically synchronize a coordinated response.
2. IoT manufacturers will be held accountable for security breaches
Increasing attacks targeting IoT devices is probably the safest prediction for 2017. With over 20 billion IoT devices online by 2020, versus one billion PCs, the math is pretty easy. And we are in the middle of a perfect storm around IoT: A huge M2M (machine-to-machine) attack surface, growing to over 20 billion connected devices, built using highly vulnerable code, and distributed by vendors with literally no security strategy. And of course, most of these devices are headless, which means we can’t add a security client or even effectively update their software or firmware.
Right now, attackers are having a lot of success simply exploiting known credentials, such as default usernames and passwords or hardcoded backdoors. And there is still a lot of low-hanging fruit to exploit in IoT devices beyond default passwords, including coding errors, back doors, and other vulnerabilities resulting from the junk code often being used to enable IoT connectivity and communications. Given their potential for both mayhem and profit, we predict that attacks targeting IoT devices will become more sophisticated, and be designed to exploit the weaknesses in the IoT communications and data gathering chain.
The rise of the Shadownet
We predict the growth of massive Shadownets, a term we use to describe IoT botnets that can’t be seen or measured using conventional tools. Right now, these Shadownets, such as the recent Mirai attack, are in their early stages, and are being used as blunt instruments to deliver unprecedented DDoS attacks. We believe, however, that these attacks were launched primarily to test the capabilities of these Shadownets. Since this is no longer a proof of concept threat, we are also predicting an increasingly sophisticated use of these swarms of compromised devices. The most likely first step will be targeted DDoS attacks combined with demands for ransom. Collecting data, targeting attacks, and obfuscating other attacks are likely to follow.
The IoT Deepweb
Concurrent with the growth of Shadownets will be the development of an IoT Deepweb. The Deepweb is traditionally that part of the Internet that is not indexed by search engines. We predict that Shadownets of compromised IoT devices will begin to be used for such things as temporarily storing stolen information, creating an IoT-based Deepweb. Swarm or P2P (peer-to-peer) tools will be used to surreptitiously store, manage, and access data across millions of devices. TOR-like functionality is likely to also be introduced, allowing IoT networks to be used to anonymize data and traffic.
Supply chain poisoning
Most IoT devices are designed to provide customized experiences for their owners, and collect marketing and use information for their manufacturers. Most of these companies, however, have no specialized technology skills. Instead, macroeconomics dictates that multiple vendors will buy IoT components from a single OEM vendor and simply plug them into whatever device they are selling. This means that a single compromise can be multiplied across dozens or even hundreds of different devices distributed by different manufacturers under multiple brand names and labels. We predict that these OEM vendors will be targeted and that an exploit will be used to compromise the supply chain of millions of devices.
IMPACT: IoT is a cornerstone of the digital revolution. IoT manufacturers have flooded the market with highly insecure devices. In addition to being compromised, millions of IoT devices could simply be disabled or “bricked.” This would lead to consumer help desks being overwhelmed and creating a denial of service attack on a targeted company.
One suggestion proposed by security experts in the EU is to attach a sticker to consumer IOT devices indicating whether they have met a certain level of security criteria. We already have this in the enterprise world, such as certification that a device meets Common Criteria standards, but there is currently no equivalent in the consumer realm.
While enterprises have a number of options available for managing many of the security issues that IoT devices and networks introduce, such as access control and network segmentation, consumers have few if any. If IoT manufacturers fail to secure their devices, the impact on the digital economy could be devastating should consumers begin to hesitate to buy them. We predict that unless IoT manufacturers take immediate and direct action they will not only suffer economic loss, but will be targeted with legislation designed to hold them accountable for security breaches related to their products.
3. 20 billion IoT and endpoint devices are the weakest link for attacking the cloud
The move to cloud-based computing, storage, processing, and even infrastructure is accelerating. Naturally, this expands the potential attack surface. Most cloud providers have responded by designing their networks with Layer 2 and 3 security technologies to segment the cloud between tenants, control access, and protect the cloud providers’ internal network from their public offering. More sophisticated security tools, like Next Gen Firewalls and IPS solutions, can be added and paid for by the tenant.
The weakest link in cloud security, however, is not in its architecture. It lies in the millions of remote devices accessing cloud resources. Cloud security depends on controlling who is let into the network and how much they are trusted. In this next year we expect to see attacks designed to compromise this trust model by exploiting endpoint devices, resulting in client side attacks that can effectively target and breach cloud providers.
The cloud is also being used to provide ubiquitous access to applications, resources, and services. Using this same client-side exploit, we expect to see the injection of malware into cloud-based offerings by compromised endpoint clients, a process known as cloud poisoning.
IMPACT: Businesses were initially slow to adopt cloud-based strategies precisely because they were concerned about the security of an environment they didn’t own or control. If the cloud-based environments and solutions they are now adopting are suddenly found to be untrustworthy, it could radically affect the current migration to the cloud and the resulting evolution of network infrastructures.
4. Attackers will begin to turn up the heat in smart cities
We are seeing a move towards smart cities in order to drive sustainable economic development, better manage natural resources, and improve the quality of life for citizens. Essential components of a smart city include such things as intelligent traffic control, on-demand streetlights, efficient energy management, and interconnected building automation. Building Automation Systems (BAS) provide centralized control of a building’s heating, ventilation, and air conditioning (HVAC) system, lighting, alarms, elevators, and other systems. Connecting these BAS platforms together will be a critical step towards building more tightly integrated and efficient smart cities.
The Olympic village being built for Japan’s 2020 games, for example, will include robots that guide visitors, instant language translation tools, self-driving cars, and integrated energy management through such things as centrally connected BAS technologies. Many of these services will extend into Tokyo as well, and will be used as a showcase for tomorrow’s smart cities. The interconnectedness of critical infrastructure, emergency services, traffic control, IoT devices (such as self-driving cars), and even things like voting, paying bills, and the delivery of goods and services will create unprecedented efficiencies in urban and even suburban environments.
The potential attack surface in such an environment is massive, including sensors, lighting, HVAC systems, fire alarms, traffic control, elevators, emergency systems, and more. The potential for massive civil disruption should any of these integrated systems be compromised is high, and are likely to be a high-value target for cybercriminals, cybervandals and politically motivated hacktivists.
We predict that as building automation and building management systems continue to grow over the next year that they will be targeted by hackers. We have already seen the compromise of the data of a large US retailer through the exploitation of its IP-enabled HVAC system. Like with the IoT DDoS attacks, these exploits will likely be blunt instrument attacks at first, such as simply shutting down a building’s systems. But the potential for holding a building for ransom by locking the doors, shutting off elevators, rerouting traffic, or simply turning on the alarm system is significant. Once this happens, taking control of centralized systems deployed across a smart city is not too far over the horizon.
IMPACT: The sorts of efficiencies that can be realized through the development of smart buildings and smart cities lie at the heart of the emerging digital economy. A significant disruption via cyber attack of this evolution will have serious, far-reaching economic consequences across multiple industries.
5. Ransomware was just the gateway malware
Holding high value assets hostage in exchange for some sort of payment is not new. Ransomware attacks have been in the news for the past couple of years, and no one expects them to go away any time soon. But the growth of ransomware-as-a-service (RaaS) in 2016 – where potential criminals with virtually no training or skills can simply download tools and point them at a victim, in exchange for sharing a percentage of the profits with the developers – means this high-value attack method is going to increase dramatically. According to some experts, the total cost of ransomware for 2016 is expected to top one billion dollars, and is expected to grow exponentially in 2017.
For 2017, we predict the following ransom-based trends
Higher costs for targeted attacks
We expect to see very focused attacks against high-profile targets, such as celebrities, political figures, and large organizations. In addition to simply locking down systems, these attacks are likely to include the collection of sensitive or personal data that can then be used for extortion or blackmail. We also expect to see the cost of ransom for these attacks to get much higher.
Automated attacks and IoT ransoming
There is a cost threshold for targeting average citizens and consumers that has traditionally prevented it from being cost-effective for attackers. How much will an individual pay to unlock their hard drive, or their car, or their front door, or have their fire alarm turned off? We predict that this limitation will be overcome in 2017 as automated attacks introduce an economy of scale to ransomware that will allow hackers to cost-effectively extort small amounts of money from large numbers of victims simultaneously, especially by targeting online IoT devices.
Continued targeting of healthcare
The ransom value of a kidnapped record is based on its ability to be replaced. For example, credit cards are easy to replace. It simply involves a phone call to the card issuer and a trip to the bank to get a new one. Patient records and other human data difficult, however, are difficult if not impossible to replace. These records also have higher value because they can be used to establish fraud.
Unless they get serious about security, we predict an increase in the number of healthcare organizations that will be targeted for ransom-based attacks. We should also see an increase in the targeting of other businesses that collect and manage human data, such as law firms, financial institutions, and government agencies.
IMPACT: Ransomware affects everyone. Organizations that are impacted by ransomware and other ransom-based attacks, especially if personal information is impacted, need to be held accountable for not being adequately prepared, beyond fines that can be rolled into the cost of doing business. At the consumer level, once ransom attacks on IoT devices are made public, without assurances that devices are protected against ransom attacks, consumers will be reluctant to adopt new connected devices, thereby slowing down an already sluggish global economy.
6. Technology will have to close the gap on the critical cyber skills shortage
A fundamental aspect of the growth of the digital economy is that previously unconnected businesses now need to be online or they will die. This demand for connectivity, and the need to address its associated risks, will create serious challenges for emerging countries, traditionally disconnected markets, and smaller companies adopting digital business strategies for the first time.
The current shortage of skilled cybersecurity professionals means that many organizations looking to participate in the digital economy will do so at great risk. They simply do not have the experience or training necessary to develop a security policy, protect critical assets that now move freely between network environments, or identify and respond to today’s more sophisticated attacks.
For many, their first response will be to buy traditional security tools, such as a firewall or IPS device. But tuning, integrating, managing, and analyzing these devices requires specialized training and resources. And increasingly, such tools are inadequate for securing highly dynamic and widely distributed networks.
We predict that savvy organizations will instead turn to security consulting services that can guide them through the labyrinth of security, or to managed security services providers, like MSSPs, who can provide a turnkey security solution, or they will simply move the bulk of their infrastructure to the cloud where they can simply add security services with a few clicks of a mouse.
Security vendors will need to respond to these changes by doing the following:
Design and build cost-effect and easy to manage SOCs (security operations center) for MSSPs and other security service providers to protect the millions of companies moving into the digital economy without the skills or technology needed to protect themselves. This needs to include either managed solutions for smaller companies, or “SOC-In-A-Box” solutions for larger enterprises that integrates threat intelligence, such as SIEM and CTI platforms, with visibility and actionable threat intelligence tools for autonomous protection.
Simplify the control and orchestration of security offerings, regardless of whether they are deployed locally or through a cloud service, through an integrated, single-pane-of-glass management and analysis interface, and where possible, a single underlying OS.
Build virtualized tools that can be implemented in private and public cloud environments, yet centrally managed and orchestrated with physical devices for consistent security across multiple domains
Build specialized security tools to be used locally (such as email or web security devices) that can be integrated with services-based security offerings
Enable more strategic approaches to security beyond point solutions, such as internal segmentation or automated universal policy to stay ahead of the threat landscape. Customers want integrated security strategies to address the full spectrum of challenges across the attack lifecycle.
IMPACT: Security vendors need to rethink their traditional, siloed approach to developing security tools. The historical goal has been to build a fortress against an invisible enemy. But with highly fluid, multi-platform networks, that approach needs to change. Today’s security needs to START with visibility, and then dynamically build an integrated and adaptable security framework around that intelligence. Vendors that cannot adapt to the scope and scale of the borderless digital economy, and the evolving requirements of today’s digital businesses, will fail.