Mark McArdle, CTO at cyber security company eSentire, along with Ben Hammersley, BBC journalist and technologist, recently compiled a list of 2017’s top IT security predictions and trends focusing on DDoS attacks, ransomware, cyber weaponry, and phishing-based attacks.
Read on for part 1 of this 4 part series to find out more about these predictions, how they directly impact small and mid-sized businesses, and what steps organizations can take to protect their networks from new and emerging threats.
Here’s a sneak peek at the trends that will be discussed:
#1: DDoS Attacks
While these attacks don’t (usually) yield devastating effects, they can be disruptive, particularly when it comes to organizations reliant on web traffic. Becoming a DDoS attack target isn’t fun, but neither is unknowingly participating in a DDoS attack against another network. There are a number of measures businesses can take to help guard against both scenarios.
#2: Ransomware
This throwback attack technique skyrocketed last year to become one of the most used and highly effective cyber-attack tools. Ransomware’s popularity won’t wane in 2017. In fact, we think that ransomware will evolve at a rapid and more sophisticated pace, morphing into somewhat of an internally-focused, disabling DDoS-style attack, with potentially crippling results.
#3: Cyber Weaponry
With an increase in nation-state attacks, expect to see cybercriminals adopt and adapt similar weaponry for attacks targeting small and mid-sized enterprise.
#4: Phishing-based Attacks
Phishing and business email compromise aren’t new, however these attacks will continue to plague businesses this year. Expect attackers to use more sophisticated veils and malicious attachments. Awareness is imperative – businesses who fail to invest in employee awareness training will find themselves at greater risk for phishing-based attacks.
#1: DDoS Attacks
While these attacks don’t (usually) yield devastating effects, they can be disruptive, particularly when it comes to organizations reliant on web traffic. Becoming a DDoS attack target isn’t fun, but neither is unknowingly participating in a DDoS attack against another network. There are a number of measures businesses can take to help guard against both scenarios.
DDoS attacks certainly stepped up in 2016 – we saw them used by hacktivists to affect someone’s ability to communicate (like the case of a well-known security blogger) and companies alike – and the trend will continue into 2017.
One of the striking things we discovered in the past year is that the botnets used to initiate DDoS attacks are actually commercial services that you can engage. Basically, it’s a payment model that allows you to pick a particular target and take them offline for a few hours, and it’s indicative of how evil some of the bad actors are becoming.
As an industry, we focus too much on malware. For example, some of the other mechanisms that we’ll discuss in the latter part of this series, like ransomware, are backed by commercial entities that don’t have the same moral compass that good citizens do. Robbing banks has evolved into people with political, business, or personal agendas walking into a cyber café, buying a hacking service with bitcoin, and satisfying themselves through these capabilities. This is something we’re going to see a lot more of. The internet itself was initially designed for collaborative users – meaning, it was designed as an infrastructure that was supposed to be resilient against backhoes cutting telephone lines, not malicious users trying to break the system.
The challenges we all face as technologists in trying to harden the internet are largely caused by having to bolt on, architecturally, things that harden the core infrastructure against abuse and DDoS attacks. It’s a great example of how the underlying capabilities of the TCP/IP protocol suite facilitate this kind of abuse; the response has been to have internet traffic filtered by large cloud services organizations that can provide effective filtering during an attack, yet these businesses largely exist because of this malicious activity.
Commercial services seem to be the general trend for all cybersecurity – you can see vulnerabilities, attacks, and the various methods of being a criminal filtering down over the years. For example, what started as a zero-day attack and was particularly elite is now more of a middle-of-the-road technique. A few years from now it will be easily searchable on Google by a twelve-year-old who can also put it into practice. DDoS attacks are one of those things: five, six, or seven years ago they would have taken a good deal of effort and expertise to carry out, but today anyone with a grudge who knows the right terms to Google and knows where to buy bitcoin can put one into action. With this, we start seeing a democratization of DDoS. We think the future of this will be on the same level as petty crime and low-ranking offences – it won’t even necessarily be professional criminals setting up these attacks, but just “not nice” people doing it against their foe. It’s a real worry, especially when we look at all the new technologies we connect to the network, which are themselves vulnerable and usable as DDoS attack vectors.
For example, all of the IoT devices that people hang off their networks (which are themselves insanely vulnerable to being captured and used by someone else as part of a botnet) are going to make the whole situation worse. Over the next few years, we don’t think we’ll see many huge attacks, just millions of little attacks that make things incredibly annoying for people and organizations alike – kind of like mosquitoes.
The IoT piece is an important one because of the disposable nature of the tech we have, especially the consumer markets, which makes it really hard for vendors of IoT devices to put additional efforts forth into securing them. If you’re going to buy a $20 device that makes your doorbell do something funny, how much extra will you be willing to pay to make that device be updated remotely, or to have a security capability built more on real technologies than something quickly cobbled together to get it out the door? Something we all have as consumers is the ability to drive that behavior in order to get the industry to change. However, we feel it’s very unlikely this will happen as consumers really take for granted the responsibility for these devices, and we doubt the vendors, out of altruistic interest, will make things better either. Couple this with the source of botnets and it’s going to continue to get bad.
Additionally, it’s not just the consumer’s fault here, but all the way down the supply chain. These super cheap IoT devices come from factories which buy components from other factories. So you have this long supply chain before you get back to the original silicon designer, or the original firmware author, and so on, which makes it quite difficult to actually know who has the final capability or the final responsibility to fix the bugs in that firmware, or fix the design of that silicon. So, whose fault is it? Who is actually responsible? It’s likely some firmware author ten thousand miles away…and ten years ago!
This is not something easily fixed, as it requires attitude changes from some of the lowest component design guys, all the way to the IoT marketing people and how they’re going to position their products. And of course, there are those of us who buy them. What are we going to say with our wallets to drive the priority of security of these things?
Looking ahead, we’re starting to see the realization that these attacks, which we’ve previously seen on large and prominent targets, can now be used against your very small business, your local window cleaner, your rival down the high street, or even your horrible ex – whatever it is, it comes down to a sort of street-level rivalry. How we get out of it is not necessarily a technological fix on its own, but a social, political, and legal fix as well. Things like DDoS attacks have to be seen as attacks on the common infrastructure and treated much more harshly than they currently are.
#2: Ransomware
This throwback attack technique skyrocketed last year to become one of the most used and highly effective cyber-attack tools. Ransomware’s popularity won’t wane in 2017. In fact, Mark and Ben agree that ransomware will evolve at a rapid and more sophisticated pace, morphing into somewhat of an internally-focused, disabling DDoS-style attack, with potentially crippling results.
We touched a little bit on our next prediction for 2017 in part 1 – the significant rise in ransomware attacks.
Ransomware is a very lucrative attack vector. Basically a commercial software package, with an economic model and fantastic end-user support, its brand promise is largely kept – if you pay, you’ll get your data back. In a bizarre twist of morality, malware companies and authors are incentivized to make sure you depart a happy customer and get your data back once you’ve paid the ransom. This model has accelerated dramatically within the last few years and we see ransomware in concert with phishing as the primary recipe for these attacks.
This is something we are seeing over and over again and will continue to see. Companies hit by a ransomware attack often wonder why their firewalls and antivirus didn’t stop it, and the reality is that the malware and ransomware authors simply move too fast – signatures can’t keep up, so the focus really needs to be on watching for early signs of trouble instead: the ability to watch for downloads and command-and-control activity, deep visibility into the endpoint, and the ability to take action when needed to try and stop the attack. This is a nasty problem because the moves malware authors make now don’t tip their hand until the damage is done – they don’t have to go back to the command-and-control server to do a key exchange. Instead, they do everything locally, so after that initial download they already have full leverage over you – your data is encrypted, or well into the process of being encrypted, before any third party can intercede. This works because it continues to make money for the bad guys; we see it continuing to be a very healthy attack vector.
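The early-warning signals named above (a fresh download, a command-and-control connection, and a burst of local file writes before anyone can intervene) can be expressed as simple endpoint detection logic. The following is an added example, not code from the article or from eSentire: it runs two heuristics over a constructed endpoint event log in a hypothetical "timestamp process action argument" format, flagging a freshly downloaded binary that makes an outbound connection and any process that writes an unusual number of files within a short window. Thresholds, paths and the log format are assumptions for illustration.

```python
"""Rate- and sequence-based ransomware early-warning heuristics (added example)."""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample endpoint log (not real data). Format assumed for this example:
#   <ISO timestamp> <process> <action> <argument>
# Actions: download <path>, connect <ip:port>, write <path>.
SAMPLE_LOG = r"""
2017-01-16T16:55:00 winword.exe write C:\Users\ann\Documents\contract.docx
2017-01-16T16:58:30 winword.exe write C:\Users\ann\Documents\notes.docx
2017-01-16T17:00:01 outlook.exe download C:\Users\ann\AppData\Local\Temp\inv0ice.exe
2017-01-16T17:00:03 inv0ice.exe connect 203.0.113.7:443
2017-01-16T17:00:04 inv0ice.exe write C:\Users\ann\Documents\contract.docx.locked
2017-01-16T17:00:04 inv0ice.exe write C:\Users\ann\Documents\notes.docx.locked
2017-01-16T17:00:05 inv0ice.exe write C:\Users\ann\Documents\budget.xlsx.locked
2017-01-16T17:00:05 inv0ice.exe write C:\Users\ann\Pictures\holiday.jpg.locked
2017-01-16T17:00:06 inv0ice.exe write C:\Users\ann\Desktop\README_DECRYPT.txt
2017-01-16T17:00:06 inv0ice.exe write C:\Users\ann\Desktop\clients.csv.locked
"""

BURST_WRITES = 5                  # assumed threshold: writes per window that look like mass encryption
WINDOW = timedelta(seconds=10)    # assumed sliding window for the write-burst heuristic


def detect(log_text, burst_writes=BURST_WRITES, window=WINDOW):
    """Return a list of (timestamp, process, kind, detail) alerts, at most one per process and kind."""
    downloaded = set()                  # basenames of executables seen in download events
    recent_writes = defaultdict(deque)  # process -> timestamps of its writes inside the window
    alerted = set()
    alerts = []
    for raw in log_text.strip().splitlines():
        ts_text, proc, action, arg = raw.split(" ", 3)
        ts = datetime.fromisoformat(ts_text)
        if action == "download":
            downloaded.add(ntpath.basename(arg).lower())
        elif action == "connect" and proc.lower() in downloaded:
            # Heuristic 1: a binary that was just downloaded is phoning home.
            key = (proc, "c2-suspect")
            if key not in alerted:
                alerted.add(key)
                alerts.append((ts_text, proc, "c2-suspect",
                               f"freshly downloaded binary connected to {arg}"))
        elif action == "write":
            # Heuristic 2: too many file writes by one process inside the window.
            q = recent_writes[proc]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            key = (proc, "write-burst")
            if len(q) >= burst_writes and key not in alerted:
                alerted.add(key)
                alerts.append((ts_text, proc, "write-burst",
                               f"{len(q)} file writes within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(" | ".join(alert))
```

On the constructed log the downloaded `inv0ice.exe` is flagged twice, first for the outbound connection two seconds after download and then at its fifth write inside the ten-second window; the two Word document saves minutes apart never reach the threshold. Real deployments tune the window and count per role, since build servers and backup agents legitimately write in bursts.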
More interestingly and more recently, what we’ve seen with malware attacks is that instead of just attacking end user work stations, we’re seeing internet services specifically attacked, as well as technologies that run a lot of big internet service providers due to very poor hygiene by those that set those services up. This provides a new and interesting attack vector. It’s not just go and encrypt a bunch of laptops, which is painful enough, but imagine ransomware that goes for the big data – things like encrypting index files or doing something that causes significant pain or interruption to your business over your entire user base.
Previously, ransomware attacks were against employees at very large targets, or you had more of the viral, individual ransomware-type attacks against unsuspecting downloaders. We think we’re going to start seeing more middle-ground attacks, where ransomware is bought “off the shelf” from the dark market and used against someone’s rivals. As we mentioned in part 1 of our series, these attacks will be against the small two-, three-, four-, or five-person firms who are attacked by their rivals down the street, or by low-ranking criminals who only want to get a few thousand dollars at a time. This democratization is what’s super worrying, because if you are a large company, you likely have the resources, in-house knowledge, or at least the understanding that there are services available that employ security experts. But if you’re a three-person law firm, doing property law in a medium-sized town, and suddenly all of your files are encrypted, the clock is ticking for the survival of your business, and that clock ticks very, very quickly.
Essentially every business needs to have two (computer) machines on their desk. Whether you’re a law firm, design firm, financial firm, etc. – if you are an information-centric business that has business-critical data on your machine, and that machine can touch the rest of the world, then you run a very big risk of your entire business going away, or at least being scrambled for ransom at any time, because of the difficulty of protecting yourself against this stuff. Governments do this regularly – they have a segmented, secure private network, and then a “dirty” network that may be connected to the internet. But then the practical challenges of that become real. Ultimately, you need to pull down updates that may only be available through the internet, and at the same time you don’t want them to come straight from the internet, so you download them onto a laptop, copy the update to a USB key, and walk over to the highly secure system on the private network to do the update. As we have seen with Iran and their experience with their centrifuge labs, there’s really no practical way to completely air-gap a network unless you never change its state – you never allow any bits that were on the outside, or anything physically connected to the outside, to ever touch anything on the inside.
However, the above is unrealistic – and people (employees) hate it. In many ways, we need to use the internet. At the same time, having your data on the machine and your business air-gapped away from the world is also disastrous. This puts us in a bind, because it comes down to a whole combination of digital security, of best practices, of social education, and also political and legal transformation, and what makes this stuff super, super, super bad is that it’s critical national infrastructure. If somebody is maliciously encrypting data at any business, it’s the same thing as pouring small bottles of poison into the reservoir – it won’t do the general population any harm, but the spirit behind it is really bad. It’s time for these things to be taken much more seriously, because in the long run, ransomware is seen as something of a joke rather than a very serious attack on the economy. Many people look at it and say, “Oh this won’t happen to me, it’ll happen to someone else” and then it does.
In summary, ransomware is going to continue to be a big problem in 2017. It’s going to accelerate because it is a highly effective means of stealing money from people and will continue the way it is as long as people rely on their traditional defenses. We need to stay vigilant as an industry, and as a society, because the free flow of information is the backbone of not just business, but of democracy, and everything we take for granted.
#3: Cyber Weaponry
With an increase in nation-state attacks, expect to see cybercriminals adopt and adapt similar weaponry for attacks targeting small and mid-sized enterprise.
This isn’t so much a prediction as it is an acknowledgement of what we’ve seen in the past, where advanced, new capabilities from very organized, highly skilled, non-governmental hackers become known to everyone else – the good guys and the bad guys. It trickles down into other hands, and those hands either use it to identify ways to remedy and prevent those attacks, or use it for evil, refactoring those techniques and capabilities into new attacks.
The nation state activity we saw in 2016, especially with Russia and the DNC – is really a new territory for us all. We are now able to make a compelling argument that the U.S. and Russia have an undeclared war that is being fought in cyberspace today. The notion of a proportional response hasn’t really been figured out yet and that’s why we struggle in understanding what the response to the DNC hack is when we had President Obama saying things like, “at the time and place of our choosing”… what?
We are currently at a place where we aren’t sure how this game is going to evolve, and obviously the stakes are enormously high. We’ve got two superpowers with nuclear capabilities and no one wants to think of an escalation that leads to actual physical warfare, but the net effect on the rest of us, aside from mutually shared destruction online, is that the tooling and capabilities that we see these large powers using will eventually find their way into attack vectors and weapons that are used against the small, mid, and large enterprise.
Years ago, we read about cyber warfare in novels, and now we’re living it. The real issue is the proliferation of this stuff – to countries and organizations that don’t necessarily have the restraint of a large nation state. While the news coverage gives us a superficial view of this challenge, the tooling we’re seeing come out, and the forensics we are getting (e.g. CrowdStrike’s investigation into the DNC hack) – the multiple tiers of capabilities deployed (things like steganography being used in concert with a Twitter account, etc.) – it’s becoming cloak-and-dagger, spook-like stuff that really shows tradecraft – it’s very advanced.
What’s so interesting about some of these techniques is the way they can spread, and fast. With cyber weaponry, it only needs to leak once and then the source code or technique is out there for everybody to have. That enhanced speed of distribution makes it even more volatile.
The proliferation of the technique is a terrifying thing and we will likely see more of it, especially from countries, or even groups of individuals, that don’t have rigid command and control, where they can easily start using it for their own particular purposes. It’s a whole new era in terms of warfare and we really have to learn how to come to terms with it as a society.
#4: Phishing-based Attacks
Phishing and business email compromise aren’t new, however these attacks will continue to plague businesses this year. Expect attackers to use more sophisticated veils and malicious attachments. Awareness is imperative – businesses who fail to invest in employee awareness training will find themselves at greater risk for phishing-based attacks.
Humans are buggy. They are a terrible system for ensuring that the proper actions are taken in response to an email, and those bugs manifest themselves in ways like being distracted. We are busy people; we’ve got lots of conflicting needs of our time and attention. We’re late for the next meeting, our boss is on us for a new report, etc. Being busy means we’re always in a hurry and distracted, which means our defenses are typically down. Layer on some of our human DNA flaws (i.e. sometimes we’re greedy, sometimes we want something that seems too good to be true, etc.) and we fall for it. All those “bugs” put together equals a wonderful attack surface for social engineers, and phishing is essentially an extension of social engineering, relying on our base flaws to be successful.
Phishing is often used in a very cynical and powerful way where a hacker will impersonate an executive at 10 minutes to 5 on a Friday and order a new wire transfer because of a deal that’s being done and if it doesn’t get out right away, the deal could be lost. Depending on the culture of that organization and the moral fortitude to say, “Hold on or slow down,” by the person involved, those attacks will either be spectacularly successful for the attacker or be thwarted by someone who takes pause to see if this circumvents the checks and controls in place.
These types of targeted attacks are often performed over a longer period of time, during which surveillance and reconnaissance are accomplished. This is where business email compromise comes into play – where an attacker can, through phishing, manage to get the credentials to an executive’s mailbox. From there, he may not even do anything for several weeks other than watch the cadence of the executive’s email conversations – who he’s speaking to, how he speaks to certain people, even how he signs his emails. Is he a good speller or a bad speller? Those attributes become the basis of an attack, where the email looks legit and the attacker may even know things about the CEO he’s impersonating. They do their homework and we’ve seen this play out numerous times. The bad guys have the benefit of trying this out lots of times, and while they may fail a lot of the time, they only need to win once to get that big payday from the one victim that falls for the trap.
We always hear about how spammers are stupid because of the “bad grammar” in spam, but these are not stupid people… so why are spam emails badly spelled?
If you look in your junk mail files, you’ll find plenty of quite obvious phishing attacks – mainly because of misspellings. However, the reason behind this is actually quite insightful once you understand it – it’s done on purpose.
Sending out millions of phishing emails is simple and cheap, but once they start engaging with a potential victim, the costs start to rack up for the criminal. The worst possible case for the criminal is a potential victim who goes 4-5 weeks into the process and then realizes it’s a con. So criminals have started filtering their victims for intelligence. Super intelligent and vigilant people are never even going to engage with criminals, so the criminal targets the “moderately intelligent” – those who may overlook a spelling error, or who are not very well versed in grammar themselves – as a way to make the sales-prospect pipeline more efficient. These criminals are very sophisticated and rooted in psychology, persuasion, and human nature as the vector for delivering their attacks, ending up with a pool of really willing victims.
The only other way around this, other than identifying a malware component that might have a signature, is to practice incredibly good digital hygiene and have very strong checks and balances in place, but people don’t like doing that because it’s a pain. Nevertheless, this is now the environment we live in, and if you could be a victim of phishing and could be persuaded to transfer large sums of money out of your business to somebody else’s account, then this is something that needs to be thought about constantly – either on an hourly basis or with every transaction.
We’ve seen effective reductions in the likelihood of people being subject to phishing attacks, but as a society, we’re never going to be able to drive this down to zero, just because of the nature of email itself and the inherent limitations on restricting that kind of access. This is a hard problem we haven’t managed to solve yet, but there are things we can do within our organizations to reduce the likelihood that we are going to be compromised.
Just looking at some basic hygiene things – often, organizations let their users have admin rights to local systems, but right away, that’s just asking for trouble. We want to reduce the attack surface by layering on effective content filtering to detect certain techniques used in emails. At the end of the day, these attacks will continue to happen and organizations need to step up and make sure their folks are armed with the awareness to hover and pause before clicking. But until people stop clicking on links in emails, we’re always going to be discussing this year after year. We’re stuck with it; we just have to try to make it safer.
Awareness training helps drive this home and it needs to be repeated because humans forget things. It’s imperative to reinforce the message that when you get a link from somebody, hover over it, double check the address, don’t click it right away, make sure it’s legitimate. The human nature of being in a hurry and being distracted is exactly what the bad guys count on.
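The "hover over the link and double-check the address" habit, together with the content filtering mentioned for business email compromise (an impersonated executive whose mail actually comes from, and replies to, an outside domain), can be automated as a mailbox-side check. The following is an added example, not code from the article or from eSentire: using only the Python standard library, it parses a constructed raw message, compares the sender’s display name against a hypothetical executive directory, checks whether Reply-To points at a different domain than From, and flags anchors whose visible text looks like one address while the href goes somewhere else. The organisation domain, the directory and both sample messages are constructed for illustration.

```python
"""Mailbox-side phishing / BEC indicators over a constructed message (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                            # assumed: the defending organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed directory: display name -> real address

# Constructed suspicious message: spoofed display name, off-domain Reply-To, mismatched link.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@example-payments.net>
Reply-To: ceo.urgent@mail-relay.biz
To: accounts@example.com
Subject: Urgent wire before 5pm
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Need this wire out before close, the deal depends on it. Confirm at
<a href="http://203.0.113.10/portal">https://portal.example.com/wires</a>.</p>
</body></html>
"""

# Constructed benign message from the real executive address, with an honest link.
BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch menu
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://portal.example.com/menu">portal.example.com</a></p></body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain, without scheme, path or port."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def check_message(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append(f"display-name spoofing: '{name}' but sender is {addr}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            # Only compare when the visible text itself looks like a URL or domain.
            if "." in text and " " not in text and _host(text) != _host(href):
                findings.append(f"link mismatch: shows '{text}' but goes to {_host(href)}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
    print("benign findings:", check_message(BENIGN_MESSAGE))
```

The link check deliberately ignores anchors whose text is ordinary words such as "click here"; those are handled better by URL reputation or by the hover-and-pause habit the training teaches. The display-name check depends on maintaining the executive directory, which in practice comes from the corporate address book rather than a hard-coded dictionary.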
Another important thing, but very basic and not as widely employed as it needs to be, is multi-factor or two-factor authentication. When we see big breaches that involve Yahoo and a billion user accounts it’s really a shame, because most of the big providers have had two-factor authentication for a long time, but most users don’t even turn it on. It may be a combination of lack of awareness and understanding, but also the provider not guiding them down that path more aggressively. It’s imperative that we take responsibility for the cyber security of our organizations, especially when dealing with things like cloud services, because if all it takes to access your Salesforce account or Office365 account is a successful phishing campaign to cough up your CEO’s username and password, it’s hard to argue that you’re doing an effective job of managing cyber security and the attack surface.
In the end, the traditional approach to keeping bad things out of your network just doesn’t work, because the bad guys move faster than the good guys can keep up with. However, things like managed detection and response help figure out what those “gray” signals mean and take action on them if needed – is that new connection coming from an endpoint that just downloaded something a command-and-control connection? With managed detection and response, human analysts have these amazing tools to investigate these things in real time, respond to threats as they arise, and help raise a company’s cybersecurity maturity by helping them evolve and reduce their attack surfaces.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.