Guest written by: Alain Penel, Regional Vice President – Middle East, Fortinet
With the growth and pervasiveness of online devices and digital tools, we reached a critical tipping point in 2016. The need for accountability at multiple levels is urgent and real and affects us all. If something isn’t done, there is a real risk of disrupting the emerging Digital Economy.
The rise of the digital economy is not just changing how organizations conduct business. The effects of this “fourth industrial revolution” are far more pervasive, and the speed of change is unprecedented. Slamming the brakes on a global economy in the middle of such a transition could be devastating. The vendors, governments, and consumers driving this change need to step up and be accountable for making sure that doesn’t happen. Cybersecurity is a strategic decision in all of these scenarios. It won’t be easy.
From smart to smarter: automated and human-like attacks will demand more intelligent defense
Most malware is dumb. Sure, it might have evasion techniques built into it, and be good at hiding in the noise of a device or the network. But it is only programmed with a specific objective or set of objectives. An attacker simply points it at a target, and it either accomplishes its task or it doesn’t. Cybercriminals compensate for the binary nature of such malware in two ways: through the time-intensive management of multiple tools to guide an attack to a specific target, or through sheer volume. This is about to change.
Threats are getting smarter and are increasingly able to operate autonomously. In the coming year we expect to see malware designed with adaptive, success-based learning to improve the efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection. We will also see the growth of cross-platform autonomous malware designed to operate on and between a variety of mobile devices.
Autonomous malware, including “transformers” designed to spread proactively between platforms, could have a devastating effect given our increasing reliance on connected devices to automate and perform everyday tasks. Countering it will require highly integrated and intelligent security technologies that can see across platforms, correlate threat intelligence, and automatically synchronize a coordinated response.
IoT manufacturers will be held accountable for security breaches
An increase in attacks targeting IoT devices is probably the safest prediction for 2017. With over 20 billion IoT devices expected online by 2020, versus one billion PCs, the math is pretty easy. Most of these IoT devices are headless, which means we can’t add a security client or even effectively update their software or firmware. We predict that attacks targeting IoT devices will become more sophisticated, and will be designed to exploit weaknesses in the IoT communications and data-gathering chain.
We predict the growth of massive Shadownets, a term we use to describe IoT botnets that can’t be seen or measured using conventional tools. Right now, these Shadownets are being used as blunt instruments to deliver unprecedented DDoS attacks. The most likely next step will be targeted DDoS attacks combined with demands for ransom.
Concurrent with the growth of Shadownets will be the development of an IoT Deepweb. The Deepweb is traditionally that part of the Internet that is not indexed by search engines. We predict that Shadownets of compromised IoT devices will begin to be used for such things as temporarily storing stolen information, creating an IoT-based Deepweb. Swarm or P2P (peer-to-peer) tools will be used to surreptitiously store, manage, and access data across millions of devices. Tor-like functionality is also likely to be introduced, allowing IoT networks to be used to anonymize data and traffic.
Most IoT devices are designed to provide customized experiences for their owners, and to collect marketing and usage information for their manufacturers. Most of these companies, however, have no specialized security or technology skills. Instead, macroeconomics dictates that multiple vendors buy IoT components from a single OEM and simply plug them into whatever device they are selling. This means that a single compromise can be multiplied across dozens or even hundreds of different devices distributed by different manufacturers under multiple brand names and labels. We predict that these OEM vendors will be targeted and that an exploit will be used to compromise the supply chain of millions of devices.
IoT is a cornerstone of the digital revolution, yet IoT manufacturers have flooded the market with highly insecure devices. In addition to being compromised, millions of IoT devices could simply be disabled or “bricked.” This would overwhelm consumer help desks, effectively creating a denial-of-service attack on the targeted company.
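The fan-out described above can be measured rather than guessed at. The following is an added example, not code from the article or from Fortinet: it keys an inventory of extracted firmware components on the hash of the shipped binary blob (not on the name or version string, which brands routinely re-label) and reports which brands share a blob and how many models a single flaw in it would reach. The brands, models, component names and hashes are all constructed for illustration.

```python
"""Added example, not from the article: estimate how far one flaw in a shared
OEM component fans out across brands that repackage the same firmware blob.

Everything here is constructed: the brands, models, component names and the
hashes (derived from made-up tags rather than real extracted binaries)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str      # component name as labelled inside the image
    version: str   # version string (brands sometimes re-label these)
    sha256: str    # hash of the binary blob actually shipped


def _fake_hash(tag: str) -> str:
    """Stand-in for hashing a real extracted blob; the tags are invented."""
    return hashlib.sha256(tag.encode()).hexdigest()


# Constructed inventory: (brand, model) -> components found in its firmware.
FIRMWARE = {
    ("AcmeCam", "AC-100"): [
        Component("httpd", "1.2", _fake_hash("oem-httpd-1.2")),
        Component("rtspd", "0.9", _fake_hash("oem-rtspd-0.9")),
    ],
    ("BetaVision", "BV-7"): [
        Component("web", "2.0-bv", _fake_hash("oem-httpd-1.2")),  # re-labelled, same blob
        Component("rtspd", "1.0", _fake_hash("oem-rtspd-1.0")),
    ],
    ("GammaHome", "GH-2"): [
        Component("httpd", "1.2", _fake_hash("oem-httpd-1.2")),
        Component("zigbee", "3.1", _fake_hash("gamma-zigbee-3.1")),
    ],
    ("DeltaNet", "DN-R1"): [
        Component("httpd", "1.3", _fake_hash("oem-httpd-1.3")),
    ],
}


def shared_blobs(firmware):
    """Blob hash -> set of brands shipping that exact blob, for blobs in >1 brand.

    Keying on the hash rather than name/version catches re-labelled components."""
    brands_by_hash = defaultdict(set)
    for (brand, _model), comps in firmware.items():
        for comp in comps:
            brands_by_hash[comp.sha256].add(brand)
    return {h: b for h, b in brands_by_hash.items() if len(b) > 1}


def blast_radius(firmware, vulnerable_sha256):
    """All (brand, model) pairs whose image contains the vulnerable blob."""
    return sorted(
        key for key, comps in firmware.items()
        if any(c.sha256 == vulnerable_sha256 for c in comps)
    )


if __name__ == "__main__":
    for h, brands in shared_blobs(FIRMWARE).items():
        print(f"{h[:12]}... shipped by {sorted(brands)}")
    # Suppose the OEM's httpd 1.2 blob turns out to be flawed:
    print(blast_radius(FIRMWARE, _fake_hash("oem-httpd-1.2")))
```

Run against a real inventory, `shared_blobs` is the list of components whose single patch (or single exploit) matters most, and `blast_radius` is the notification list for an advisory; note that DeltaNet's httpd 1.3 is a different blob and correctly stays out of the 1.2 result.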
While enterprises have a number of options available for managing many of the security issues that IoT devices and networks introduce, such as access control and network segmentation, consumers have few if any. If IoT manufacturers fail to secure their devices, the impact on the digital economy could be devastating should consumers begin to hesitate to buy them. We predict that unless IoT manufacturers take immediate and direct action they will not only suffer economic loss, but will be targeted with legislation designed to hold them accountable for security breaches related to their products.
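Because headless devices cannot run an agent, the controls the text mentions (access control and segmentation) have to live in the network. The block below is an added example, not code from the article or from Fortinet, showing both halves of that on constructed flow records: a per-class egress allowlist for an IoT VLAN that also blocks lateral movement into the user VLAN, and a simple check for the Shadownet symptom from the earlier section, several headless devices pushing large volumes at one external target. The subnets, gateway address, device inventory, allowlist, thresholds and flow sample are all assumed.

```python
"""Added example, not from the article: enforce a segmentation policy for a
headless-IoT VLAN from the network side, and spot devices acting as DDoS sources.

The subnets, device classes, allowlist, thresholds and flows are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed IoT VLAN
LAN_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed user/server VLAN
GATEWAY = ipaddress.ip_address("10.20.0.1")      # assumed DNS/NTP for the IoT VLAN

# Assumed inventory: the class of each IoT device, and the only external
# (dst, port) pairs that class legitimately needs to reach.
DEVICE_CLASS = {
    "10.20.0.11": "camera",
    "10.20.0.12": "camera",
    "10.20.0.13": "thermostat",
    "10.20.0.14": "camera",
}
ALLOWED_EGRESS = {
    "camera": {("203.0.113.10", 443)},
    "thermostat": {("198.51.100.20", 443)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def check_flow(flow):
    """Return a violation reason for an IoT-originated flow, or None if allowed."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_NET:
        return None                                  # policy covers IoT sources only
    if dst == GATEWAY and flow.dport in (53, 123):
        return None                                  # DNS / NTP to the local gateway
    if dst in LAN_NET:
        return "lateral: IoT device reached the user/server VLAN"
    cls = DEVICE_CLASS.get(flow.src)
    if cls is None:
        return "unknown device on IoT VLAN"
    if (flow.dst, flow.dport) not in ALLOWED_EGRESS[cls]:
        return f"egress to non-allowlisted {flow.dst}:{flow.dport}"
    return None


def violations(flows):
    """(src, reason) for every flow the policy rejects, in input order."""
    out = []
    for f in flows:
        reason = check_flow(f)
        if reason:
            out.append((f.src, reason))
    return out


def ddos_sources(flows, min_devices=3, min_total_bytes=1_000_000):
    """External (dst, port) pairs hit by several IoT devices with large outbound volume.

    A bot herd shows up as many headless devices pushing traffic at one target;
    the thresholds are illustrative and must be tuned to the network's baseline."""
    per_target = defaultdict(lambda: defaultdict(int))
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in IOT_NET and dst not in LAN_NET and dst != GATEWAY:
            per_target[(f.dst, f.dport)][f.src] += f.nbytes
    return {
        target: sorted(devs)
        for target, devs in per_target.items()
        if len(devs) >= min_devices and sum(devs.values()) >= min_total_bytes
    }


# Constructed flow sample: one normal upload, one DNS lookup, one lateral move,
# one unknown device, and three cameras flooding the same external web server.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "203.0.113.10", 443, 40_000),
    Flow("10.20.0.12", "10.20.0.1", 53, 120),
    Flow("10.20.0.13", "10.10.0.5", 445, 3_000),
    Flow("10.20.0.99", "192.0.2.7", 22, 900),
    Flow("10.20.0.11", "192.0.2.50", 80, 600_000),
    Flow("10.20.0.12", "192.0.2.50", 80, 500_000),
    Flow("10.20.0.14", "192.0.2.50", 80, 450_000),
    Flow("10.10.0.8", "192.0.2.50", 80, 2_000),    # user VLAN source: out of scope
]

if __name__ == "__main__":
    for src, reason in violations(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
    print(ddos_sources(SAMPLE_FLOWS))
```

The allowlist is deliberately a default-deny: a camera has no reason to talk to anything but its vendor endpoint, so a headless device that starts reaching arbitrary hosts is the signal, whatever it is doing there. The same structure translates directly into firewall rules between the two VLANs.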
20 billion IoT and endpoint devices are the weakest link for attacking the cloud
The move to cloud-based computing, storage, processing, and even infrastructure is accelerating. Naturally, this expands the potential attack surface. Most cloud providers have responded by designing their networks with Layer 2 and 3 security technologies to segment the cloud between tenants, control access, and protect the cloud providers’ internal network from their public offering. More sophisticated security tools, like Next Gen Firewalls and IPS solutions, can be added and paid for by the tenant.
The weakest link in cloud security, however, is not its architecture. It lies in the millions of remote devices accessing cloud resources and the trust the cloud places in them. In the coming year we expect to see attacks designed to abuse that trust by exploiting endpoint devices, resulting in client-side attacks that can effectively target and breach cloud providers.
The cloud is also being used to provide ubiquitous access to applications, resources, and services. Using this same client-side exploit, we expect to see the injection of malware into cloud-based offerings by compromised endpoint clients, a process known as cloud poisoning.
Businesses were initially slow to adopt cloud-based strategies precisely because they were concerned about the security of an environment they didn’t own or control. If the cloud-based environments and solutions they are now adopting are suddenly found to be untrustworthy, it could radically affect the current migration to the cloud and the resulting evolution of network infrastructures.
Attackers will begin to turn up the heat in smart cities
We are seeing a move towards smart cities in order to drive sustainable economic development, better manage natural resources, and improve the quality of life for citizens. The interconnectedness of critical infrastructure, emergency services, traffic control, IoT devices (such as self-driving cars), and even things like voting, paying bills, and the delivery of goods and services will create unprecedented efficiencies in urban and even suburban environments.
The potential attack surface in such an environment is massive. The potential for massive civil disruption should any of these integrated systems be compromised is high, and these systems are likely to be high-value targets for cybercriminals, cybervandals and politically motivated hacktivists.
We predict that as building automation and building management systems continue to grow over the next year, they will be targeted by hackers. We have already seen the compromise of a large US retailer’s data through the exploitation of its IP-enabled HVAC system. As with the IoT DDoS attacks, these exploits will likely be blunt-instrument attacks at first, such as simply shutting down a building’s systems. But the potential for holding a building for ransom by locking the doors, shutting off elevators, rerouting traffic, or simply turning on the alarm system is significant. Once this happens, taking control of centralized systems deployed across a smart city is not too far over the horizon.
Ransomware was just the gateway malware
Holding high value assets hostage in exchange for some sort of payment is not new. Ransomware attacks have been in the news for the past couple of years, and no one expects them to go away any time soon. But the growth of ransomware-as-a-service (RaaS) in 2016 – where potential criminals with virtually no training or skills can simply download tools and point them at a victim, in exchange for sharing a percentage of the profits with the developers – means this high-value attack method is going to increase dramatically. According to some experts, the total cost of ransomware for 2016 is expected to top one billion dollars, and is expected to grow exponentially in 2017.
For 2017, we predict the following ransom-based trends:
Higher costs for targeted attacks
We expect to see very focused attacks against high-profile targets, such as celebrities, political figures, and large organizations. In addition to simply locking down systems, these attacks are likely to include the collection of sensitive or personal data that can then be used for extortion or blackmail. We also expect to see the cost of ransom for these attacks to get much higher.
Automated attacks and IoT ransoming
There is a cost threshold for targeting average citizens and consumers that has traditionally prevented it from being cost-effective for attackers. We predict that this limitation will be overcome in 2017 as automated attacks introduce an economy of scale to ransomware that will allow hackers to cost-effectively extort small amounts of money from large numbers of victims simultaneously, especially by targeting online IoT devices.
Continued targeting of healthcare
The ransom value of a kidnapped record is based on how hard it is to replace. Patient records and other human data are difficult if not impossible to replace. These records also have higher value because they can be used to commit fraud. Unless they get serious about security, we predict an increase in the number of healthcare organizations targeted by ransom-based attacks. We should also see an increase in the targeting of other businesses that collect and manage human data, such as law firms, financial institutions, and government agencies.
Technology will have to close the gap on the critical cyber skills shortage
The current shortage of skilled cybersecurity professionals means that many organizations looking to participate in the digital economy will do so at great risk. They simply do not have the experience or training necessary to develop a security policy, protect critical assets that now move freely between network environments, or identify and respond to today’s more sophisticated attacks.
For many, the first response will be to buy traditional security tools, such as a firewall or IPS device. But tuning, integrating, managing, and analyzing these devices requires specialized training and resources. And increasingly, such tools are inadequate for securing highly dynamic and widely distributed networks. We predict that savvy organizations will instead turn to security consulting services that can guide them through the labyrinth of security, or to managed security service providers (MSSPs) that can provide a turnkey security solution, or they will simply move the bulk of their infrastructure to the cloud, where security services can be added with a few clicks of a mouse.
Security vendors will need to respond to these changes and rethink their traditional, siloed approach to developing security tools. The historical goal has been to build a fortress against an invisible enemy. But with highly fluid, multi-platform networks, that approach needs to change.
Today’s security needs to start with visibility, and then dynamically build an integrated and adaptable security framework around that intelligence. Vendors that cannot adapt to the scope and scale of the borderless digital economy, and the evolving requirements of today’s digital businesses, will fail.