People waking up to the threat landscape of 2017 will say it is both familiar and yet uncharted terrain. While Trend Micro’s predictions for 2016 have become a reality, they only opened doors for more seasoned attackers to explore an even broader attack surface.
We are not far from 2017 and already millions of routers, security cameras, and IoT devices have been compromised to deliver DDoS attacks. Trend Micro says this is just the tip of the iceberg as it extends from home IoT to Industrial IoT (IIoT) and is going to get worse.
Trend Micro says the key issues will be:
- Ransomware operations will break off into several routes – fuller, as more variants are produced; deeper, as well-planned targeted attacks are launched; and wider, as threats affect non-desktop targets like mobile and smart devices.
- Simple-but-effective business email compromise (BEC) attacks will become cybercriminals’ next new favourite.
- More hard-hitting business process compromise (BPC) attacks like the US$81-million Bangladesh Bank heist.
- More Adobe and Apple vulnerabilities will be discovered and exploited.
- Even innocuous smart devices will play a role in massive distributed denial-of-service (DDoS) attacks, and IIoT devices will be targeted by threat actors.
- The General Data Protection Regulation (GDPR) implementation looms nearer, and as enterprises scramble to change processes to comply, administrative costs for those affected will skyrocket, even as they grapple with threat actors worldwide bent on infiltrating their networks for various motives.
Dr. Jon Oliver, data scientist and senior architect at Trend Micro, said, “Next year will take the cybersecurity industry in ANZ into new territory after 2016’s threat landscape opened doors for cybercriminals to explore a wider range of attacks and attack surfaces. Cybercriminals have continuously changed their business models to ensure maximum profits from their activity, and we will continue to see this transform with new attack methods threatening corporations, expanding ransomware tactics impacting more devices.”
Trend Micro’s “The Next Tier – 8 security predictions for 2017” is good reading; here is the executive summary.
#1 Ransomware growth will plateau in 2017, but attack methods and targets will diversify
Trend Micro predicts a 25% growth (15 new families a month) in the number of new ransomware families (that is, malware families) as ransomware as a service, a setup where a ransomware operator rents his infrastructure to cybercriminals, encourages even the nontechnical to get into the game.
#2 IoT devices will play a bigger role in DDoS attacks; IIoT systems in targeted attacks
Ransomware is going to move from desktops to servers, to the cloud and more, but it may also move to smart devices like IoT and even cars, all held hostage until money is exchanged.
Service-oriented, news, company and political sites will get systematically pummelled by massive HTTP traffic either for money, as a form of indignation, or as leverage for specific demands.
Cybercriminals will develop Mirai-like malware in DDoS attacks aimed at IIoT where devices can be held for ransom affecting manufacturing or buildings.
#3 The simplicity of business email compromise (BEC) attacks will drive an increase in the volume of targeted scams
Trend Micro says this simplicity will make BEC, specifically CEO fraud, a more attractive mode of attack for cybercriminals.
The average payout for a successful BEC attack is US$140,000 – the price of a small house. The total estimated loss from BEC in two years is US$3 billion. In comparison, the average payout for a ransomware attack is US$722 (currently 1 Bitcoin), which could reach up to US$30,000 if an enterprise network is hit.
#4 Business process compromise (BPC) will gain traction among cybercriminals looking to target the financial sector
The Bangladesh Bank heist caused losses of up to US$81 million. Unlike BEC, which relies on erroneous human behaviour, the heist stemmed from a much deeper understanding of how major institutions processed financial transactions. Trend Micro calls this category of attacks “BPC.”
BPC will go beyond the finance department, although fund transfers will remain its most typical endgame. Possible scenarios include hacking into a purchase order system so cybercriminals can receive payment intended for actual vendors. Hacking into a payment delivery system can likewise lead to unauthorized fund transfers. Cybercriminals can hack into a delivery centre and reroute valuable goods to a different address. This already happened in an isolated incident in 2013, where the Antwerp Seaport shipping container system was hacked to smuggle drugs.
#5 Adobe and Apple will outpace Microsoft regarding platform vulnerability discoveries
Among the vulnerabilities disclosed through the Zero-Day Initiative (ZDI) so far in 2016 were 135 vulnerabilities in Adobe products, 76 in Microsoft products, and 50 in Apple - up from 25 the previous year.
The Apple vulnerabilities will focus more on older versions of iOS (due to end-of-support issues) and macOS. They will also arise simply because Apple is now considered a target.
#6 Cyber propaganda will become a norm
The rise in Internet use has opened the opportunity for invested parties to use the Internet as a free-for-all tool to influence public opinion to go one way or another.
If it is not Facebook, Reddit or WikiLeaks influencing elections, it is easy to monetise “fake news”. Trend Micro has noticed that script kiddies advertise their earnings from fake election-related news. They claim to make around US$20 per month by driving traffic to fabricated content about electoral candidates.
There are also existing groups of dedicated cyber agents who are paid to post propaganda materials on social media sites like Facebook and LinkedIn. They take advantage of the platforms’ electronic content filtering to multiply the visibility of their content.
Entities that can navigate public opinion using this means in a strategic manner will be able to produce results that favour them. In 2017, there will be much more use, abuse, and misuse of social media.
#7 General Data Protection Regulation implementation and compliance will raise administrative costs across organizations
The GDPR — mandatory breach reporting — will force changes in policies and business processes for affected companies that will significantly raise administrative costs.
These changes will force enterprises to conduct a top-to-bottom review of data processing to ensure or establish compliance. It will be especially difficult for multinational companies that must consider building entirely new data storage systems just for EU data. They will also need to review the data protection clauses of their cloud storage partners. Enterprises must invest in a comprehensive data security solution, including employee training, to enforce compliance with the GDPR.
#8 Threat actors will come up with new targeted attack tactics that circumvent current anti-evasion solutions
Trend Micro says there will be more methods primarily intended to evade most modern security technologies. Threat actors typically used binaries then moved on to documents, and are now using more script and batch files. They will start doing more deliberate sandbox detection to see if a network pushes unknown files to a sandbox resource and will even target or inundate sandboxes. The next prize will be virtual machine (VM) escapes.
And how do we crawl out from under a security rock and a hard place in 2017?
A layered approach including:
- Advanced anti-malware (beyond blacklisting)
- Antispam and antiphishing at the Web and messaging gateways
- Web reputation
- Breach detection systems
- Application control (whitelisting)
- Content filtering
- Vulnerability shielding
- Mobile app reputation
- Host- and network-based intrusion prevention
- Host-based firewall protection