Copyright © 2016 Bob Carver CISM, CISSP, M.S.
Let's start with some of the things I got right in 2016:
IoT - This was #1 on my list for 2016 Predictions last year. The beginning of IoT security problems has been seen and felt this year. The Mirai botnet took down 85 websites for a good part of the day in various parts of the U.S., parts of the UK and the EU. These botnets also took two well-known websites offline for a large part of a day. Various reports of Internet interruption have been reported all over the world due to IoT botnet activity.
Signature-based AV and IDS - continues to be worth less in all computing environments and is unable to detect the vast majority of sophisticated malware.
Automation - is starting to be seen in several areas of information security; however, it has a way to go to fully integrate into monitoring, forensics and the incident response process.
Received a wish from last year's wish list:
UL-like certification - for the security of various IoT or other things that connect to the Internet. There are several organizations attempting to do this now. If I were a betting man, I would put my money on Mudge Zatko’s project to have some of the best success.
Predictions 2017:
1. More issues with the IoT (Internet of Things) – Although the U.S. Congress was shocked at a recent hearing of the power of hijacked IoT, it still does not want to legislate IoT, the majority of users don’t know how to secure IoT and vendors/resellers may not be under any legal threat to take any action to better their products. This means more mischief or worse will take place in the coming year. If no one is held responsible, the malware writers and botnet herders will play (“wreak havoc”).
The Mirai botnet was just the tip of the iceberg. It was a relatively unsophisticated test just to see what can be accomplished. Just as we can only see the tip of an iceberg, the majority of the iceberg is submerged below water and has yet to be seen.
While we are on the subject of IoT, let’s put ICS (Industrial Control Systems) and IIoT (Industrial Internet of Things) in this same risk bucket. Many of these devices can be hijacked similarly to IoT and cause major hurt for all networks and users involved.
The ICS and IIoT users/manufacturers have generally been more serious about securing their platforms in recent times; however, there are laggards and legacy systems that are still in need of shoring up their security.
The question still remains: when, and who, will ultimately take responsibility for this mess?
2. Advanced Endpoint Security – If you haven’t purchased Advanced Endpoint Security yet, this is the year everyone should have an RFP out to upgrade their endpoint protection. All traditional AV is evaded with malware that has any level of sophistication. Cybercriminals are selling malware with guarantees that their malware will not be detected by any traditional AV.
3. Compliance to Insurance Standards vs. Compliance to traditional Cybersecurity Standards (NIST, ISO and the list goes on) – In the near future, your Cybersecurity Insurance provider will have the larger influence on what type of security defenses, detection, mitigation, people, processes and technology you will need to have in place. If you don’t follow their recommendations/guidelines, you either won’t be able to obtain insurance or your premiums and deductibles will be so high that it will most likely force you to abide. Note that currently insurance companies can only assess relative risk by the industry a business is in. The statisticians/actuaries will be working night and day to be able to assess risk factors down to a much more granular level than categorizing the industry a business is in. Their job will not be easy since the risk factors can be extremely dynamic in nature.
4. Traditional IOCs (Indicators of Compromise) – MD5/SHA256 hashes of malware, IP addresses, URLs or domain names of botnet command and control servers – may become less important. Why? Hashes change with minor modifications of code, making an almost infinite number of variants. URLs and domains can change daily, hourly or even by the minute. By the time all IOCs have been vetted and published, the game has changed and the last IOCs merely point to past historical data. If they are to be of any value, the dwell time will make it necessary to vet and publish these IOCs in as close to "real-time" as possible.
Of course, knowing IOCs in advance, like cracking DNG (Domain Name Generation) algorithms, is also useful.
As a result, we need to put more weight on TTPs (Tactics, Techniques and Procedures) used in cyberattacks and on how we will immediately recognize or block those attacks.
5. Malware, where is the malware?
Yes, Kaspersky estimates there are 323,000 pieces of new malware each day, while VirusTotal recently saw 413,720 pieces of new malware in a day. So why do I ask, where is the malware?
Fileless malware, exploit kits, memory-resident malware and abuse of legitimate operating system processes will continue to increase and be responsible for a larger portion of malicious cybersecurity activity. Hijacked legitimate processes, or simply the use of legitimate user credentials, will make it more difficult to determine whether a legitimate process is being used for good or for malicious activities. Note that most traditional antivirus products have these processes whitelisted, treating them as if they can only be used for good, legitimate work. Unfortunately, the cybercriminals have discovered that good, legitimate tools can also be used for nefarious purposes.
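To illustrate the argument of items 4 and 5, here is an added example (not from the original post): a hash-based IOC misses a file that differs by a single byte, while a TTP-style rule keyed on behaviour (a whitelisted interpreter launched hidden and with an encoded command from an Office application) still fires. The sample files, the log lines and the Sysmon-like field names are all constructed for this example.

```python
import hashlib
import re

# Constructed stand-in "files": the same tool before and after a one-byte edit.
# These are not malware; they only show how a hash IOC reacts to a small change.
SAMPLE_V1 = b"MZ\x90\x00 constructed dropper build 1\x00"
SAMPLE_V2 = b"MZ\x90\x00 constructed dropper build 2\x00"

# Hash-based IOC feed: one SHA256, published after SAMPLE_V1 was analysed.
HASH_IOCS = {hashlib.sha256(SAMPLE_V1).hexdigest()}


def hash_ioc_match(blob: bytes) -> bool:
    """True only if exactly this file content has been seen before."""
    return hashlib.sha256(blob).hexdigest() in HASH_IOCS


# Constructed process-creation log lines (Sysmon-style fields, made up here).
# Line 1: Word spawning a hidden, encoded PowerShell (a classic phishing TTP).
# Line 2: a benign scheduled backup script launched from the desktop.
LOGS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE "
    "CommandLine=powershell.exe -nop -w hidden -enc AAAAAAAA",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

# TTP rule: an Office parent + a whitelisted script host + hidden/encoded flags.
# It keys on behaviour, so the hash of the dropped file never enters into it.
OFFICE_PARENT = re.compile(r"ParentImage=.*\\(WINWORD|EXCEL|POWERPNT)\.EXE", re.I)
SCRIPT_HOST = re.compile(r"Image=.*\\(powershell|wscript|cscript|mshta)\.exe", re.I)
HIDDEN_ENCODED = re.compile(
    r"CommandLine=.*-w(indowstyle)?\s+hidden.*-e(nc|ncodedcommand)?\b", re.I)


def ttp_match(line: str) -> bool:
    """True when all three behavioural conditions hold on one log line."""
    return bool(OFFICE_PARENT.search(line)
                and SCRIPT_HOST.search(line)
                and HIDDEN_ENCODED.search(line))


def evaluate() -> dict:
    """Compare the two approaches on the constructed inputs."""
    return {
        "hash_hits_v1": hash_ioc_match(SAMPLE_V1),   # known sample: hit
        "hash_hits_v2": hash_ioc_match(SAMPLE_V2),   # one byte later: miss
        "ttp_hits": [ttp_match(line) for line in LOGS],  # [True, False]
    }
```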
6. Banking/Financial Sector – The famous question to a bank robber was, "Why do you rob banks?" The answer, “Because that is where the money is.” Various cybercrime schemes in the financial industry have been started by testing in the East and gradually moving their exploits to the West and most likely will not be slowing down any time in the near future.
Traditionally the goal for cybercriminals was simply to move cash from banks to their own accounts. New exploits to make money are being coded and executed every day.
Some recent trends that are bound to evolve and get more creative over time:
- ATMs - exploit one ATM and be able to empty the entire network of ATMs.
- Mobile banking apps – the mobile or app is compromised and the account is taken over by the cybercriminal.
- One European bank that was often used to hide money from tax collectors was breached and its clients were blackmailed to ensure their tax evading plans were not revealed to the authorities.
- Risk of malicious manipulation of ledgers and databases.
If you can imagine a reasonable scenario, most likely it will be attempted.
7. The Cloud – The cloud is already one of the favorite methods for distributing malware. Enterprises are still honing their abilities to monitor, scan for vulnerabilities, lock down and protect the cloud. When cybercriminals take advantage of the cloud, then the enterprise will truly know their weaknesses, continuing to refine their monitoring, hardening and security practices.
8. Ransomware – will continue to grow; however, it may not be the traditional "encrypt your computer and demand bitcoin" for the decryption key. Cybercriminals will be concocting new business models and new platforms to execute them. Encryption is becoming old school. Data destruction, data manipulation, being locked out of digital platforms and old-fashioned blackmail could be some of those new criminal activities. It may go into the cloud, automobiles, IoT/IIoT/ICS and beyond.
9. Mobile – in spite of unending patches and upgrades the smartphone still is one of the most vulnerable platforms. There has been progress; however, if the sophisticated actor wants to compromise your emails, texts, contacts or banking apps, they most likely will gain access. Blackberry was the king of secure phones for the longest time. Unfortunately, they did not keep up with consumer demands for modern, convenient apps and browsing the Internet. Let’s hope security is better embedded by design in the phones the general public purchases getting back to the level of security Blackberry was known for. Look for financial exploits and access to personal information.
10. Terrorists and Rogue Nations - will utilize traditional cybercriminal activities to raise money for their cause. They have been losing ground in their land grabs. This may cause some of them to go virtual and get behind the keyboard.
11. Phishing and Social Engineering – Simply said, it is not going away. This is still one of the most popular ways that a perpetrator gains the initial foothold in a network. As long as they get a regular, small percentage return on their continued attempts, it is not going away. In the meantime defenders need to continue to raise the bar in their detection algorithms, possibly utilizing machine learning, because the cybercriminals will continue to raise the bar with their exploits.
Wishes for 2017, the New Year:
1. That everyone understands there are no more "set it and forget it" security programs that are sufficient to protect you. You must be dynamic to keep up with the attackers.
2. That some group ultimately takes responsibility for IoT/ICS security matters.
3. That threat platforms progress to make IOCs available as close to real-time as possible, and that TTPs become more important in Threat Intelligence and are made available more quickly.
4. That more IoT/IIoT/ICS devices be purchased that include a warranty to support security patches for at least 5 years (or more) and that force users to change passwords (and ideally usernames) at initial login to the device.
5. Expiration dates on IoT/IIoT/ICS. If these devices have serious security flaws that can no longer be remediated, they should be forced to have an "end of life" date where they would be retired and taken out of service.
Remember, being compliant does not mean you are secure.
Everyone be vigilant and have a safe, great 2017!