Trends and challenges in 2019 and beyond
This post will shed light on some of the exploit trends and developing breach threats we see emerging over the course of the coming 12 months. The post is co-authored by the team from cybersecurity provider Loryka, which was recently acquired by Baffin Bay Networks, including Justin Shattuck, founder Loryka, Zac Lindsey and Josh Woodbury.
Key themes include:
- increasing formalization of malicious activity into structures that resemble conventional business operations and company structures
- use of social exploitation to target individuals, bypass security systems
- greater effectiveness of multi-stage malware
- increasing integration of organizations’ IT security and legal teams
- vulnerabilities associated with cloud platform add-ons
1. Business operations and company structures
Bad guys go mainstream
Malicious actors are becoming increasingly organized. In a growing number of cases, such actors take on characteristics of conventional enterprises in terms of having teams providing 24/7 support under contract and establishing management positions, such as CEO and CFO, similar to a legitimate business, representing the formalization of criminal and unauthorized activity.
Furthermore, actors are becoming increasingly organized in terms of the amount and nature of data they gather, exploiting existing vulnerabilities and creating new ones.
Key takeaway: we are likely to see nefarious actors increasingly move towards an enterprise software model, reflecting the continued rapid development of innovative and advanced unauthorized activity. The “bad guys” are becoming more enterprising, and they are being increasingly more structured about the way they conduct such activity.
2. Social exploitation
This time, it’s personal
A growing number of malicious actors use increasingly sophisticated psychological methods rather than malware to target individuals and consumers, a practice referred to as social exploitation. This has the advantage for such actors of bypassing security technology introduced by companies and organizations. As security technology improves at enterprises, criminal parties have to target the weakest link – and the weakest link tends to be individuals. The number of people who click on spam links in email, for example, remains high.
Actors are gaming individuals rather than machines. They’re going after people’s brains rather than machines to make people do the work.
We see a rise in the number of attacks where people contact individuals saying that they have, for example, their password to one of their social media accounts, suggesting that they have access to a target’s computer, data, and contacts. Targets are told that evidence of some potentially embarrassing behavior or their Internet search history will be sent to their contacts unless they make a payment to the perpetrator, typically in Bitcoin.
We’re likely to see continued innovation in sexploitation attacks and phishing schemes. This, coupled with a huge trend-up in multi-stage malware and better obfuscation, is going to lead to higher infection rates.
Key takeaway: expect social engineering attacks to become even more frequent and sophisticated in 2019. We’re likely to see continued innovation in sexploitation attacks and phishing schemes. This, coupled with a huge trend-up in multi-stage malware and better obfuscation, is going to lead to higher infection rates. To mitigate such attacks, we would encourage service providers to ensure that customers apply existing security measures. Some providers already do this, for example by awarding users points for how well they use security settings.
3. Multi-stage malware
Low and slow: the manipulation of machine learning
The third area where we see evidence of increased activity, and greater effectiveness of exploits, is multi-stage malware that introduces small incremental changes to systems over time that tricks and skews algorithms, thereby altering their perception of what is approved or normal behaviors.
Such activity, particularly common in the banking and finance sectors, is a persistent annoyance, with some targets reporting up to 10 percent of their bandwidth affected.
In financial markets, for example, rouge actors, prepared to invest the necessary time, will track technical and fundamental indicators and introduce small incremental changes to trades over time. By injecting trades, they start to trick technical indicators to effectively skew a moving average.
We also see chatbots performing unsupervised learning, paving the way for the dissemination of malicious information, potentially publishing misleading or inaccurate content. For example, if Wikipedia populated itself through machine learning in an unsupervised way from chatbots, bad actors would have the ability to skew information displayed on that page.
Key takeaway: we are likely to see some larger, public-facing services that use machine learning to discover that their services are skewed by misinformation that has been fed to them this year and last. It is theoretically possible that an exploit could be launched this year but go undetected for a number of years.
4. IT security and legal
IT know-how and legal expertise combine
Enterprises are under growing pressure from clients to define legal liability in terms of cybersecurity concerns. GDPR, NIS directive and similar legislations add to it. This is increasingly resulting in organizations’ IT and legal functions working closer together. While compliance and legislation are also playing a role here, client demand is the key driver.
Businesses are asking their lawyers and legal counsel to provide clear guidance on how liability is shared and to establish answers to questions such as: who is responsible in the event of a breach; and who is responsible on the front-end as part of ethical requirements.
In the same way as lawyers now face ethical issues over using document sharing services and document storage software, lawyers are also likely to face similar requirements from state bar associations in terms of understanding security.
This also leads to increases in cybersecurity insurance premiums and growing demand for professional service providers, who in turn need to know more about cybersecurity to be able to help advise clients.
Key takeaway: the pace with which organizations integrate their IT and legal functions is likely to accelerate in 2019. As growing numbers of companies move towards combining IT and compliance, demand for more security orientated IT professionals with legal knowledge is set to increase.
5. Cloud platform add-ons
We have seen the use of cloud platforms expand considerably in recent years. And while security measures taken by cloud provides are generally effective, devices that communicate between cloud platforms are potentially more vulnerable. How cloud providers respond to this challenge will be a key aspect of the cybersecurity threat landscape in the years ahead. Arguably, a contradiction exists between cloud services claiming that they are simple to use, and then requiring action from users to be safe. Individuals are still required to work with cloud services actively to ensure that their data remains secure.
Bad guys aren’t longer looking for data on drives anymore, they’re looking for data in buckets. Using third parties to access data in buckets is definitely an up-trend, probably more of an attack we’re likely to see in 2020, but it’s coming.
Key takeaway: with more organizations implementing a hybrid cloud strategy, our concern is with the connectors and add-ons that are common to such services that potentially expose individuals and organizations to attack. Therefore, we would argue that attacks are more likely to target the services that sit on top, rather than major cloud vendors.
So, how do we fight back?
Over the past five years, understanding among the general population of what cybersecurity is and what it takes to achieve it has improved. However, while there is increased awareness of security, people still tend to underestimate threat levels.
Similarly, security professionals underestimate certain risks and overestimate others. This makes it more likely that limited resources are wasted on unnecessary or ineffective measures. While an organization might acquire costly, high-end hardware, it may allocate insufficient time or resources for user training to get the most out of their investment. Smaller businesses tend neither to have sufficient funding to buy the latest security hardware nor the staff to run it.
Cybersecurity must not simply be walled off and tasked to an obscure and opaque security team that gets blamed if something goes wrong. Increasingly, everyone is at risk because everyone uses the Internet. Therefore, everyone is responsible to keep the Internet safe. Because security touches us all, we need to move towards introducing the idea of self-service security, bridging the gap between security and non-security professionals.
Everyone is at risk because everyone uses the Internet.
People underestimate the value of basic IT training for users, but it remains critical to deny nefarious actors the opportunities they search for to mount exploits - and this is certain to continue to be the case for the foreseeable future.