2017 predictions for security
Many companies will continue to have a blind spot
We predict attacks will continue to be successful in 2017 because organisations still have not addressed a blind spot: attacks carried over encrypted channels are missed because there is no SSL inspection capability in place. 2016 saw a huge rise in attacks against enterprises using PowerShell. Microsoft PowerShell is a framework and scripting language installed by default on all Windows computers, and attackers use it because many organisations have no adequate protection in place against its malicious use. As it is already part of the Windows system, it is easier for an attacker to use it as part of their attack cycle and difficult for network defenders to identify malicious use, if they are monitoring at all. Tools such as PowerShell Empire, frequently used by penetration test teams, are also used by attackers to bypass the perimeter, create backdoors and then move laterally around a network. Organisations will need to review their monitoring capabilities and logging levels, and identify which known-good scripts are in use across their network, so that they can detect malicious activity where possible.
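The monitoring review recommended above, as an added example that is not from the original article: constructed Windows event log entries (script block events, ID 4104, and process creation command lines, ID 4688) are triaged against an inventory of known-good scripts, and any encoded command is decoded for the analyst. The event layout, the sample scripts and the choice of flags to highlight are assumptions.

```python
import base64
import hashlib
import re

# Scripts the organisation has inventoried as known-good (constructed here; in
# practice this list comes from the scripts actually in use on the network).
KNOWN_GOOD_SCRIPTS = [
    "Get-Service | Where-Object Status -eq 'Running'",
    "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object",
]
KNOWN_GOOD_HASHES = {hashlib.sha256(s.encode()).hexdigest() for s in KNOWN_GOOD_SCRIPTS}
# Invocation flags that routine administration rarely needs (assumed weighting).
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:enc(?:odedcommand)?|executionpolicy\s+bypass|windowstyle\s+hidden)\b", re.I)
ENCODED_ARG = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# Constructed sample log entries: 4104 = script block text, 4688 = process command line.
_ENC = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws-01", "text": KNOWN_GOOD_SCRIPTS[0]},
    {"id": 4688, "host": "ws-02",
     "text": f"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand {_ENC}"},
    {"id": 4104, "host": "ws-03", "text": "Set-Content C:\\Temp\\note.txt -Value 'not inventoried'"},
]


def decode_encoded_command(text):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE); None if there is none."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events):
    """Return one finding per event: 'known-good', or 'review' with the reasons why."""
    findings = []
    for ev in events:
        reasons = []
        if ev["id"] == 4104:  # script block: is it one we have inventoried?
            digest = hashlib.sha256(ev["text"].encode()).hexdigest()
            if digest not in KNOWN_GOOD_HASHES:
                reasons.append("script block not in known-good inventory")
        reasons += [f"flag {f}" for f in SUSPICIOUS_FLAGS.findall(ev["text"])]
        decoded = decode_encoded_command(ev["text"])
        if decoded is not None:
            reasons.append(f"decoded command: {decoded}")
        verdict = "review" if reasons else "known-good"
        findings.append({"host": ev["host"], "verdict": verdict, "reasons": reasons})
    return findings
```

Script Block Logging and process command-line auditing must both be switched on for entries like these to exist at all, which is the logging-level review the paragraph asks for.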
Artificial Intelligence will change the approach to analysis in SOCs
As organisations seek to use Artificial Intelligence (AI) and machine learning capabilities, the approach to analysing security events will change in 2017. The principle of ‘what good looks like’ has been around in cyber security for a long time. Machine learning extends this concept: algorithms model what good behaviour is deemed to be, such as how certain system calls should or should not be made or how certain file types are put together, so that any deviation from that model is deemed suspicious. Core network monitoring for anomalous behaviour, such as unusually large transactions or a first attempt to access a database, will be a change in approach for Security Operations Centres, which need to move towards an intelligence-led approach. They will no longer simply react to and triage ‘known bad’ traffic flagged by an antivirus or intrusion detection alert; they will need to investigate an alert telling them that something unusual has happened according to a machine learning algorithm. One further area to watch in 2017 is attackers using the same AI capabilities as they seek to defeat network and security controls.
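As an added example (not from the original article), the two anomalies the paragraph names, a first access to a database and an unusually large transaction, scored against a per-user baseline learned from a constructed history; the three-sigma threshold, the minimum sample count and all the sample values are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of (user, database, transaction amount) events used to
# learn the baseline; every value below is made up for this example.
HISTORY = [
    ("alice", "payments", 1200.0), ("alice", "payments", 1350.0),
    ("alice", "payments", 1100.0), ("alice", "payments", 1275.0),
    ("bob", "hr", 300.0), ("bob", "hr", 320.0), ("bob", "hr", 290.0),
]


class BehaviourBaseline:
    """Learns 'what good looks like' per user and scores new events against it."""

    def __init__(self, sigma=3.0, min_samples=3):
        self.sigma = sigma                  # deviations from the mean that count as 'large'
        self.min_samples = min_samples      # do not judge amounts on too thin a history
        self.databases = defaultdict(set)   # user -> databases seen during learning
        self.amounts = defaultdict(list)    # user -> transaction amounts seen

    def learn(self, events):
        for user, db, amount in events:
            self.databases[user].add(db)
            self.amounts[user].append(amount)

    def score(self, user, db, amount):
        """Return the anomaly reasons for one event; an empty list means it fits the baseline."""
        if user not in self.databases:
            return ["no baseline for user"]
        reasons = []
        if db not in self.databases[user]:
            reasons.append(f"first access to database '{db}'")
        seen = self.amounts[user]
        if len(seen) >= self.min_samples:
            mu, sd = mean(seen), pstdev(seen)
            # floor the band at 1% of the mean so a perfectly flat history still tolerates noise
            limit = mu + self.sigma * max(sd, 0.01 * mu)
            if amount > limit:
                reasons.append(f"amount {amount:.2f} exceeds baseline limit {limit:.2f}")
        return reasons
```

Unlike a signature alert, each reason here only says that the event departs from the learned behaviour, which is exactly the kind of alert the paragraph says analysts will have to investigate rather than match against a known-bad list.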
Core banking applications will continue to be a focus area for criminals
Core banking applications became a huge target in 2016. Major compromises at international banking institutions saw millions of dollars stolen directly as a result of weaknesses in the SWIFT global payment network, the largest case being $81 million from a Bangladeshi bank. We also observed the growth of banking Trojans targeting ‘back office’ applications, allowing criminals to exploit legacy technologies to steal funds directly from banks; we consider this a significant risk to the banking sector in 2017. SWIFT has introduced 16 mandatory controls and will inspect banks for conformance in 2018, reporting those that do not conform to banking regulators, but this still leaves a window of opportunity for cyber criminals. Researchers identified the Odinaff Trojan targeting SWIFT late in 2016 and we expect to see new variants and methods of attack this year.
Attackers will increase focus on the mobile market
Improved security on new operating systems and the increasing use of smart devices for personal and business data will make mobile platforms a bigger target in 2017. Many organisations are now upgrading from legacy Microsoft operating systems, which have been frequently targeted for their vulnerabilities, and taking advantage of the improved security features that come with a Windows 10 build, the Edge browser and improved server operating systems. Components such as Adobe Flash, also frequently targeted, particularly by exploit kits, are now being removed from enterprise networks and by browser vendors, with Google Chrome making HTML5 the default option in December 2016. Individuals now have many smart devices, many of which hold vast amounts of personal and business data thanks to modern storage capacities, and so attackers will continue to develop innovative attacks against mobile platforms, such as mobile ransomware demanding payment for the return or decryption of personal photos. Mobile Device Management will need to be supplemented by robust security controls, particularly for business devices.
Smart cities will be targeted by hackers
As we continue to see the exponential growth of Internet of Things (IoT) devices, we will continue to observe security issues that we had not even considered before. When an architect put together the design of smart motorway noticeboards, they would not have considered that hacktivists would target them to display politically motivated messages instead of motorway warnings to motorists. The same is true of the IoT manufacturers who built the hundreds of thousands of CCTV cameras, DVRs and SOHO routers that now make up the ‘Mirai’ IoT botnet.
Lessons will clearly be learned from Mirai, such as avoiding hard-coded default passwords, but many of the protocols designed for smart connected devices will have their own flaws and vulnerabilities, as we have seen with the Zyxel routers. We will see more of these vulnerabilities in 2017.
Attackers have already exploited these vulnerabilities to their advantage, so whilst ransomware being able to take out a city of ‘smart’ connected lights would have seemed unlikely and unfeasible 12 months ago, recent events have changed that perception.
It is not only the potential vulnerabilities in the smart devices themselves: these platforms also need to be controlled, and the governance around the management of those control platforms will be paramount. This includes the security controls of the supply chain involved in delivering and controlling any part of the smart city we are now connecting. If it takes only a breach of one part of the supply chain to compromise the platform managing the smart devices, then we should expect to see more of these attacks. Attackers may not try to exploit vulnerabilities in connected cities directly, but they may seek to install ransomware in a critical part of the infrastructure.