Alex Vaystikh, CTO and co-founder, SecBI
As more IT infrastructure transitions to become cloud-based and accessible from anywhere, hackers will focus on targeting browsers as the weak point. Browsers are essentially the operating system today, no matter whether you are using Windows, Mac OS or Linux. Employees spend most of their time in the browser, talking on Hangouts, drafting documents on Google Docs, and using multiple plug-ins. It's a very large attack surface that hasn't been fully used by hackers, but that is about to change. And once hackers find a vulnerability within a browser, they'll have access to everybody who uses Chrome as their browser, regardless of OS. This will be a nightmare for IT security professionals, unless they are using incredibly sophisticated analytics tools.
The increase of cloud integration into business organizations will also lead to ransomware that targets corporate databases. There currently aren't many hackers attacking corporate networks with ransomware, because they know that most companies retain backup files and may simply refuse to pay. However, the cloud is a totally different story. I'm sure we will see ransomware targeting SMBs that have recently moved their files to the cloud, because they generally do not have backups and do not know how to recover. IT security professionals will certainly have their hands full.
We will see major offensive cyber action from the U.S. Government in response to a reported cyberattack. Because of the attribution problem with cyberattacks, there will be considerable ambiguity about the attacker's identity. Unlike Iraq, where we eventually found out we were misled, in this case we may never find out the truth.
We will see increased attacks on encryption by the FBI and other agencies. This will be a pivotal year in the development of this 25+ year long debate about the future of information, privacy, and security.
Attacks on code repositories and open source libraries will increase dramatically.
In general, 2017 promises to be a year in which smaller solution vendors come under increasing pressure to make their products fit into existing work flows while they also try to differentiate by providing added value or unique features.
Security teams will turn to network engineers for the truth contained in packet data as metadata and log data are increasingly compromised. At the same time, Security Analytics will become the "hot" topic for presentations at security conventions.
Sophisticated, state-sponsored security breaches will continue to increase. These adversaries are becoming more adept at bypassing traditional security measures, so as the number of breaches rises, network engineers will increasingly find themselves being called on to help security investigations. They will need to provide critical network packet data that efficiently answers the who, what, when and how of the intrusion – even weeks or months after being discovered.
Security stack complexity will continue to increase even more rapidly than attack surfaces, greatly increasing the tension between doing business (having low-friction systems and processes) and being in business (avoiding major security incidents), making it vital that enterprises have the capability to conduct rapid, accurate investigations into security incidents.
Security teams will be increasingly inundated by incidents requiring investigation. The only solution is to automate the routine parts of their workflow to help speed up the analysis process. Smart hackers find ways to disguise attacks as low-priority issues, making the quantity of investigations as important as their quality. Automating data collection and alert correlation techniques will help these teams analyze alerts as they come in so that low-level alerts don't fly under the radar and go unchecked. With adequate automation technology in place, security analysts can expect up to a five-fold increase in the number of alerts that can be checked by the same manpower.
Security teams will see their budgets increase, but demands on their time and expertise will increase even more. The choice is between tolerating increased risk or increasing the efficiency of the security team through automation and machine intelligence.
More hawkish regulation enforcement by government entities. The U.S. government is no stranger to cybersecurity – it's been a primary focus for decades. But recent events like the U.S. election have highlighted how a lack of appropriate security measures can impact the entire globe in ways we hadn't considered.
Regulations that address the vast majority of cybersecurity threats already exist. It's the adoption of key technologies that help to adhere to these regulations that's lacking. And that isn't to say that companies aren't trying. Many organizations already have teams devoted to meeting the government and industry regulations they fall under – from PCI to HIPAA, FedRAMP to FISMA/CDM.
Still, in 2017, we'll likely see a renewed effort by government regulators to accelerate the implementation of security technologies. Ignoring the regulations or inching toward adherence will no longer be acceptable. Extensive progress will be expected – and required.
More ransomware. After a hugely successful 2016, we'll see additional increases in ransomware. And as a result, companies may start to actually budget money to buy back their own data after a ransomware event. As long as the majority of ransoms remain relatively low, companies will continue to pay them, and they may do so without involving law enforcement to avoid disruption of their businesses and blemishes to their brands.
Technologies to look out for:
Multifactor authentication. I again believe we'll see widespread adoption of two-factor authentication across all industries. This is a fundamental technology that effectively addresses a problem that's grown too big to ignore.
Granular management of privileges. Obviously, Plan A is keeping hackers outside your network. But that isn't always possible, so organizations must have a Plan B in place when perimeter technologies are breached. Most security experts today look at privilege management as an essential second layer of protection.
Simply put, privileged identity management (PIM) prevents hackers that gain access to your network from then accessing anything and everything inside it. The key is in assigning specific individuals access to specific information. Say, for example, a hacker breaks into the DNC network. Rather than gaining access to everything, they are denied access to any sensitive information because they don't have the necessary privileges.
Least privileged access. A component of PIM is least privileged access. This means that each person granted access to the network starts with the minimal level that will allow for normal functioning – the lowest level of rights that a user can have and still do their job.
Bitcoin. A final prediction is around bitcoin. Despite a hack in early August that resulted in the loss of 120,000 bitcoins worth $65 million, the cryptocurrency quickly rebounded and has continued to grow in popularity. Expect some additional security measures to be implemented in the exchanges. On a related note, look for the rapid commercialization of blockchain technology beyond the currency realm and into manufacturing, finance, shipping and entertainment. It should be an interesting year.
The industry will look at the cloud, from both sides now. While migration to the cloud will maintain momentum, some cloud business will start drifting back to, and get anchored on, the ground, while others will evince hybrid qualities between “Heaven” and “Earth.” This movement will be especially pronounced in the large enterprise applications space. Reasons include:
There will be a convergence of unstructured analytics of external and internal data. Unstructured analytics will begin to distinguish between external and internal data. Thus far, much of analytics has focused on external data, e.g., for marketing insights. Going forward, the treasure trove of internal unstructured data, such as email, files, and social media, promises to yield far more valuable insights on the characteristics and dynamics of an enterprise's human players. It should be noted that much of this internal data is already under governance functions, e.g., compliance.
The insider threat will be the new breed of security threat. The insider threat has emerged as a legitimate danger to companies with sensitive information spread across their network. In the past, organizations have been preoccupied with defending against the anonymous hacker, and so have focused efforts on maintaining the integrity of their firewall to prevent an external breach. While this is still important, the modern threat to data security often wears a familiar face. Employees and contractors are often most knowledgeable about where important files lie within the enterprise, and how to access them, making them a liability if files are not properly managed.
Unstructured analytics architecture will undergo a sea-change. Practically all unstructured analytics today use the “sandbox” architecture, which makes governance functions very difficult. Going forward, analytics will begin taking a more holistic approach which leverages existing governance capabilities such as e-discovery, compliance, records management, etc.
There will be a convergence of analytics and information governance. Analytics and Information Governance will begin convergence from both directions. Analytics will begin to factor in governance capabilities, in order to mitigate compliance and litigation risks. From the other direction, governance of enterprise data will begin to add unstructured analytics.
There will be a paradigm shift toward content control rather than network security. Companies need to be able to map files across the enterprise to identify exactly where sensitive information lies and regain control of their data. Absolute control of content is the only way to protect data from within. Fortunately, file analysis and behavioral analytics have made large strides, giving CSOs, CIOs, and IT new tools to secure sensitive information and detect suspicious behavior within their network. Accelerated content analysis can offer organizations insight into where their most important data lies – personally identifying information, credit card information, proprietary property – which can then be locked down or quarantined. Access privileges can be updated, and ongoing remediation policies standardized. Communication patterns and file access can be analyzed to detect unusual behavior and stop potential security hazards in progress.
Working with DevOps will be the holy grail for security. In 2017, DevOps will go mainstream. While it's been steadily picking up speed, in 2017 DevOps will start being a symbol for teams with integrated skills to build, deploy and maintain applications in a continuous way. Security will be a cornerstone of that skill set. DevOps requires a reinvention of security, including a cultural change. To meet this need, security as a whole will recognize the need to integrate into DevOps to survive.
IoT is a battlefield. Home security for Internet of Things devices will be a huge market by 2020. Right now it's nascent, but as people implement more and more devices in the home, the security risks will continue to increase. We're in uncharted territory, but many interesting technologies will be born in this space in 2017.
Security vendors will battle each other to the death. Over the last couple of years, there has been a spike in investment in security startups. In 2017, we'll start to see a thinning of the herd, especially in event-driven and compliance-driven security purchasing. We're getting smarter about buying solutions that work to make us safer, instead of just worrying about buying the Gartner-defined industry leading software. The security vendor industry will finally be held to standards of quality of detection.
The rise of cyber gangs. The past year has been rampant with attacks, and it's only going to get worse, not just in the number of attacks, but in their sophistication. Attackers have been getting smarter, their data gathering techniques more sophisticated, and they're becoming more organized. In 2017, we'll likely see growing groups of attackers, as well as a network of shared information they've stolen. These groups will also likely clash, and we'll see attackers going after each other as these virtual gangs grow, gain resources, and fight over territories in the digital landscape. As we all know, everyone needs to protect against these threats by taking a layered approach and ensuring they have a proper cyber resilience strategy in place to combat them. But that can sometimes be out of reach for many organizations, as they are always strapped for resources and budget, and then for management of said layers. Thus the massive shift of organizations moving to a cloud security strategy, where you can get advanced security capabilities that would be out of reach to try and build on premise.
Ransomware continues to evolve, yet don't take your eye off other threats. Ransomware will explode to become one of the biggest threats, fuelled by smaller 'opportunist' attackers using off-the-shelf kits to deploy malware. This is an easy and cheap attack method that produces fruitful results. Few organizations have effective defences against this type of malware, and now with bitcoins enabling the perpetrators to increase distance from their victims further, it has never been so easy to get away with it. In the coming year, we should also expect more crypto-lockers and evolving forms of ransomware that deny access to desktops, network drives and cloud services. And just as you focus your attention on ransomware issues, you can't be caught off guard by adversaries impersonating the CEO to transfer thousands of dollars to an offshore account, or by basic phishing attacks that will cause employees to launch attacks on your organization.
Focus on data mining. One theme that is still overlooked is that it's not just about wire transfers. Attackers aren't just focused on money, they're focusing on data mining and will use the data they gather in more advanced attacks to gather important data to be either sold on the Dark Web, or used in future attacks. (Remember the W-2 fraud uptick earlier this year? We're heading into tax season, and can expect to see this again.) While Wire Transfer fraud is, and will be an issue in the future, organizations need to also think about where else they're susceptible and ensure they have the appropriate protective measures in place. Backups are essential, but the evolution of ransomware is staggering and organizations need to ensure their gateway, firewall, endpoint and other security solutions are consistently up-to-date.
Cyberespionage to cause more political disruption. Nation states and their sponsored operatives will use cyber espionage more and more to cause political shifts, disruption, and to gain economic advantage. This will involve, but will not be limited to, email hacking and disclosure of other forms of intercepted private communications, disruption of and interference with critical national infrastructures (Stuxnet 2).
Reining in data residency and governance. The impending GDPR will focus European organizations on improving their security and privacy programs significantly in 2017. At the same time, increased state-sponsored attacks will lead to more stringent rules around data residency and governance, as well as state firewalls being considered to mitigate threats and allow regional business activity to continue. Advancements in managing internet traffic from different geographies may also become a focus as the global trade landscape changes.
Impersonation attacks in the spotlight. 2016 has been the year of ransomware, and it's no secret that social engineering attacks, like phishing, spear-phishing and domain spoofing, have grown from being a nuisance to a huge problem. However, one of the lesser publicized problems is impersonation attacks. Whaling attacks can cost organizations millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, whaling attacks led to more than $2.3 billion in losses over the last three years. We expect to see whaling attacks as the next "it" attack flooding the media.
Macro malware still in the game. Once thought of as a thing of the past, macro malware has reared its ugly head into the ring of attack methods cybercriminals are using. While most organizations choose to block executable attachments at the gateway by default, they must still allow files, such as Microsoft Office documents, to pass freely if employees are to be productive. Attackers exploit this by weaponizing files in these common formats. According to our own research, we found that 50 percent of firms have seen email attacks that use macros in attachments increase over the last year. Why? Well, it's such a simple tactic with little proactive AV detection, and that's why we'll continue to see waves of macro malware into next year and beyond.
Rise of the ransomworm, the next evolution of ransomware. Ransomware will move from a company's one-time issue to a network infiltration problem. Ransomware is already big business for hackers, but ransomworms guarantee repeat business. They not only encrypt your files until you pay up, they leave behind a little present to make sure their malicious ways live on. Microsoft warned of a ransomworm earlier this year called ZCryptor that propagated onto removable drives. By placing a little code on every USB drive, a company's employees bring more than their presentations to a sales meeting; they're carrying a ransomworm, not the greatest impression you want to give a prospect.
Incident response teams are holding their thumbs in a dike about to fail. The security expertise shortage is acute and not getting any better. Security demands are rising, but the talent pool is not catching up. We're seeing more CISOs shifting security responsibility outside the enterprise, but only up to a point. Outsourcing is fine for basic functions such as provisioning a new user, but falls apart for security incident response. The MSSP doesn't have the knowledge, staff, or access to understand how to provide context and respond. So, low level functions go to the MSSP, while high-skill functions such as incident response stay in-house, with more and more pressure building on the incident response teams, many of whom are working without a playbook on what to do when they find an incident. More incidents plus overworked response teams? It's a recipe for a massive breach.
Understaffing will be a major influencer on security projects. Cybersecurity incidents will keep rising, but the pool of qualified talent is shrinking. CISOs will put a lot more thought into security process automation, not only to improve security posture, but also to deal with the lack of skilled security staff.
Poor incident response will be considered a pre-existing condition. The security incident response capabilities of a company will become a measured line item in a cyber insurance policy. Insurance companies are likely to realize that when they offer a cybersecurity policy to companies, they should take into account not only the detection and capabilities of their clients, but also measure how they deal with a security incident when it happens.
Breaches, leaks, and more leaks. This one should be no surprise, but don't expect the leaks to stop in 2017. There will be data leaks, especially from malicious former employees or contractors. These insiders will either gather information before they leave and use it for their own gain, or continue to harvest company resources such as code repositories after they leave due to bad credential management policies and enforcement.
AI-based cybersecurity solutions will reign supreme. We expect more companies to integrate AI into their solutions to boost their protection capabilities and catch up with industry leaders. It is also likely that more companies will attempt, and perhaps succeed, at meeting the high barrier of applying deep learning.
Ransomware will continue to be a threat to operations, especially corporations. We expect to see new kinds of ransomware that are not only encryption-based but use other extortion methods such as theft, data wiping or corruption, denial of access to the entire operating system, and the prevention of the operating system from booting by overwriting the MBR.
Although the majority of ransomware families target only Windows, in the future, ransomware attackers may hit every server, client, mobile device, or any other network component in the organization, leaving no endpoint uninfected.
Another trend we expect to see is a severe ransomware attack that will target industrial networks by simply disrupting activity, which could cause electric, water, gas, or nuclear utilities to shut down until the ransom is paid.
IoT: an increasingly appealing target. We expect IoT-related cyber-attacks to increase in volume and damage. As the main vulnerability of IoT is that default passwords haven't been changed or security patches haven't been applied, we expect the attacks to start targeting enterprises, focusing on devices such as thermostats and security cameras to gain access to the enterprise's internal network.
Critical infrastructure will be more prone to targeted cyber-attacks. As ICS/SCADA networks shift from old and legacy systems to newer wireless communications protocols, we expect to see more attack attempts on industrial networks and infrastructure, such as trains and railway systems, as well as ransomware that targets SCADA systems.
SMBs will become a bigger consumer of cybersecurity solutions. SMBs are becoming a growing target for cyber-attacks because they are perceived as low hanging fruit. The scale of security spending by SMBs will increase as cyber threats and their business impact become a common reality.
Prevention: The new focus of cybersecurity. The increase in new attacks that can evade sandbox environments, and the prevention limitations inherent in deep-forensics will give rise to cybersecurity solutions that offer real-time prevention, in addition to detection.
The silent attack on information – complete loss of trust. The integrity of information will be one of the biggest challenges global consumers, businesses and governments face in 2017, where information from previously venerated sources is no longer trusted. Cyber attacks won't just focus on a specific company, they'll be attacks on society designed to eliminate trust itself.
We've seen information used as a weapon and propaganda tool in the 2016 U.S. election cycle, but this will move to the next stage where information can no longer be trusted at all. Attackers aren't just accessing information; they're controlling the means to change information where it resides, and manipulating it to help accomplish their goals.
For example, consider how the emergence of tools that allow for greater manipulation of previously unquestioned content – like audio files – could lead to increased extortion attempts using information that may not be real, or grossly out of context. It will be easier than ever to piece together real information stolen in a breach with fabricated information to create an imbalance that will make it increasingly difficult for people to determine what's real and what's not.
Cloudy with a chance of cyber attacks. Cloud infrastructure and the proliferation of cloud-based services have proven to be game changers for business. The benefits of the cloud have not gone unnoticed by the dark side either.
Much like how cyber attackers are channeling the power and insecurity of IoT devices to launch massive DDoS attacks on scales previously thought unachievable, attackers will increasingly use the cloud to ramp up production of attack tools.
With the addition of available computing power and agile development capabilities afforded by the cloud, we'll see new attack tools that are exponentially stronger than previous iterations, we'll see attacks that are stronger and more devastating, and ultimately, because attacks are raining from the cloud, attribution will become nearly impossible. This will also increase the agility of attackers – a strategic advantage that they currently hold over organizations.
Self-learning cyber attacks. The year 2016 was marked by tremendous progress in the field of artificial intelligence (AI) and subsets of the technology such as machine learning, machine intelligence, deep learning and more.
In the field of cybersecurity, hundreds of companies are working to incorporate AI and machine learning into their technologies to predict, prevent and defeat the next major cyber attack.
As we've seen with other technologies, as AI becomes commoditized, we can expect cyber attackers to take advantage of AI in a similar way as businesses. Much like 2016 saw the first massive IoT-driven botnet unleashed on the internet, 2017 will be characterized by the first AI-driven cyber attack.
These attacks will be characterized by their ability to learn and get better as they evolve. Think about “spray and pay” ransomware attacks that get smarter, and more targeted about what information is held hostage, and what to charge for it. This will transform the “advanced attack” into the common place, and will drive a huge economic spike in the hacker underground. Attacks that were typically reserved for nation-states and criminal syndicates will now be available on a greater scale.
Data privacy and pricing structures. The efforts on consumer data-conditioning are almost complete – consumers know that private information is a commodity they can trade for better service. We're beginning to see this in the insurance market, where drivers are giving up driving habits, location, destinations and PII to get better rates.
We expect that more companies will take this approach with online data as well and use cybersecurity fears and concerns over privacy to drive pricing structures.
Consumers will increasingly be faced with a data conundrum – provide more personal information for basic service, or upgrade and spend more money on premium services that require less personal information and provide greater levels of security.
In parallel, small and midsize organizations that have been 'priced out' of adequate security options, particularly against threats like ransomware, may also be able to make trades for better protection. In the meantime, the emergence and greater adoption of automated security solutions will help close the gaps between available skills, budget and protection.
The agile enemy – hacker collaboration. Unlike private business and government organizations, cybercriminals are not bound by IP, data privacy, budgets or other concerns. We expect to see hacktivists, nation-based attackers and cyber-criminals accelerate use of the tools used to learn from each other's attacks – and identify de facto best practices to emulate them on broader scales.
Agile approaches to spur greater black hat collaboration will enable attackers to ‘improve on' existing malware and viruses like Stuxnet, Carbanak and most recently Shamoon, to unleash a new wave of threats.
These more dangerous attacks will put pressure – potentially regulatory or merger and acquisition related – on public and private organizations to step up collaboration and prioritize ways to incorporate intelligence gained from these attacks into new innovations meant to combat cyber threats and beat the attackers at their own game.
The ratio of detection and prevention budgets will change, with more money going to detection. Additionally, budgets will begin to have specific allocations for advanced threat detection. As breaches continued this year, more CISOs started to consider more budget allocation to detection systems so attackers inside the network could be identified and stopped. Historically, more than 75 percent of IT security technology budgets are spent on preventative solutions and their maintenance. However, a recent survey by Pierre Audoin Consultants among 200 decision makers showed they expected to spend 39 percent of their overall IT security budget on detection and response within two years. Gartner has also come out projecting that by 2020, 60 percent of security budgets will be allocated for rapid detection and response approaches.
Deception technology will enter the mainstream for advanced threat detection. The shift from Intrusion Detection and Prevention stand-alone solutions to inclusion in Next-Gen Firewalls will continue, and a new category of Advanced Threat Detection solutions will emerge to close the gap for detecting signature-less or unknown attacks, in-network lateral movement, and insider and stolen credential attacks. Deception technology will be a preferred solution for Advanced Threat Detection. Gartner has called out deception as an automated responsive mechanism representing a sea change in the capabilities of the future of IT security. They have stated that deception is the most advanced approach for detecting threats within a network and acknowledged it as a top 10 security trend for 2015 and 2016, and we predict again for 2017.
The number of days before hidden attacks are discovered will decrease. According to a variety of sources, malware continues to go undetected within companies for months – with some detections occurring after as many as 200 days. With more emphasis on detection technology, there will be a decrease in dwell time and an increase in the number of breaches being detected by companies' internal teams, whereas, historically, only 1 in 5 breaches are detected internally. I predict that by the end of 2017 this number will increase to 50 percent of all breaches being detected internally by customers, enforcement agencies, and other interested third parties.
There will be an increased focus on improving incident response speed and efficiency. Vendors will continue to collaborate in sharing information and on integrating their solutions enabling the sharing of data and to provide security teams with a single source for the collaboration of attack information. Collaboration will allow teams to see real threats they might have missed on their own based on a partial view of threat activity throughout the network. Operational efficiency will be increased significantly, providing better detection, quick remediation, and more effective incident response at the time of attack.
POS malware breaches will increase. It may appear that the number of breaches of retailers and the customer records being stolen is reducing. This in fact is a misnomer. The number of breached records is reflecting as lower only because less information is being disclosed on the number of records being stolen and since the attacks are shifting their focus on different segments, retail to travel to restaurants.
Attackers are also moving downstream and focusing more on smaller retailers and businesses, as there are more of them and they have less sophisticated IT infrastructure. The core problem around Point of Sale (POS) breaches also remains largely unaddressed. There are still thousands of POS systems that are not running any form of anti-virus software because they are running on older Windows XP operating systems, and there is a "trust" relationship with asset management servers. With one compromise of the asset management system, malware can be distributed unnoticed to POS terminals en masse. With this compromise, attackers can also open communications to continue to update new variants of malware, commands, and exfiltration of data. This is an extremely high-risk vulnerability that can go undetected for months to years before the breach is discovered. Also, with the increased use of the TOR network and the value of data being sold on the DarkWeb commanding from $5-$30 per stolen credit and debit card, the incentive to continue to attack POS systems will remain high.