Profile of a hacker in 2017

by Mark Rowe

David Emm, principal security researcher at Kaspersky Lab, looks at the cyber threats in 2017.

The starting-point for understanding the cyber-security landscape in 2017 is to look at what data is generated, how it is used and where it is stored. Online behaviour and habits shape how and where data is generated. We live in a connected world, with more connected devices by the day and greater volumes of sensitive data. With the growing influence of the Internet of Things (IoT) it is no surprise that we are creating more opportunities for attackers. In 2017, we will see:

– More data means greater motivation for attacks. An increasing number of entry points means it is easier for attackers to infiltrate and gain access to this data. Just this month, the Consumer Electronics Show (CES) highlighted a plethora of new Internet-connected devices, with everything from light bulbs to daisy dukes.

– Given the masses of data they gather, it’s likely that advertising networks will be targeted by advanced cyber-espionage actors to increase the accuracy with which they plan and hit targets.

– We think that financial attacks will become commoditised, with the emergence of middlemen offering specialised tools and other resources for sale in underground forums, and even the development of ‘as-a-service’ schemes. In 2016, following the theft of $100 million in just two hits, many banks were forced to improve their authentication and SWIFT software update procedures, but they are still languishing behind where they need to be.

– There will be an increase in attack and espionage campaigns targeted primarily at mobile devices. During 2016, mobile Trojans continued their growth, doubling their presence compared with the previous year (occupying 22 places in the top 30 in 2016, versus just 11 in 2015). Attacks are also growing in sophistication. Given our increasing dependence on mobile devices, it’s likely that we will see the emergence of mobile-specific cyber-espionage campaigns.

How?

A look now at how attackers are likely to be evolving and operating in 2017 uncovers some vital areas for consideration and awareness:

– The emergence of APT (Advanced Persistent Threat) campaigns with different bespoke modules for each victim – such as ProjectSauron – will mean that the value of traditional ‘Indicators of Compromise’ (IoCs) will decrease. Organisations will be forced to complement IoCs with broader rules and expertise – including, for example, the use of YARA rules.

– The appearance of more memory-resident-only malware is likely in 2017 and beyond. The down-side of such malware is that it can’t survive a re-boot; but what attackers lose in persistence, they gain in stealth – it leaves no footprint on the victim’s hard drive. Such malware is likely to be deployed in highly sensitive environments by stealthy attackers keen to avoid arousing suspicion or discovery.

– In 2016, the world started to take seriously the dumping of hacked information for aggressive purposes. Such attacks are likely to increase in 2017. There is a risk that attackers will try to exploit people’s willingness to accept such data as fact by manipulating or selectively disclosing information – for example, to lay the blame for an attack on others.

– There will be more espionage campaigns targeted primarily at mobile devices, capitalising on their widespread use to store sensitive data and the opportunity presented by the fact that the security industry can struggle to gain full access to mobile operating systems for forensic analysis or to install protective technology.

– Critical infrastructure and manufacturing systems will remain vulnerable to cyber-attack, possibly resulting in a major industrial incident.
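The first point above, that per-victim modules erode hash-style IoCs while content rules still match, shown as an added example that is not from the original article. It is a simplified YARA-style matcher in Python, not real YARA. The sample bytes, strings and rule name are constructed for illustration and are not indicators from ProjectSauron or any real campaign.

```python
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample(victim: str) -> bytes:
    # Constructed stand-in for a bespoke module: shared loader code plus
    # victim-specific configuration, so every build has a different hash.
    config = f"target={victim};beacon=dns".encode()
    return b"\x7fHDR" + b"ldr_init\x00" + config + b"\x00vfs_mount_%s\x00"

# Simplified YARA-style rule: named byte patterns and an "N of them" condition.
RULE = {
    "name": "bespoke_loader_family",  # hypothetical rule name
    "strings": {
        "$init": re.compile(rb"ldr_init\x00"),
        "$vfs": re.compile(rb"vfs_mount_%s"),
        "$cfg": re.compile(rb"target=[^;]{1,64};beacon=(dns|http)"),
    },
    "min_matches": 2,
}

def hash_ioc_hit(data: bytes, known_hashes: set) -> bool:
    # Traditional IoC: exact match on a file hash seen at an earlier victim.
    return sha256(data) in known_hashes

def rule_hit(data: bytes, rule: dict = RULE) -> bool:
    # Content rule: fires when enough family traits appear, whatever the hash.
    matched = [n for n, p in rule["strings"].items() if p.search(data)]
    return len(matched) >= rule["min_matches"]

def compare(known_victim: str, other_victims: list, benign: dict) -> dict:
    known = {sha256(build_sample(known_victim))}
    files = {v: build_sample(v) for v in [known_victim] + other_victims}
    files.update(benign)
    return {label: {"hash_ioc": hash_ioc_hit(data, known), "rule": rule_hit(data)}
            for label, data in files.items()}

if __name__ == "__main__":
    benign = {"readme.txt": b"plain text, target=none"}
    for label, hits in compare("org-a", ["org-b", "org-c"], benign).items():
        print(label, hits)
```

The hash IoC only recognises the build it was taken from, while the rule flags every build in the family and leaves the benign file alone.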

Why?

The core motivations for attacks will be to demonstrate capability, to threaten, to support a bigger cause and, for the majority, to make money. Broadly, these motivations can be grouped as follows:

– The theft of banking and other credentials to make money directly, or to sell on to others for criminal purposes, will continue to be the dominant motivation for attacks, with criminals seeking the opportunity to make quick and easy profits.

– In particular, ransomware will continue to be a highly prevalent cyber-attack. The cybercriminals behind ransomware are not only diversifying in terms of technical approach, but they are also finding new social engineering tricks to spread their malicious programs: for example, one such program offers to waive the ransom fee if the victim forwards the malware to two other people.

– There will be a rise in ‘Vigilante Hackers’ hacking and dumping data, allegedly for the greater good.

– The ‘gamification’ of cyber-attacks is likely to continue into 2017. Hacking groups are starting to reward people who successfully hit designated victims. This gaming element is designed to incentivise hackers – a shadow image of the bounty programmes offered by legitimate companies for researchers who identify vulnerabilities in their software.

Who?

What will a bad guy look like this year?

– More often than not, it comes down to money. The majority of the attacks will be done by existing cybercriminal networks seeking to make money, whether through random, speculative attacks on consumers, or through targeted attacks on corporations to steal financial and other data.

– Every business has intellectual property. Data is a valuable commodity. We will continue to see attacks designed to infiltrate organisations and steal sensitive corporate data. While attacks on big companies create headlines, targeted attacks affect businesses of all sizes.

– A handful of the most sophisticated attacks are sponsored by nation-states. In a connected world, it should come as no surprise to find that governments also make use of technology. Attribution is often impossible – not least because those behind an attack can set ‘false flags’ to throw researchers off the scent.


© 2024 Professional Security Magazine. All rights reserved.
