Editor’s Note: These notes — as well as information posted from the FS-ISAC newsletter (permitted to be distributed without restriction) — were shared by operating partner (and former Chief Security Officer at Box) Joel de la Garza internally. They’ve both been reposted below as a resource for those interested in the topics.
Some of my quick thoughts on security trends this year
‘Passwordless auth’ becomes (even more) real
With the accelerating adoption of the WebAuthN standard and support for U2F showing up in Safari, it’s highly likely that large consumer websites will adopt a “passwordless auth” experience for users.
Discussions with industry peers indicate that major entertainment companies and others are considering limited tests of the technology to help reduce friction and the number of customer support calls for password issues.
Cloud configuration overtakes ‘phishing’ as top source of breached data
When the numbers are finally crunched for 2018 it’s likely that misconfigured cloud services will overtake phishing attacks as the number one source of breached personal records.
There have been a number of large breaches in the last year resulting from cloud service configuration errors — and there aren’t indications that this trend is changing.
‘New Cold War’ goes… warm, online
With a number of analysts claiming we have entered into a ‘New Cold War’ with China, and possibly Russia, early indications seem to be that that war will escalate online. In the past year, a number of previously dormant Chinese hacking groups have sprung back to life along with several high-profile Russian groups. These groups appear to be refining their operational security practices and looking to better mask attribution of their attacks. Critical infrastructure operators have been reporting an increase in activity that usually presages a larger campaign.
There have also been some concerns raised about another attack similar to the attack on the PG&E substation in San Jose in 2013. Law enforcement sources have indicated that potential reconnaissance operations have been conducted recently by nation-state agents.
Other notes on security released by various industry sources (via Financial Services – Information Sharing and Analysis Center)
from Forcepoint [source]
- The winter of AI
  - There is no real AI in cybersecurity, nor any likelihood for it to develop in 2019
- Industrial IoT disruption at scale
  - Attackers will disrupt Industrial Internet of Things (IIoT) devices using vulnerabilities in cloud infrastructure and hardware
- A counterfeit reflection
  - Hackers will game end-user face recognition software, and organizations will respond with behavior-based systems
- Courtroom face-off
  - 2019 will see a court case in which, after a data breach, an employee claims innocence and an employer claims deliberate action
- A collision course to cyber cold war
  - Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
- Driven to the edge
  - Consumer concern about breaches will cause companies to embrace edge computing in order to enhance privacy. Designers will face significant headwinds with adoption due to low user trust
- Cybersecurity cultures that do not adapt will fail
  - Industry-wide “security trust ratings” will emerge as organizations seek assurances that partners and supply chains are trusted partners
from Trend Micro [source]
- Consumers
  - Social engineering via phishing will replace exploit kits as attack vector
  - Chatbots will be abused
  - E-celeb accounts will be abused in watering hole attacks
  - Actual mass real-world use of breached credentials will be seen
  - Sextortion cases will rise
- Enterprises
  - Home networks in work-from-home scenarios will open enterprises to BYOD-like security risks
  - GDPR regulators will penalize the first high-profile violator the full 4
  - Real-world events will be used in social engineering attacks
  - Business email compromise will go 2 levels down the org chart
  - Automation will be a new wrinkle in business process compromise
  - Digital extortion’s wide field of application will be explored
- Governments
  - Fight against ‘fake news’ will buckle under the pressure of various elections
  - Innocent victims will get caught in the crossfire as countries grow their cyber presence
  - Regulatory oversight will intensify
- Security Industry
  - Cybercriminals will use more techniques to blend in
  - 99% of exploit-based attacks will still not be based on 0-Day vulnerabilities
  - Highly targeted attacks will begin using AI-powered techniques
- Industrial Control Systems
  - Real-world attacks targeting ICSs will become a rising concern
  - HMI bugs will continue to be the primary source of ICS vulnerabilities
- Cloud Infrastructure
  - Misconfigured security settings during cloud migration will result in more data breaches
  - Cloud instances will be used for cryptocurrency mining
  - More cloud-related software vulnerabilities will be discovered
- Smart Homes
  - Cybercriminals will compete for dominance in an emerging IoT ‘Worm War’
  - First case of senior citizens falling easy victims to smart health device attacks will emerge
- Getting ready for the year ahead
  - More unknowns require intelligent multilayered security for enterprises
  - Developers must embrace DevOps culture with security as a focus
  - Users must take up responsible digital citizenship and security best practices
from McAfee [source]
- Cybercriminal underground to consolidate, create more partnerships to boost threats
- Artificial intelligence the future of evasion techniques
- Synergistic threats will multiply, requiring combined responses
- Misinformation, extortion attempts to challenge organizations’ brands
- Data exfiltration attacks to target the cloud
- Voice-controlled digital assistants the next vector in attacking IoT devices
- Cybercriminals to increase attacks on identity platforms and edge devices under siege
from Kaspersky [source]
- No more big APTs
  - The security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.
- Networking hardware and IoT
  - Massive botnet-style attacks may affect IoT devices and critical infrastructure. Network hardware vulnerabilities could lead to a massive botnet-style compromise.
- Public retaliation
  - High-profile attacks, on the geopolitical stage, may be used to exploit the fear of uncertainty — giving rise to increased false flag incidents.
- Emergence of newcomers
  - The APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game. (South East Asia and the Middle East are regions where such groups are becoming more prevalent.)
- The negative rings
  - Citing Meltdown and Spectre as examples, expect an increase in the development and exploitation of lower level malware. Hypervisor and UEFI malware will continue to see growth.
- Your favorite infection vector
  - Listed as “the most successful infection vector ever”, spear-phishing is expected to play a bigger role going forward. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.
- Destructive destroyer
  - Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Citing Olympic Destroyer as evidence of their effectiveness, we expect to see more occurring, especially in retaliation to political decisions.
- Advanced supply chain
  - Supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and if it does, we will probably never know.
- And mobile
  - It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.
from Malwarebytes [source]
- New, high-profile breaches will push the security industry to finally solve the username/password problem
- IoT botnets will come to a device near you
- Digital skimming will increase in frequency and sophistication
- EternalBlue or a copycat will become the de facto method for spreading malware in 2019
- Cryptomining on desktops, at least on the consumer side, will just about die
- Attacks designed to avoid detection, like soundloggers, will slip into the wild
- Artificial Intelligence will be used in the creation of malicious executables
- Bring your own security grows as trust declines
from Symantec [source]
- Attackers will exploit artificial intelligence systems and use AI to aid assaults
- Defenders will depend increasingly on AI to counter attacks and identify vulnerabilities
- Growing 5G deployment and adoption will begin to expand the attack surface area
- IoT-based events will move beyond massive DDoS assaults to new, more dangerous forms of attack
- Attackers will increasingly capture data in transit
- Attacks that exploit the supply chain will grow in frequency and impact
- Growing security and privacy concerns will drive increased legislative and regulatory activity
from FireEye [source]
- Follow the leader
  - Without a deterrent, attackers are going to keep targeting networks and getting through
- Staffing, cloud, and consolidation
  - A lot of innovation in 2019 is going to deal with consolidation
- Intelligence declassified
  - …remain skeptical about what you read, especially on the internet
  - The supply chain can offer attackers access to multiple high value targets so that they can capture a wide range of information. Plus, if the threat actor is targeting deep enough in the supply chain, there’s a good chance that they can operate unnoticed.
- A view from the clouds
  - There have been a lot of cloud-related challenges throughout 2018 and we expect to see those continue and evolve as we move into 2019.
  - First, a lot of data is moving to the cloud and the attackers are going right along with it. We’re seeing a massive uptick in the number of incidents that involve cloud, and that’s really just attackers following the data. It’s not really about cloud being more or less secure.
  - Really, the question you should be asking is: Do you have visibility for the things that are going on in the cloud, and are you able to set up your security operations center (SOC) to be able to respond to something that happens?
- From the Files of FireEye Threat Intelligence
  - Restructuring of Chinese cyber espionage
  - China’s belt and road initiative to drive cyber espionage activity in 2018 and beyond
  - Iranian cyber threat activity against U.S. entities likely to increase following U.S. exit from JCPOA, may include disruptive or destructive attacks
  - Cyber norms unlikely to constrain nation-state cyber operations in the near future
  - Publicly available malware usage by FIN and APT groups
  - Abuse of legitimate services for command and control
- On assignment with FireEye Mandiant
  - Expect to see a spike in financial threat actors targeting e-commerce websites and gift cards
  - Russian targeting broadens, while emerging nations scramble to keep up
  - Continued shift from point of sale to e-commerce environments
  - Online banking portals in the crosshairs of attackers
  - Target: supply chain
- Under the lens of FireEye Labs
  - Social engineering is the most commonly used attacker technique because it works
  - As the threat landscape evolves, so does security
  - Business email compromise leveraged in targeted attacks
  - Use of emerging technologies to evade detection
  - Other evasive maneuvers
- Global Insights: APAC
  - The impact of skilled individual attackers and nation-state actors with skills but insufficient resources will be felt more strongly by organizations that have failed to keep up with security developments
  - Sights on the 2020 Olympics in Tokyo
  - Threat evolution
- Global Insights: EMEA
  - With attribution, cyber criminal activities will hopefully become harder to execute in the long run, and this could bring deterrence
  - The dark side of social media
  - Lack of resources introduces risk
  - The fight begins with attribution
  - Critical infrastructure attacks looming
- Global Insights: LATAM
  - Regions such as Latin America and Africa will become targets of more impactful attacks, which will be relevant enough to gain coverage in media outlets around the world
  - To stay ahead of threats in 2019, organizations need to begin shifting from a compliance-based approach to a security-based approach