Cybersecurity predictions and wish list for 2018

Google researched from March 2016 to March 2017 in black markets and found the following:

• 788,000 credentials that were stolen via keyloggers,
• 12 million were stolen via phishing, and
• 3 billion were exposed by third-party breaches.

According to the third edition of the Hacker’s Playbook Findings Report, published by SafeBreach in December 2017, of the 3,400 security breach methods tested, the malware infiltration success rate reported was in excess of 60 percent. More significantly, once an enterprise is breached, hackers can navigate laterally through the network at an astounding rate more than 70 percent of the time.

Global ransomware costs are expected to exceed $5 billion by the end of 2017.

It is estimated that 3 trillion dollars were stolen in cybercriminal activity in 2016. Some believe that the dollar amount attributed to cybercrime could easily triple in the next few years.

What are some of the things we expect to see and/or increase in 2018:

• One or more Internet of Things botnets will cause outages, DDoS or wreak other types of havoc once again similar to Mirai. Examples of two recently discovered IoT botnets are Reaper and Satori. They won’t be the last. They could be exploited through the vulnerable interfaces, default passwords, the connected cloud or wherever the weakest link is in the entire IoT ecosystem.
• Cybercrime as a service will expand. You no longer have to be a hacker/coder to run a botnet, distribute ransomware or take over computers. You can start as inexpensively as a few hundred dollars to start your own cybercrime business. Technical support may be better than software support at major tech companies.  No command line, just point and click and you are in business. Not only that, the exploits you purchased may come with a performance guarantee. 
• More leaks of zero day code will take place such as Vault 7 and 8 by Wikileaks that will enable attackers to easily compromise their victims until patches are developed and actually installed.
• The dwell time from discovering a vulnerability, to releasing the exploit and taking advantage of that vulnerability will continue to decrease.
• We will see more legitimate software being modified for malicious purposes utilizing legitimate digital certificates. Continual verification of code validity will become more important.
• We will see the beginning of the cyber machine learning arms race pitting cyber defenders’ machine learning versus cyber attackers’ machine learning code.
• We will see the cyber weaponization of Fake News in online media.
• Ransomware will continue to evolve utilizing new targets, objectives and technology. Examples could be: being locked out of the home (IoT/smarthome locks), automobiles and demanding ransom as a result.
• Bitcoin and cryptocurrency mania will become a large draw for cybercriminals that will steal from exchanges as well as individuals taking advantage of the easiest targets and vulnerabilities.
• We will continue to see less traditional malware like executables and more fileless malware, exploits with the intent of moving to command line, hijacking user credentials, elevating privileges, then utilizing legitimate processes/utilities like Powershell, Win32 to exploit computers. Advanced endpoint security will be required more than ever to be able to recognize what is and is not malicious.
• More compromised computers will contain APT (Advanced Persistent Threat), a persistence that cannot be cleaned unless every last change to the computer has been recorded and can be reversed by Next Generation Endpoint protection solutions. The alternative is a full-disk wipe and complete re-imaging.
• Advanced adversaries will utilize attacks on firmware/hardware vulnerabilities which most antivirus will not detect.
• We will see at least one lawsuit prosecution take place that will utilize evidence gathered from recordings of Amazon Alexa, Google Home or similar devices that listen to your every word.
• There will be some major breaches in public cloud and online repositories such as GitHub exposing private keys, passwords, privileged information and possibly intellectual property.
• A company outside of the EU will have a breach that results in violation of the GDPR with fines worth millions of dollars.

Wish list:

• Boardroom and CISO work together to communicate and understand the risks to the business. Working together to refresh their technology, visibility, processes and defenses in reasonable cycles much faster than in previous years.
• Realize that most GRC compliance is an excellent start, a foundation of sorts for starting a risk management program; however, this should not be considered an end goal but a beginning. Ask a good Red Team if compliance by itself will stop them from completing their task of penetrating your network. The answer is highly unlikely.
• The patch cycle for laptop and desktops needs to be reduced to days, eventually even hours instead of weeks or months.
• All people involved in cyber resilience decision making and planning do not under estimate their adversaries.
• Artificial Intelligence and machine learning will be necessary for cyber defense since the attackers will be utilizing it as well.
• IoT devices, especially consumer devices, will be provided with regular security updates ideally for a minimum of least five years. More contracts for business and industrial devices will have this explicit requirement of manufacturer’s support of security patches to be placed in writing.
• IoT devices will go through some type of security certification program before they can be sold to the consumer or industry.
• Cyber compliance to laws and regulations should be considered part of a risk management program to avoid fines and other legal penalties, but should not be considered the risk management program. Compliance to these laws and regulations should be viewed as part of an audit function.
• Regulators should understand if their requirements for compliance to their cybersecurity standards are onerous, they may actually take budget and resources away from risk management projects that could reduce risk even more than the standards they put in place.
• Don’t be overly reliant upon Indicators of Compromise. The cybercriminals can change malware hashes, domains and IPs as fast or faster than your analysts can verify them. A large percentage of them may end up being hindsight, simply historical indicators and not forward indicators that can be relied upon.  Only IoC’s from slow moving adversaries will be of use.
• More focus needs to be on TTPs (tools, techniques and procedures) and less on IoCs (Indicators of Compromise.)

Just because your business is compliant to current required standards does not mean you are secure.

This is a year where cyber defenders will not be able to rest on their laurels.  All will have to adapt faster, better with greater visibility using every tool we have at our disposal.