The what, how and why of the cyber security threat landscape
- Published: Wednesday, 08 February 2017 06:31
David Emm, principal security researcher at Kaspersky Lab, describes the cyber security threats that are emerging and why these trends are occurring.
The starting point for understanding the cyber security landscape in 2017 is to look at what data is generated, how it is used and where it is stored. Online behaviour and habits shape how and where data is generated. We live in a connected world, with more connected devices by the day and greater volumes of sensitive data. With the growing influence of the Internet of Things (IoT) it is no surprise that we are creating more opportunities for attackers.
In 2017, we will see:
- More data means greater motivation for attacks. An increasing number of entry points means it is easier for attackers to infiltrate and gain access to this data. Just this month, the Consumer Electronics Show (CES) highlighted a plethora of new Internet-connected devices, with everything from light bulbs to daisy dukes.
- Given the masses of data they gather, it’s likely that advertising networks will be targeted by advanced cyber espionage actors to increase the accuracy with which they plan and hit targets.
- We think that financial attacks will become commoditised, with the emergence of middlemen offering specialised tools and other resources for sale in underground forums, and even the development of ‘as-a-service’ schemes.
- There will be an increase in attack and espionage campaigns targeted primarily at mobile devices. During 2016, mobile Trojans continued their growth, doubling their presence compared with the previous year (occupying 22 places in the top 30 in 2016, versus just 11 in 2015). Attacks are also growing in sophistication. Given our increasing dependence on mobile devices, it’s likely that we will see the emergence of mobile-specific cyber espionage campaigns.
A look now at how attackers are likely to be evolving and operating in 2017 uncovers some vital areas for consideration and awareness:
- The emergence of APT (advanced persistent threat) campaigns with different bespoke modules for each victim will mean that the value of traditional ‘indicators of compromise’ (IoCs) will decrease. Organizations will be forced to complement IoCs with broader rules and expertise – including, for example, the use of YARA rules.
- The appearance of more memory-resident-only malware is likely in 2017 and beyond. The downside of such malware is that it can’t survive a reboot; but what attackers lose in persistence, they gain in stealth – it leaves no footprint on the victim’s hard drive. Such malware is likely to be deployed in highly sensitive environments by stealthy attackers keen to avoid arousing suspicion or discovery.
- In 2016, the world started to take seriously the dumping of hacked information for aggressive purposes. Such attacks are likely to increase in 2017. There is a risk that attackers will try to exploit people’s willingness to accept such data as fact by manipulating or selectively disclosing information – for example, to lay the blame for an attack on others.
- There will be more espionage campaigns targeted primarily at mobile devices, capitalising on their widespread use to store sensitive data and the opportunity presented by the fact that the security industry can struggle to gain full access to mobile operating systems for forensic analysis or to install protective technology.
- Critical infrastructure and manufacturing systems will remain vulnerable to cyber attack, possibly resulting in a major industrial incident.
The core motivations for attacks will be to demonstrate capability, to threaten, to support a bigger cause and, for the majority, to make money. Broadly, these motivations can be grouped as follows:
- The theft of banking and other credentials to make money directly, or to sell on to others for criminal purposes, will continue to be the dominant motivation for attacks, with criminals seeking the opportunity to make quick and easy profits.
- In particular, ransomware will continue to be a highly prevalent cyber attack. The cyber criminals behind ransomware are not only diversifying in terms of technical approach, but they are also finding new social engineering tricks to spread their malicious programs: for example, one such program offers to waive the ransom fee if the victim forwards the malware to two other people.
- There will be a rise in ‘vigilante hackers’ hacking and dumping data, allegedly for the greater good.
- The ‘gamification’ of cyber attacks is likely to continue into 2017. Hacking groups are starting to reward people who successfully hit designated victims. This gaming element is designed to incentivise hackers – a shadow image of the bounty programmes offered by legitimate companies for researchers who identify vulnerabilities in their software.