2016 has now come to an end and a new set of security predictions is being revealed. The past year has been a whirlwind tour of challenges and changes in the cybersecurity landscape. Targeted threat activity took on a new emphasis by focusing on both disinformation and weaponized, confidential information. Ransomware activity continued to grow and jumped to the OS X platform with the KeRanger malware. Finally, policies around the world have shifted towards protectionist strategies. Based upon this environment, Anomali has compiled a set of predictions for the upcoming year and near-term future.
Mail Dump Protection
In 2016, we saw a large number of mail spools dumped after they had been compromised. This tactic has been used many times over the years, including in February 2011 when LulzSec hackers dumped HBGary Federal’s email spool. The recent mail dumps had mild impact, while the mail spool dump in 2011 ultimately crippled the HBGary Federal company. In 2017 we expect leading organizations to renew their emphasis on protecting the confidentiality of their data, particularly sensitive mail spools. This will likely come in the form of greater file and email message encryption, and increased adoption of two-factor authentication.
Balkanization of the Internet
Many countries are focusing inward rather than on open-border and free-trade strategies. This includes recent changes in tax policy, where previous approaches to multinational corporate governance have come under the microscope of the world’s treasurers. Further initiatives are expanding into the internet realm, with new operating system initiatives being pursued to remove dependency upon foreign software, and foreign-hosted SaaS offerings being excluded from other countries, such as the Russian LinkedIn ban. Additionally, multiple governments are enhancing their surveillance initiatives, such as the Russian government’s requirement to hold all cryptographic keys needed to decrypt Internet traffic. We believe this will continue, resulting in an increasingly balkanized and separated internet. Governments are likely to require that their country’s data stays within their own law enforcement’s reach, rather than relying upon Mutual Legal Assistance Treaties (MLATs) for data access.
The Global Collections Threat
As nation-states balkanize the Internet, internet border collection systems will be enhanced. This will take forms similar to the Great Dam in China or the border initiatives in other countries. Russia has publicly announced efforts that can only be realized through these types of systems. Corporations and activists will become even more sensitive to the implications of bulk traffic interception, decryption and collection. Confidentiality concerns will become a mainstay threat to corporations and threat actors alike. Threat actors will subsequently encrypt more C2 channels by default.
Nation State Hacking
As nations draw inward and pull back from free trade, we expect that the diplomatic solutions in place to prevent nation-states from preying on corporate entities will falter. This will bring nation-states back to the front and center of threats.
A Shadow Adversary Arises
Over 60 countries have intelligence-based cyber initiatives. Thus far, very few of those countries’ operations have been publicly detailed. A handful of countries were clients of surveillance-as-a-service vendors such as HackingTeam and Gamma International. In western countries, the focus has most recently been on Russian and US operations, as Chinese APT operations have fallen out of the news. Chinese security companies have recently been exposing suspected US operations in actor reports. Over this next year we believe a previously unexposed country’s operations will be discovered and exposed. After this group is exposed, many security companies will dig into their data repositories, creating a years-long timeline of that group’s activity.
APT actors have been using cloud services for C2 channels for a few years now. There has been a continued evolution in this activity by many actor groups over the past two years. In 2017 we expect to see continued development of malicious software using cloud services. Security companies will not report on this activity for fear of losing potential clients.
Cloud Services Compromise
Cloud-based methods of persistence and compromise have been presented at many security conferences, including BlackHat and Defcon this past year. In 2017, we expect to see the leading security organizations begin to catch malicious actors breaching their cloud management infrastructure. Additionally, we expect to see malware purpose-built to capture cloud service credentials, similar to the banking trojans that are able to intercept two-factor authentication input. After malicious actors gain access to cloud infrastructure, we will see new methods of persistence established via the cloud management profiles. This activity will present a significant challenge for understanding intrusion timelines.
Cloud Vendor Compromise
Thus far, none of the large cloud storage / infrastructure companies have detailed a breach since the Aurora attacks on Google in 2009. In an environment where as many as 89% of healthcare organizations experienced a data breach in 2015, we aren’t hearing much about data breaches in the cloud and infrastructure companies that host the healthcare industry’s data and systems. In 2017, we expect that a major cloud vendor will be in the news for a significant security breach.
Mobile or IoT Ransomware
In 2017 we expect to see a continued evolution in ransomware. The Mirai malware has already demonstrated the ease with which IoT compromises can be automated. It’s only a matter of time before some enterprising ransomware authors decide that the hordes of unmanaged, non-backed-up webcams, routers and refrigerators can be held for ransom at a cheap price, with the threat of flashing the EPROM and bricking the devices otherwise. We also expect to see ransomware make the jump to mobile devices, where many people store their most cherished personal data.
Aaron began work in the security field after machines he was responsible for were compromised in the 2004 Stakkato intrusions. He then went to graduate school at Carnegie Mellon University’s Heinz College for Information Assurance, where he currently holds an adjunct position teaching Network Security Analysis. He has been a security researcher at the Software Engineering Institute’s CERT/CC initiative and at Dell SecureWorks, with a focus on responding to and analyzing threat intelligence.