Virtual Case Notes: What to Expect for Cybersecurity in 2018


January 15, 2018 12:00 AM

Ransomware, leaked exploits, mobile hacks and more have made 2017 a year of unexpected threats and breaches of unprecedented magnitude. Since it began in March, Virtual Case Notes has been covering the events, issues and research that reflect an evolving world of highly motivated hackers and those fighting to keep up with a barrage of new threats. Over the months, we have looked at unique methods of biometric authentication, surprising strategies for hackers to steal information, and how malicious actors buy and sell tools and services in an emerging cybercrime economy.

This week, I spoke with two cybersecurity experts—Carl Herberger, vice president of security at Radware, and Andrea Little Limbago, chief social scientist at Endgame—about what 2018 is likely to bring to the world of cybersecurity, and what we can learn from last year’s events.

IoT Continues to Connect the World—to Hackers

The internet of things—the ever-growing network of web-connected devices, objects, appliances, vehicles, toys, accessories and more—has added new levels of convenience, functionality and efficiency to everyday life. It has also opened up countless new avenues for hackers, who can crack these devices to gain access to a larger system, or take them hostage to use for their own nefarious purposes.

Last year already saw the internet of things put to the test in both proof-of-concept and real-life scenarios. Researchers created hacked lamps to read keystrokes and hacked surveillance cameras to take orders from infrared signals, while real-world cybercriminals infiltrated IoT devices for their botnets and denial of service attacks. Cyber enthusiasts at the annual DefCon conference tested their skills hacking connected cars and voting machines, and one hacker even spread a device-destroying malware called BrickerBot—first discovered by Radware researcher Pascal Geenens—allegedly to raise awareness about the vulnerability of these devices.

The IoT will become even more prevalent as new devices flood the market, filling every corner of homes, businesses and public facilities—and even ending up in the hands of young children. This growth will force developers and regulators to acknowledge these devices’ impact on cybersecurity as the scope of their influence increases.

“The result of unsecure connected devices is an environment where hacks and new threats thrive. IoT security has proven to be an issue with global consequences, and hackers will continue to evolve their tactics, using automation, AI, and other tools to increasingly threaten our security,” Herberger, of Radware, explained. “These threats will only grow until significant changes are made to how IoT security is implemented and regulated. As we look to the future of connected concepts and devices - driverless cars, smart cities, and all other IoT systems - it is clear their development is dependent upon improvements to IoT security.”

Threats—and Defenses—Get Automated, Intelligent

Artificial intelligence is another innovation that has drastically changed the world over the last few years. Once science fiction, AI is now integrated into many everyday experiences and industries, from our interactions with our phones and our immersion into video games, to the machines in a factory and robotics in a laboratory.

But AI is also a potential weapon in the hands of hackers who will use its ability to quickly learn and predict to evade cyber defenses and automate certain attacks. In July, I spoke with Black Hat conference speaker and technical director of data science at Endgame Hyrum Anderson about machine learning malware “factories” that will relentlessly test defenses until they find a way in. As Anderson told me, the best defense against this kind of attack is to have a defense system that can also learn and improve itself.

Herberger said AI can also be a valuable defense against other types of automated threats, such as botnets. This type of defense will be important in what Herberger, in a blog post on Radware’s website, says will likely be the “Year of Automation.”

“Cyber-attacks are increasingly automated. We’re already facing a barrage of botnets and other automated tools that execute large and frequent attacks,” Herberger explained. “Businesses need automated protections that can keep up with the size and scale of these new threats to protect their organization. Many cybersecurity applications already use some form of AI to detect attack patterns, abnormal web traffic, and other anomalies, but it is likely we will see rapid expansion and adoption of AI security tools in 2018 to keep up with today’s evolving threats.”

Last Year’s Events Will Bring More Attention to State-Sponsored Attacks, Cryptocurrency

We may not have a crystal ball to see into the future, but we can learn from the things we experienced last year to predict what might take center stage this year. Two of 2017’s most notable cyberattacks—the WannaCry and NotPetya ransomware attacks—both brought attention to potential financial motives and made “ransomware” more of a household name than ever before. And despite it being taken down by the FBI and partners in July, the revelation of dark web marketplace AlphaBay’s popularity and success shone a light on the appeal of untraceable and highly valuable cryptocurrencies.

But greedy individuals looking to make a quick buck were not the only cybercriminals exposed last year. With the U.S. and five other countries placing responsibility for the WannaCry attack on North Korea, and experts observing that NotPetya appeared “intent on havoc, not extortion,” state-sponsored cyber sabotage emerged as a dangerous force to be reckoned with in 2017.

Limbago, from Endgame, says the biggest players and usual suspects are not the only entities to look out for when it comes to international threats.

“We generally associate state-sponsored attacks with major powers, but with the open source proliferation of digital weapons, smaller countries and non-state groups are leapfrogging and deploying many of the same strategies and tactics as major powers,” she explained. “Over thirty countries are building offensive cyber capabilities according to an intelligence estimate early last year, and that number is only going to continue to grow, as is the range of entities targeted.”

Data Protection Rules Will Go Into Effect—But Not All Will Comply

In April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR), which sets a May 25, 2018 deadline for all companies that collect data on EU citizens to comply with certain standards to protect that data. This includes giving users a way to access their own data, have their data erased, and be notified if there is ever a breach in which their data may have been exposed, among other requirements.

Although this is a European regulation, businesses in many countries, including the U.S., will still be affected, and potentially face millions of dollars in fines for failing to shield users’ data. Despite this risk, many predict that a large number of companies will not be compliant by the May deadline—for example, senior editor of CSO Michael Nadeau predicts that “many, if not most, U.S. companies will not meet GDPR compliance by deadline.” This means 2018 may be the year we see how things play out when the stakes are raised, and penalties put pressure on companies to better protect the data of their patrons.

“The true impact of GDPR compliance likely will not be felt until the first high profile non-compliance case brings the regulations closer to home, especially if it occurs in a non-EU headquartered company. Until that happens, and despite the potential for hefty fines, the risk calculus for GDPR compliance may still tilt in favor of non-compliance,” Limbago predicted. “Proactive companies who do want to prepare ahead of time can fortunately follow many of the tenets of good ‘cyber hygiene’ that make them more secure. This includes maintaining greater visibility into what kind of data they collect and where it is held. Similarly, corporate resilience greatly depends on well-planned responses to breaches, including both the PR and the technical aspects. For companies without such a breach notification strategy, the GDPR can serve as a forcing function that also makes strong business sense.”
