The Next Tier Trend Micro Security Predictions for 2017
People waking up to the threat landscape of 2017 will say it is both familiar and uncharted terrain. After all, while our predictions for 2016 have become reality, they only opened doors for more seasoned attackers to explore an even broader attack surface. In 2016, online extortion exploded, a smart device failure indeed caused damage, the need for Data Protection Officers (DPOs) became ever more pressing, and data breaches became as commonplace as ever.
New challenges will arise in 2017. Ransomware operations will break off into several routes—fuller, as more variants are produced; deeper, as well-planned targeted attacks are launched; and wider, as threats affect nondesktop targets like mobile and smart devices. Simple-but-effective Business Email Compromise (BEC) attacks will become cybercriminals’ next new favorite, while we will begin to see more hard-hitting Business Process Compromise (BPC) attacks like the US$81-million Bangladesh Bank heist. More Adobe and Apple vulnerabilities will be discovered and exploited. Even innocuous smart devices will play a role in massive distributed denial-of-service (DDoS) attacks, and Industrial Internet of Things (IIoT) devices will be targeted by threat actors. The General Data Protection Regulation (GDPR) implementation looms nearer, and as enterprises scramble to change processes to comply, administrative costs for those affected will skyrocket, even as they grapple with threat actors worldwide bent on infiltrating their networks for various motives. This is the next tier of digital threats, requiring next-level solutions.
Trend Micro has been in the security business for more than two decades now. Our real-time monitoring of the threat landscape, along with the findings of our Forward-Looking Threat Research (FTR) Team, has allowed us to understand the different drivers that determine how the landscape moves and where it is heading. Read on to see what 2017 and beyond look like.
1. Ransomware growth will plateau in 2017, but attack methods and targets will diversify.
We accurately predicted that 2016 would be the “Year of Online Extortion.” Ransomware’s attack chain—combining a wide array of delivery methods, unbreakable encryption, and fear-driven schemes—transformed this old favorite into a foolproof cybercriminal cash cow. Ransomware-as-a-service, a setup where a ransomware operator rents his infrastructure to cybercriminals, encouraged even the nontechnical to get into the game. Also in 2016, some ransomware code was shared with the public, allowing hackers to generate their own versions of the threat. These resulted in a staggering 851% spike in the number of ransomware families from January to September.
We predict a 25% growth in the number of new ransomware families in 2017, translating to an average of 15 new families discovered each month. Although the tipping point has passed in 2016, a period of stabilization will push competing cybercriminals to diversify, hitting more potential victims, platforms, and bigger targets.
We also predict that ransomware will become an increasingly commonplace component of data breaches. Cybercriminals will first steal confidential data to sell in underground markets, then install ransomware to hold data servers hostage, doubling their profit.
Mobile ransomware will likely follow the same trajectory as desktop ransomware given how the mobile user base is now a viable, untapped target. Nondesktop computing terminals like point-of-sale (PoS) systems or ATMs may also suffer extortion-type attacks.
There is currently little value in taking smart devices hostage, as the effort to attack them outweighs the possible profit. For example, it is easier and cheaper to replace a hacked smart lightbulb than to pay the ransom. On the other hand, attackers threatening to take control of a car’s brakes while it is on the expressway might turn a profit, but again, the effort required to perform such an attack does not make it a very viable means of extortion.
It is now clearer to enterprises that suffering a ransomware attack has become a realistic possibility and a costly business disruption. Ransomware (against industrial environments) and IIoT attacks will cause bigger damage as threat actors can get more money in exchange for getting a production floor back online, for instance, or switching facility temperatures back to safer ranges.
While there is no silver bullet that can protect potential targets from ransomware attacks 100% of the time, it is best to block the threat at its source, via Web or email gateway solutions. Machine-learning technology is likewise a strong complement to multilayered security that can detect even unique and newly created ransomware.
2. IoT devices will play a bigger role in DDoS attacks; IIoT systems in targeted attacks.
Thousands of webcams that people didn’t think twice about securing became the stronghold for the Mirai DDoS attack that took down major websites. Connected devices, like sleeper agents, are innocuous until activated by cybercriminals. We predict that in 2017, more cyber attacks will find the Internet of Things (IoT) and its related infrastructure front and center, whether threat actors use open routers for massive DDoS attacks or a single connected car to stage highly targeted ones.
We predict that cybercriminals will use Mirai-like malware in DDoS attacks. From 2017 onward, service-oriented, news, company, and political sites will get systematically pummeled by massive HTTP traffic either for money, as a form of indignation, or as leverage for specific demands.
Unfortunately, we also predict that vendors will not react in time to prevent these attacks from happening. In the Mirai attack, webcam recalls were indeed triggered by the vendor, but it did not exactly prompt similar code reviews on unaffected but still controllable connected devices. Therefore, there will always be a potent attack surface available to threat actors.
Likewise, as IoT introduces efficiencies into industrial environments like manufacturing and energy generation, threat actors will build on the effectiveness of the BlackEnergy attacks to further their own ends. Together with the significant increase in the number of supervisory control and data acquisition (SCADA) system vulnerabilities (30% of the total number of vulnerabilities found by TippingPoint in 2016), the migration to IIoT will introduce unprecedented dangers and risks to organizations and affected consumers in 2017.
These dangers can be proactively addressed by vendors who sell smart devices and equipment by implementing security-focused development cycles. Barring that, IoT and IIoT users must simulate these attack scenarios to determine and protect points of failure. An industrial plant’s network defense technology must, for instance, be able to detect and drop malicious network packets via network intrusion prevention systems (IPSs).
3. The simplicity of Business Email Compromise attacks will drive an increase in the volume of targeted scams in 2017.
Targeting finance departments worldwide, BEC is about hacking an email account or tricking an employee to transfer funds over to a cybercriminal’s account. There is nothing special about the attack, except perhaps the reconnaissance required to gain insights into the best way to craft a believable email—but even that is often just a well-designed search engine query away.
We predict that this simplicity will make BEC, specifically CEO fraud, a more attractive mode of attack for cybercriminals. The scam is easy and cost-effective, not requiring much in terms of infrastructure. Yet the average payout for a successful BEC attack is US$140,000—the price of a small house. The total estimated loss from BEC in two years is US$3 billion. In comparison, the average payout for a ransomware attack is US$722 (currently 1 Bitcoin), which could reach up to US$30,000 if an enterprise network is hit.
The relative payout speed will also drive this projected increase. Based on our BEC research using Predator Pain cases, attackers were able to net US$75 million in just six months. The slower wheels of justice when it comes to cross-border crime, meanwhile, will increase the threat’s attractiveness. For instance, it took over two years before a Nigerian national got arrested for scamming several companies since 2014.
BEC is especially hard to detect because these emails do not contain malicious payloads or binaries, but enterprises should be able to block these threats at the source using Web and email gateway solutions. These security technologies will be able to identify abnormal traffic and malicious file behaviors or components, but defending against BEC scams will remain difficult if victims continue to willingly hand over money to cybercriminals. Companies must implement stringent policies for normal and out-of-the-ordinary transactions, which include layers of verification and thresholds for large sums requiring more validation, before executing transfers.
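The two defensive layers described above, payload-free detection at the mail gateway and tiered verification before a transfer is executed, can be illustrated in code. The following is an added example, not Trend Micro code or any product's logic: it scores inbound mail headers for the CEO-fraud indicators the text mentions (an executive's display name on an external address, a lookalike sender domain, a Reply-To that diverges from From, and urgency/payment wording) and enforces an approval policy in which larger sums need more distinct approvers and an unverified payee is blocked outright. The company domain example-corp.com, the executive list, the approval thresholds and the sample messages are all constructed for the example.

```python
"""Added example (not Trend Micro's code): heuristic BEC scoring for mail headers
plus a tiered transfer-approval check. All domains, names, thresholds and
messages below are constructed for illustration."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real mailbox (constructed)
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "immediately")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as example-c0rp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(headers, body):
    """Return (score, reasons) for one message. headers maps header names to values.
    No attachment or URL analysis is done: BEC mail typically carries none."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    display, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # 1. An executive's display name arriving from an address that is not theirs.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        reasons.append("executive display name on non-corporate address")
    # 2. Sender domain within two edits of the real one (typosquat / homoglyph).
    if domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    # 3. Reply-To steering the conversation to a mailbox the attacker controls;
    #    this also fires when a genuine executive account has been hijacked.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        reasons.append("Reply-To differs from From")
    # 4. Payment pressure wording in subject or body.
    text = (headers.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("payment/urgency wording: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed approval policy: (inclusive upper bound in USD, distinct approvers required).
APPROVAL_TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]


def transfer_allowed(amount, approvers, payee_verified):
    """Run before any wire leaves. payee_verified means the bank details were
    confirmed over a second channel (e.g. a callback to a number already on
    file, never one taken from the requesting email)."""
    if amount <= 0:
        return False, "invalid amount"
    if not payee_verified:
        return False, "payee details not verified out of band"
    required = next(n for limit, n in APPROVAL_TIERS if amount <= limit)
    distinct = len(set(approvers))
    if distinct < required:
        return False, f"{required} distinct approvers required, {distinct} given"
    return True, "approved"


# Constructed sample messages: lookalike-domain fraud, a benign mail, and a
# hijacked genuine account with a redirected Reply-To.
SAMPLES = [
    ({"From": "Jane Doe <jane.doe@example-c0rp.com>", "Subject": "Urgent wire transfer"},
     "Please process this transfer immediately and keep it confidential."),
    ({"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 roadmap"},
     "Attached is the roadmap for review."),
    ({"From": "Jane Doe <jane.doe@example-corp.com>",
      "Reply-To": "ceo.jane@mail.example", "Subject": "Vendor payment"},
     "Wire the transfer today, I am in meetings all day."),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        score, reasons = score_message(headers, body)
        print(headers["From"], "->", score, reasons)
    print(transfer_allowed(140_000, ["alice", "bob"], True))
    print(transfer_allowed(140_000, ["alice", "bob", "carol"], True))
```

The hijacked-account sample is the case the gateway heuristics alone cannot settle: the sender address is genuine, so only the Reply-To divergence and wording fire, which is why the transfer policy, not the mail filter, is the control that has to hold. Thresholds and indicator weights are deliberately simple; a production deployment would tune them against the organization's own mail flow.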
4. Business Process Compromise will gain traction among cybercriminals looking to target the financial sector.
The Bangladesh Bank heist caused losses of up to US$81 million. Unlike BEC, which relies on erroneous human behavior, the heist stemmed from a much deeper understanding of how major institutions processed financial transactions. We are calling this category of attacks “BPC.”
We predict that BPC will go beyond the finance department, although fund transfers will remain its most typical endgame. Possible scenarios include hacking into a purchase order system so cybercriminals can receive payment intended for actual vendors. Hacking into a payment delivery system can likewise lead to unauthorized fund transfers. Cybercriminals can hack into a delivery center and reroute valuable goods to a different address. This already happened in an isolated incident in 2013, where the Antwerp Seaport shipping container system was hacked in order to smuggle drugs.
Cybercriminals staging BPC attacks will still solely go after money instead of political motives or intelligence gathering, but the methods and strategies used in these and targeted attacks will be similar. If we compare the payout between ransomware attacks in enterprise networks, the average payout of BEC attacks, and the potential gain in BPC attacks (US$20,000, US$140,000, and US$81 million, respectively), it is easy to see why cybercriminals or even other threat actors like rogue states in need of more funds will be more than willing to take this route.
Enterprises have limited visibility of the risks associated when business processes are attacked. The typical security focus is to ensure that devices do not get hacked into. Cybercriminals will take full advantage of this delayed realization. Security technologies like application control can lock down access to mission-critical terminals while endpoint protection must be able to detect malicious lateral movement. Strong policies and practices regarding social engineering must be part of an organization’s culture as well.