Predictions 2018: Internet of Things Will Expand as Threat Vector

Millions of unsecure, Internet-enabled devices provide new threat surfaces that security operations experts will have to defend.

IoT.security

We’ve published a list of “prediction” articles here in eWEEK during the last few weeks as 2018 bears down upon us. We’ve touched on about 16 categories, including software, storage, cloud, IoT, artificial intelligence and others. Oh yes, we’ve also touched on key security trends to expect in 2018, compiled by our Sean Michael Kerner.

However, security is such a hot topic and we received so many good observations from people in the field, that we decided to publish several more of them. Good fodder for conversation among enterprise OPSEC staff members, perhaps.

Adam Isles, Principal at The Chertoff Group, a global advisory firm that provides security risk management, business strategy and merchant banking advisory services: We see six important risks we see for in 2018. They are:

  • Expansion of internet of things as a threat vector: “Millions of unsecure, Internet-enabled devices provide new threat vectors. Given the rapid proliferation of Internet of Things devices in advance of IoT-oriented security standards and configuration practices, expect these devices to be increasingly used as weapons for DDoS and other attacks.”
  • Evolution in nation-state activity tradecraft: “State actors are increasingly relying on capabilities – people and technology – with roots in organized crime. Certain governments will continue to expand their cyber operations, both cyberattacks and information warfare, but will do so by leveraging crime-related capabilities, which can complicate attribution.“
  • Increased use of software subversion to bypass security controls:  “Hijacking of trusted software and updates will continue to be an attractive target. As seen during the 2017 MeDoc and CCleaner incidents, adversaries are using 3rd party software as a viable new entry vector for malware.”
  • Advances in identity subversion as a tactic: “Malicious actors will continue to seek new ways of subverting identity as an end-run around cyber and fraud defenses.”
  • Increase in third-party risk: cloud service providers: “Organizations continue to struggle with the one of the weakest links in their technology environment – access between the organization in question and its 3rd party partners, in particular cloud service providers. Successful configuration management, system hardening, access management, etc. are all critical elements to a secure cloud strategy in 2018.”
  • Increase in disruptive and destructive attacks targeting industrial control systems: “The past decade has been punctuated with incidents targeting industrial control systems (ICS). Reference: Stuxnet, a 2014 attack that disrupted a German steel mill, a 2015 attack targeting Ukraine electric utilities, plus numerous other reconnaissance events. These attacks are expected to continue in 2018.”

Eugene Weiss, Lead Platform Architect, Barracuda: Mass ransomware will eclipse targeted ransomware.

“We are seeing a rapid increase in the volume of mass ransomware threats, and this trend will continue over the next one to two years. The growing availability of crypto-currencies provides the attacker with the possibility to remain anonymous while conducting mass attacks. By demanding a relatively small payment from a large number of victims, the attacker is able to run a ‘numbers game’ that increases the likelihood that he will earn a profit while remaining anonymous.  New cryptocurrencies that are more anonymous than Bitcoin will accelerate this trend, and the small payment sizes make it more likely that victims to pay.

“In contrast to the ‘numbers game,’ targeted ransomware involves a focused effort to penetrate a large and often well-protected entity. The successful targeted attack often involves several hours of research as well as trial-and-error attacks. With mass ransomware, attackers can cast a wide net and wait for victims to take the bait. The targeted attack also carries a higher risk of communications with the victim and an increased likelihood of sophisticated law-enforcement resources. Since smaller organizations continue to pay the ransom, mass ransomware has become a threat epidemic and will not slow down anytime soon.”

John Considine, General Manager of Cloud Infrastructure Services, IBM: As GDPR becomes a reality, cloud security growth and sophistication will skyrocket.

“GDPR becomes a reality on May 25, 2018 and will affect companies both in and out of the EU who handle the data of EU citizens. According to a GDPR readiness survey, almost 40 percent of businesses are fearful of a major compliance failing and the financial penalties for non-compliance are severe. As they navigate the complexities of GDPR, enterprises will double down on cloud security and focus on taking security measures to ensure their cloud apps protect personal data from loss, alteration, or unauthorized processing. In response, cloud service providers will continue to take extraordinary steps to ensure security is at the core of the entire cloud stack. Cloud security services will become more sophisticated with advancements to encryption capabilities, the continued integration of AI, and development of security services that work seamlessly across public, private and multi-cloud environments.”

Asaf Cidon, Vice-President of Content Security, Barracuda: Spear phishing will take an enterprise approach.

“Spear phishing will continue to grow as long as it continues to be successful for cybercriminals. These highly targeted attacks that leverage impersonation of an employee or a popular web service have been on the rise, and according to the FBI, have proven to be extremely lucrative for cybercriminals.

“These attacks will continue to grow in number as well as become more sophisticated in terms of how they research and target their victims. In 2018, there will be a large increase of multi-stage spear phishing attacks that involve multiple steps, research and reconnaissance on behalf of the attacker targeting a small number of targets for very large pay outs. Cybercriminals are now taking an ‘enterprise’ approach. Similar to B2B enterprise sales, they go after a smaller number of targets, with the goal of extracting a much greater payload with highly personalized attacks. The latest iteration in social engineering involves multiple steps. The sophisticated cybercriminals don’t try to target company executives with a fake wire fraud out of the blue. Instead, they first infiltrate the organization, and then use reconnaissance and wait for the opportune time to trick their targets by launching an attack from a compromised mailbox.

“Organizations will have to invest in cutting edge tools and tactics in order to thwart spear phishing attackers. Artificial intelligence for real-time spear phishing defense offers some of the best hope in stopping these cybercriminals in their tracks.”

Fleming Shi, SVP of Technology, Barracuda: We’ll see increased complexity of domain spoofing and brand hijacking.

“Domain spoofing has been rapidly increasing and will continue to grow through 2018. Spoofing is a type of impersonation attack that tricks the victim into thinking that a criminal is someone else. Criminals use domain spoofing to impersonate a company or a particular company employee. The criminals often send emails to customers or partners of the company in order to steal credentials and gain access to company accounts on behalf of a company to its customers and partners to steal credentials and gain access to their accounts. This is often the beginning of a multi-stage strategy to steal data and commit fraud with organizations that is quickly becoming the costliest cyber-attacks out there today.

“There has been a stark increase in volume of mass phishing attacks where cybercriminals are spoofing popular e-commerce and consumer brand names and websites aimed to both steal information. The actual names of the brands these attackers impersonate is less important than the tactic, as criminals quickly change brand names with new attempts. The goal is to convince the unsuspecting to either download malicious documents or login into a fake account resulting in surrendered account credentials – which then leads to all sorts of hurtful behavior.

"Attackers can take user credentials and retrieve credit card information, additional personal information, and learn more about their victim’s online behavior for future social engineering attacks. They will actually build websites that mimic actual brand name websites in the hopes to siphon victims during high times of shopping. Even though these counterfeit sites are not identical to these actual sites of the impersonated big brands, attackers are counting on the fact that most consumers do not buy direct from these brands directly, and therefore won’t recognize what their home page actually looks like.

“Brand hijacking in both emails and spoofed websites will only continue to grow in the next year, and both companies and consumers need to be on the guard, educated and ready for these threats to come around.”

Fleming Shi, SVP of Technology, Barracuda: We’ll see a growing threat on secure bank messages.

“We have seen a stark increase in email attacks that impersonate secure messages from financial institutions. These fake “secure messages” carry malicious content and malware for download.

Impersonation is one of the most common tactics used in email attacks because it works very well. These impersonation threats leverage the relationship a victim has with his bank and the associated trust the victim may have in his bank’s online communication. A victim who engages in online communication with the bank is usually of high value to these criminals. 

“These impersonation threats carry malicious word documents that often appear harmless, but include an embedded script that can be updated by attackers at a later date.  This script can be modified to deploy a variety of threats including ransomware or advanced persistent threats. These attacks are very difficult to spot by end users as the email domains used in this attack are designed to look like real emails that customers might receive from an actual bank. The volume of these attacks is rapidly increasing, so plan to see more of these fake secure messages in the coming year.” 

Thomas Fischer, Global Security Advocate of Digital Guardian: "Device kidnapping" will compromise IoT devices on a large scale.
Looking at vulnerabilities in IoT access and management that have already been disclosed, and putting them in the context of other attack trends and events – the criminal underground is awash in PII in 2017 (credentials as well as a wealth of information to affect account hijackings) – there is a picture of motive and opportunity for widespread ransoming of IoT devices. As discussed on the IoT Security Foundation website, while ransomware is easier to reverse on IoT devices than computers, timely and critical attacks will eliminate that advantage and victims, unable to counter the effects of the ransomware, will be more willing to pay the ransom. Possible scenarios include ransoming pacemakers or infusion pumps shortly after surgery, or disabling cars while passengers are traveling in harsh climates.”

Itzik Kotler, Co-Founder and CTO at SafeBreach: Automation will be a rising weapon in cybersecurity.
As security teams grapple with a deluge of data, alerts and constant threats, 2018 will see an increase in adoption of a myriad of security automation technologies. More organizations will embrace the promise of security automation for "purple" team operations. We will see a combination of technologies -- from automating the hacker via breach and attack simulation, to executing remediation playbooks via security automation and orchestration -- working in concert towards smarter security.”

Jason Macy, CTO of Forum Systems:

  • IAM: A target for hacking and compromise:  "As the trend toward identity consolidation and centralized IAM continues, the false sense of security around IAM platforms will result in high-profile hacking of enforcement points. IAM enforcement, or more plainly stated, the locations where credentials are authenticated and authorized, are high-value targets. Compromising these points in the architecture provides a means to impersonate users and hijack the identity decisions that dictate subsequent “trusted users’” acceptance of communications based on trust of the IAM engine. In November, we detailed the severity of the Oracle Identity Manager vulnerability; expect more, similar stories in 2018."
  • API security: A business use case:  "From IoT to mobile and cloud, APIs underlie the modern computing infrastructure. While OWASP’s inclusion of ‘Underprotected APIs’ in the OWASP Top 10 – 2017 RC1 list helped to elevate the criticality of API security, the Wishbone hack, the Instagram vulnerability and the Circle with Disney web filter API Management flaw demonstrated that organizations continue to provide services and integration via APIs that are susceptible to compromise and malicious access. The explosive proliferation of APIs will continue in 2018, and the loss of data and impact to reputation will spur organizations to (finally) carve out a meaningful portion of security spending for protecting APIs."

Galina Antova, Co-founder of Claroty:

  • Nation-states will conduct more critical infrastructure probing:  “The lack of response to 2014 threat activity probing U.S. critical infrastructure and European targets, and the 2015 and 2016 Ukraine attacks, empowered repeat activity from multiple nation-states in 2017. Expect more of the same in 2018.”
  • Ransomware will spillover (again); expect disruption:  “Although WannaCry and Petya/NotPetya did not specifically target industrial networks, the fact that both campaigns reached critical infrastructure leads us to believe that more spillover will occur along with major disruption and financial loss, and threat actors will craft ransomware targeting industrial networks for economic warfare and extortion gains.”
  • Critical infrastructure insecurity will manifest itself:  “Organizations are nowhere near as ready to combat critical infrastructure threats and will realize many (unfortunate) truths: they don’t have a clear understanding of what assets they own; proper cybersecurity hygiene in industrial networks is much harder to achieve than in IT networks; air-gapping is a fallacy; and organizations don’t possess the necessary personnel skills, their teams aren’t talking to one another and they aren’t currently monitoring their networks the way they should.”

Ryan Stolte, Co-founder and CTO of Bay Dynamics:  2018 will be the year of ransomware and stolen credential attacks.

  • On the ransomware front, in 2017, we only scratched the surface, with WannaCry hitting hundreds of thousands of computers worldwide by exploiting critical vulnerabilities in Windows computers. NotPetya was also significant infecting computers using the same exploit (EternalBlue) as WannaCry. In 2018, I expect ransomware attacks to be even more rampant, as criminals shift to more personal attacks, those that hold our intellectual property and life’s work hostage. They are seeing the success of the attacks – whether that’s in dollars and cents with victims paying them off, or severely damaging a business that they think deserves it. They are also getting away with it. Once victims are hit with ransomware they don’t have much recourse. They can either call the FBI or pay the ransom. You hope the FBI would catch the perpetrator but with cyber criminals attacking from around the globe, oftentimes spoofing source destinations and hijacking middlemen using them as proxies, it’s tough to physically get criminals behind bars.”
  • “Stolen credential attacks will also increase, especially considering the onslaught of significant breaches (i.e. Equifax). Criminals have collected so much information about us login credentials and secret questions are pretty much meaningless. Organizations must assume the criminals are already inside masquerading as legitimate employees, and they should use a combination of technologies to stop them. For example, a combination of user and entity behavior analytics with data loss prevention would detect an employee trying to exfiltrate sensitive data, verify it’s indeed unusual vs. business as usual, and stop the data from leaving.
  • A recent report revealed for the first time in years credit card fraud dropped 29 percent. That’s because credit card companies have become very efficient in detecting and stopping fraudsters. Once a suspicious charge is made, the card company contacts the cardholder asking for verification he indeed made the charge. If the cardholder says “no” his account is shut down immediately. We need the same type of prevention methods when it comes to stolen credentials. But until that point, we will continue to see stolen credentials as the hot commodity.”
Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...