By: David Masson, Canada Country Manager, Darktrace
It was speculated 2016 would see even more cybersecurity activity than 2015 and it did not disappoint. Consider the the 500 million accounts swiped from Yahoo, the University of Calgary ransomware attack, or the Casino Rama cyberattack. Not to mention the IoT-powered botnets launching record-breaking DDoS (distributed-denial-of-service) attacks that brought down major parts of the internet.
This year’s cyber-attack headlines offer just a glimpse of a cyber war between hackers and IT security that is being waged every day. More than anything, they are indications and proof of hackers’ ability to break into any given network if they really want to. In light of this, here are Darktrace’scyber security predictions for 2017.
Attackers Will Not Just Steal Data — They Will Change It
Today’s most savvy attackers are moving away from pure data theft and website hacking to attacks that have a more subtle target: data integrity. Attackers will use their ability to hack information systems not just to make a quick buck, but also to cause long-term, reputational damage to individuals or groups through the erosion of trust in the data itself.
The scenario is worrying for industries that rely heavily on public trust. A lab that can’t vouch for the accuracy of medical test results, or a bank that has had account balances tampered with, are examples of organizations at risk. Governments may also fall to such attacks, as critical data sources are altered, and public distrust in national institutions rises.
These “trust attacks” can also be expected to disrupt the financial markets. For instance, falsifying market information to cause ill-informed investments. We’ve already glimpsed the potential of disrupted mergers and acquisitions through cyber-attacks. Is it a coincidence that the disclosure of the Yahoo hack happened while Verizon was in the process of acquiring the company?
Moreover, these attacks even have the power to sway public opinion. But an even graver risk is the possibility that a nation-state or other sophisticated group could go beyond leaking emails to manipulating them in order to create a false impressions. A public figure could be made out to have done something illegal or dishonorable, even if it is not the case.
While some of the recent breaches may seem stranger than fiction, tomorrow’s cyber-attacks will make it harder than ever to parse fact from fiction.
More Attacks (and Latent Threats) Will Come From Insiders
Insiders are often the source of the most dangerous attacks, which are harder to detect as they leverage legitimate user credentials. Insiders can do huge damage because they have knowledge and access to sensitive information and networks. A disgruntled employee looking to do damage can find their best bet in a cyber-attack.
Insider threats, however, are not just members of staff with a chip on their shoulder. Non-malicious insiders are just as much of a vulnerability. How many times have you clicked on a link without checking the actual email address? Or side-stepped security policy in order to get the job done quicker, In 2017, we can no longer reasonably expect 100 percent of our employees and network users to be impervious to cyber-threats—they just won’t make the right decision every time.
Organizations need to combat this insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We don’t expect our skin to protect us from all viruses, we shouldn’t expect our firewall to stop all advanced cyber-threats.
Just in the past year, immune system defene techniques have caught a number of insider threats including, an employee deliberately exfiltrating a customer database, a week before handing in his notice; a games developer sending source code to his home email address so that he could work remotely over the weekend; a system administrator uploading network information to their home broadband router—the list goes on.
In 2017, we are going to see more insider threats. But at the same time, due to the increasing sophistication of external hackers, we are also going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials.
The Internet of Things Will Become the Internet of Vulnerabilities
According to Gartner, 13.5 billion connected things will be in use in 2020, with more than half of major new business processes incorporating some element of IoT. Yet these smart devices are insecure in many cases, offering a big opportunity for hackers.
The most innovative corporate hacks involving connected things happened in 2016. In the breach of DNS service Dyn in October, the Mirai malware spread rapidly across an unprecedented number of devices including webcams and digital video recorders. But many hacks of IoT devices this year have gone unreported, including those of printers, air conditioning units, video conferencing cameras, and even a coffee machine.
While many of these attacks used IoT devices as stepping stones, sometimes the target is the device itself. One of the most shocking threats we found this year was a compromised fingerprint scanner that controlled the entrance to a major manufacturing plant. Attackers were caught in the process of changing biometric data with their own fingerprints, in order to gain physical access.
In another attack, the videoconferencing unit at a sports company was hacked, and audio files were being transferred back to an unknown server in another continent. Want to be a fly on the wall in a Fortune 500 company’s boardroom? Try hacking the video camera.
Consumer Devices Will Be Held for (Cyber) Ransom
Ransomware, like Cryptolocker, has plagued companies around the world—experts estimate that these attacks have increased fivefold in 2016 alone. They encrypt critical files at a speed that is virtually impossible to keep up with and leave companies facing hefty fees for their release.
Hospitals have suffered particularly at the hands of ransomware attacks. They are prime targets, as they have become digital jungles full of everything, from life-saving medical equipment and critical patient records to patient devices and staff computers—all with cyber defences that have failed to keep pace, like The Ottawa Hospital. The result is organizations that pay up. While The Ottawa Hospital didn’t end up paying a ransome, other hospitals like the Hollywood Presbyterian Medical Center in Los Angeles paid the equivalent of $17,000 in Bitcoin, and even educational intitutions like the Calgary University have paid off hackers.
In 2017, we will start to see the beginning of a new type of extortion on a micro level, as consumers are targeted across a range of connected objects. Imagine getting home and turning on your smart TV only to find that cybercriminals are running a ransomware attack on your device. Would you pay $50 to regain access? Or what if the new GPS system in your car got hacked when you were late for a meeting—how much would you pay to unlock it?
Artificial Intelligence Will Go Dark
Artificial intelligence (AI) is exciting for many reasons—self-driving cars, virtual assistants, better weather forecasting, and more. But AI will also be used by attackers to wield highly sophisticated and persistent attacks, attacks that blend into the noise of busy networks.
We have already seen the first glimpses of these attacks. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsoleteness of signature-based detection methods. Additionally, the next generation of attacks that uses AI-powered, customized code to emulate the behaviours of specific users so accurately as to fool even skilled security personnel is now emerging.
In 2017, we can expect AI to be applied to all stages of a cyber-attacker’s mission. This includes the ability to craft sophisticated and bespoke phishing campaigns that will successfully dupe even the most threat-conscious employee.
Next year’s attacker can see more than your social media profile. They’ll know that your 10 a.m. meeting with your supplier is being held at their new headquarters. At 9:15 a.m., an email with the subject line “Directions to our office” arrives in your inbox, apparently from the person that you are meeting, as you get off the train—do you click the map link in the email?