Data breaches were one of the hottest topics of 2016: businesses and consumers alike have been affected by the almost daily threat of a breach and the impact these have on a continuous basis.
Will such threats enable identity fraud, send a business under or even give adversaries further power to conduct ever more dangerous attacks?
With this in mind, Michael Sutton, CISO at Zscaler, has crafted his top five predictions for the year ahead and what they will mean for the threat landscape.
- Nation states ‘offensive offense’ – It’s likely 2017 will see the US and other nations step into a cyber mudslinging contest
- AI will be used for good and evil – Another platform that holds mass quantities of data will be susceptible to savvy criminals in 2017
- Ransomware gets physical – Encrypting data will be replaced with extortion via disabling physical systems
- Data breaches 3.0 – The next wave as criminals seek to alter, not exfiltrate data with corporate espionage in mind
- Cyber insurance disruption – Risk scoring algorithms will need to go far deeper with internal corporate security systems to calculate the likelihood of a breach
“Offensive Offense – Increasingly, motivations for offensive nation state sponsored attacks have gone into a new realm and have been driven primarily as an effort to undermine the credibility of another government or in some cases influence public sentiment. The Director of National Intelligence went so far as to publicly accuse the Russian Government of the attack on the DNC and others have openly speculated that they too were behind the compromise of Hillary Clinton Campaign Chairman John Podesta’s inbox. In light of such aggressive and direct meddling in the political affairs of another nation, some in the intelligence community are suggesting that the US should return the favour. This is a troubling notion. If we enter an era where nations are actively conducting offensive cyber attacks with the primary goal of embarrassing their foe by leaking documents online, many innocent victims will be caught in the crossfire. It’s one thing to conduct cyber espionage covertly to get a leg up on the competition either from a military or economic perspective, but it is an entirely different situation when private documents are being handed over to Wikileaks. Given current political tensions, the precedent that has already been set and the aggressive tone of the incoming US administration, it’s likely that 2017 will see the US and other nations step into this cyber mudslinging contest.
“Rise of the Machine (Learning) – Machine learning and artificial intelligence (AI) are the current buzz words du jour in the security industry. Machine learning will revolutionise security because humans simply can’t scale in the way that machines can, and we’re willing to invest in perfecting the neural networks that drive them. While AI may not be ready to replace humans just yet, a number of startups in the User Entity and Behavior Analytics (UEBA) space such as Interset, Gurucul and Exabeam are proving that the science is mature enough to add value. At the same time, the magic of AI is becoming increasingly accessible to those that can’t afford to hire an army of machine learning experts thanks to projects such as Microsoft Azure Machine Learning Studio, Amazon Machine Learning and Google’s TensorFlow. These projects deliver powerful machine learning platforms that are available to programmers. Yet, as with any good tool, AI will be used for good and evil. Just as IaaS platforms were quickly adopted by those spreading malware, so too will the AI platforms. Mass quantities of data are being stolen and savvy criminals are looking to monetise it. Stealing networking logs is of limited value, but being able to analyse those logs to identify user behaviours, such as employees more susceptible to social engineering attacks, or those with higher access privileges, is very valuable. Just stole 18 million records from OPM and need to sort through it, identify connections and figure out who may be susceptible to extortion? AI is for you.
“Ransomware gets Physical – Most ransomware to date remains relatively unsophisticated, relying primarily on social engineering as the infection mechanism. Attackers don’t need to pull 0day tricks out of their bag to infect PCs when signature based defenses are easily evaded and humans remain gullible. What is changing is the targets that the attackers are going after. The vulnerable state of IoT devices is finally front and centre thanks to the Mirai botnet DDoS attacks and we can expect ransomware authors to train their sights on Internet enabled hardware devices. This phase of ransomware will be different. Encrypting data will be replaced with extortion via disabling physical systems. Corporations are all too willing to pay ransom demands when valuable intellectual property has been locked up and we can expect them to be even more eager when systems go offline. The silver lining to the current generation of ransomware attacks is that enterprises are finally taking data backup seriously and upping their security game with next gen endpoint protection – two defenses that will do little to protect vulnerable IoT devices. If an enterprise is willing to pay ransom to retrieve valuable data, how much will they be willing to shell out when an assembly line or manufacturing plant producing millions of pounds worth of goods per day is brought to a grinding halt?
“Data Breaches 3.0 – First we had the era of the financial data breach with the likes of Target, Home Depot, Michael’s and Neiman Marcus all suffering massive thefts of debit/credit card data across 2013 and 2014. Healthcare then bore the brunt of the attacks announced in 2015 with Anthem, Premera and Carefirst all acknowledging that millions of records had been stolen. In 2017 we can expect a third data breach phase, with attackers seeking to alter, not exfiltrate, data. Such attacks raise the stakes as the damage can be far greater and longer lasting. Stolen data is more likely to ultimately be identified, either because of indicators pointing to the exfiltration or because the stolen data is spotted in the wild. Altered data, on the other hand, can fly under the radar indefinitely, especially if the alterations are subtle. Data is meant to be manipulated and attackers with internal access have the ability to do so, not through anomalous behavior, but by leveraging the very systems designed to alter the data in the first place. Why would attackers want to do this? Imagine attackers conducting corporate espionage altering data to influence business decisions, designed to alter negotiations with a partner or competitor. How about changes to data used in financial analysis that would lead a trader to conduct a trading pattern that is now predictable? Most concerning are nation state sponsored attacks designed to alter political policy.
“Disruption in cyber insurance – The insurance industry is one that’s ripe for disruption. With data breaches becoming the norm, cyber insurance has also become a must have item for large enterprises. Insurance companies are desperate to get in on the game, but they have a big challenge – how do they calculate the likelihood of a breach? Life insurance is easy – plenty of people have lived and died and we have solid data on it. Data breaches are entirely different. For one, the risk has only existed for a couple of decades at most, so there is limited data. Beyond that, any company can be hacked. Today, insurance companies are forced to limit the size and scope of policies to also limit the size of a potential payout as they simply don’t have confidence in their ability to fully understand risk. A variety of startups have emerged to help fill the void. In order to generate true value to insurance companies, risk scoring algorithms will need to go far deeper and integrate with internal corporate security systems to gain a complete picture of the threat landscape for a given entity. Such a system would benefit provider and consumer alike, allowing insurance companies to provide policies with broader scope, while diligent corporations could drive lower premiums by continually demonstrating best of breed security controls.”