Cyber has been a dynamic, ever-changing, never-a-dull-moment industry for more than a decade. 2017 was no different, and 2018 will remain true to this nature. At the center of this innovation are constantly evolving attacker TTPs, forcing the cyber industry to adapt with new strategies and making everything about cyber perpetually new. We experienced this evolution in intrusion methodologies and malware innovation this year in two huge ransomware attacks placed only 30 days apart. The WannaCry ransomware worm and NotPetya exploited the same vulnerability in unusual ways and evaded intrusion detection in large-scale attacks that affected millions of systems worldwide.
The question for this blog is how cyber will shape up in 2018 to meet an increasingly volatile threat landscape.
1. AI – Less Hype, More Real
All through 2017, AI has been making news, and cyber is no exception. There are a limited number of use cases in cyber that apply AI, including phishing detection, natural language processing of threat news, spam filtering, and fraud detection, but it is still not widely deployed. So, what will change in 2018? Three factors are important for AI to take off: availability of large security datasets, technology to process those datasets, and easy availability of AI platforms.
With the rampant increase in attacks and breaches, datasets are no longer a scarce resource. The maturity of big data technologies and stacks based on the Apache ecosystem provides the horsepower to process large datasets. Big data stacks also come with built-in languages and libraries for machine learning, including MLlib, Scala, and R.
AI platforms have emerged. Google TensorFlow, IBM Watson, Intel BigDL, and Azure AI all provide frameworks for deep learning algorithms, which makes it easy to apply deep learning to large security datasets. With the emergence of such ecosystems, we will see several use cases getting deployed using AI in cyber security. 2018 might well be a watershed for AI in cyber. Here is a link to a quick read on the application of AI in cyber: https://paladion.net/5-minute-guide-to-ai-in-cyber-security/
We have seen organizations move from a datacenter-centric world to a hybrid world with IT infrastructure distributed between datacenters and cloud. Very few organizations can claim to be in a pure datacenter world today. Even if they have not officially embraced the cloud, many of their employees are already using cloud services. Shadow IT is here to stay.
Most organizations live in a hybrid world of cloud services from Azure, AWS, and cloud apps intertwined with conventional datacenters. Cybercrime syndicates have already started exploiting the weak links in this hybrid world to breach organizations. As part of our Managed Detection and Response (MDR) operations for cloud, we are already seeing an increase in targeted attacks on cloud consoles and Office 365 services.
A breach of the Azure/AWS console provides the keys to the kingdom: attackers can potentially replace workloads with malware-laden ones and use them to infiltrate the corporate network. There is a significant increase in attacks from Nigeria (Nigerian Scam 2.0) and related suspicious geographies on Office 365, leading to compromise of mailboxes. The compromised mailboxes are used for spreading malware to other users and for CEO fraud. This will call for organizations to have a good strategy to monitor and respond to such attacks.
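To make "monitor and respond" concrete, here is a small detection routine for console and Office 365 sign-in events. It is an added example, not Paladion's MDR content or any vendor's product logic; the event schema (user, time, country, result), the thresholds and the sample events are all constructed assumptions rather than a real audit-log format. It flags a success from a country the user has never used, two successes from different countries too close together to be travel, and a burst of failures immediately followed by a success.

```python
"""Detection logic for sign-ins to a cloud console or Office 365 tenant.

Added example; the event fields (user, time, country, result) are an
assumed, simplified schema, not the format of any real audit log, and
the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)     # two countries within this window is implausible travel
FAIL_THRESHOLD = 5                     # failures inside FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=10)

# Countries each user has historically signed in from (constructed baseline).
KNOWN_COUNTRIES = {"alice": {"IN"}, "bob": {"US"}, "carol": {"IN"}}

# Constructed sample sign-in events (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2017-12-04T08:02:00", "country": "IN", "result": "success"},
    {"user": "alice", "time": "2017-12-04T09:15:00", "country": "IN", "result": "success"},
    {"user": "alice", "time": "2017-12-04T09:40:00", "country": "BR", "result": "success"},
    {"user": "bob",   "time": "2017-12-04T01:00:00", "country": "US", "result": "failure"},
    {"user": "bob",   "time": "2017-12-04T01:00:20", "country": "US", "result": "failure"},
    {"user": "bob",   "time": "2017-12-04T01:00:40", "country": "US", "result": "failure"},
    {"user": "bob",   "time": "2017-12-04T01:00:55", "country": "US", "result": "failure"},
    {"user": "bob",   "time": "2017-12-04T01:01:10", "country": "US", "result": "failure"},
    {"user": "bob",   "time": "2017-12-04T01:01:30", "country": "US", "result": "success"},
    {"user": "carol", "time": "2017-12-04T10:00:00", "country": "IN", "result": "success"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(events, known_countries):
    """Return (user, rule, detail) findings for successful sign-ins that are
    from a new country, imply impossible travel, or follow a burst of failures."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        last_success = None
        recent_failures = []
        for ev in evs:
            t = _ts(ev["time"])
            if ev["result"] != "success":
                recent_failures.append(t)
                continue
            # Rule 1: success from a country never seen for this user.
            if ev["country"] not in known_countries.get(user, set()):
                findings.append((user, "new_country", ev["country"]))
            # Rule 2: previous success from a different country too recently to have travelled.
            if (last_success is not None
                    and last_success["country"] != ev["country"]
                    and t - _ts(last_success["time"]) <= TRAVEL_WINDOW):
                findings.append((user, "impossible_travel",
                                 f"{last_success['country']}->{ev['country']}"))
            # Rule 3: many failures shortly before this success (guessing that finally worked).
            burst = [f for f in recent_failures if t - f <= FAIL_WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                findings.append((user, "failures_then_success", str(len(burst))))
            recent_failures = []
            last_success = ev
    return findings


def rules_for(findings, user):
    """Set of rule names that fired for one user (convenience for reports)."""
    return {rule for u, rule, _ in findings if u == user}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(f)
```

In practice the baseline of known countries would be learned from a few weeks of history per user rather than hard-coded, and each finding would open a response action (force password reset, revoke sessions, review mailbox forwarding rules) rather than just a printed tuple.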
3. Visibility – Shine the Torch on Smart Devices
The proliferation of smart devices (IoT or industrial) is a key trend across industries including manufacturing, financial services, telco, and healthcare. But unmanaged proliferation has resulted in huge risks. Most organizations today are blind to infected smart devices in their manufacturing plants, unauthorized wireless access points in datacenters, orphaned systems beaconing to risky websites, medical devices running with open vulnerabilities, and so on. It is therefore not surprising that we have already seen Dyn-style massive DDoS attacks from infected devices.
The solution is to increase visibility into such unmanaged devices. This is not something we can achieve with conventional asset tracking; the industry needs to adopt creative ways of increasing visibility. Using analytics on proxy, NetFlow, firewall, and other access logs is one way of doing it. As an example, applying data science algorithms to detect anomalous traffic in NetFlow or beaconing patterns in proxy logs leads to increased visibility into such devices. Cybersecurity teams will focus on reducing these risks by increasing visibility across IT, IoT, and industrial environments.
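The beaconing-pattern idea above can be tried on proxy logs with very little machinery. The following is an added example, not code from this blog or from any product: it assumes a simplified log line format of epoch seconds, source IP and destination host, and the sample lines are constructed. A source/destination pair with enough requests whose inter-request gaps have a very low coefficient of variation (standard deviation divided by mean) is reported as a beacon candidate; a human browsing the same site produces irregular gaps and is not.

```python
"""Beaconing detection over proxy-log lines: a host that contacts the same
destination at a nearly constant interval is a candidate unmanaged/infected
device. Added example; the log format (epoch_seconds src_ip dest_host) is an
assumed, simplified one and the sample lines are constructed."""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")

BASE = 1512345600  # arbitrary epoch start for the constructed data

# A device checking in every 300 s, and a user browsing at irregular times.
_beacon_lines = [f"{BASE + 300 * i} 10.1.5.23 check-in.vendor.test" for i in range(8)]
_browse_lines = [f"{BASE + d} 10.1.7.10 news.portal.test"
                 for d in (0, 47, 530, 610, 1900, 2400, 2410, 4000)]
SAMPLE_LOG = "\n".join(_beacon_lines + _browse_lines)


def parse(log_text):
    """Yield (timestamp, src, host); lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("ts")), m.group("src"), m.group("host")


def detect_beacons(log_text, min_hits=6, max_cv=0.1):
    """Return {(src, host): stats} for pairs whose inter-request gaps are regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps: near 0 means clockwork check-ins, large means human-like browsing."""
    times = defaultdict(list)
    for ts, src, host in parse(log_text):
        times[(src, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"hits": len(stamps),
                            "period": statistics.median(gaps),
                            "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, host), stats in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {stats}")
```

Real malware often adds jitter to its interval, so in production the `max_cv` threshold is tuned per environment and combined with other signals (destination reputation, request size uniformity, off-hours activity) rather than used alone; the point here is that the regularity itself, not a known-bad indicator, is what surfaces a device nobody knew was on the network.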
4. Web Applications – Evolution as the Main Beachhead
Analysis of advanced attacks in the last few years shows targeted phishing emails with malware payloads and web applications as the beachheads. The typical story is that of an employee getting phished, malware getting installed on the endpoint, and from there lateral movement to the attacker's final objective. The other beachhead has been compromising web applications to install malware on the server, followed by lateral movement to the final objective. Of the two, the phishing-based beachhead will become less used by cybercrime syndicates due to the evolution of endpoint protection and EDR systems along with higher employee awareness. The return on investment for cybercrime syndicates using the phishing approach is fast diminishing.
On the other hand, web applications are easier to breach given the fast evolution of web technologies. The new OWASP Top Ten 2017 (https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) is a good reflection of the dynamic nature of vulnerabilities. Fixing vulnerabilities takes significant effort and is always a catch-up game. The alternative of using a WAF as a protection mechanism is required but not sufficient: false positives in WAF rules do not allow protection against all vulnerabilities. This means that web applications will become an easier beachhead for cybercrime syndicates, with much higher ROI.
2018 will see the evolution of Runtime Application Self-Protection (RASP) as a complementary technology for web application protection. Since RASP runs in the context of the application, its detection fidelity is much higher than a WAF's, which also makes it easier to block attacks.
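Why does running in the application's context raise fidelity? A WAF only sees the request and must guess from signatures whether an input is hostile; a RASP hook at the database sink sees both the request input and the final SQL text, so it can check whether the input changed the query's structure at all. The following is an added illustration of that principle, not any RASP product's code: it assumes a small SQL lexer (single-quoted literals, comments, numbers, identifiers, punctuation) sufficient for the SQLite queries shown, and a wrapper around the connection that refuses any query in which a request value spills outside a single token. A legitimate name with an apostrophe is enough to trigger it in the concatenated query, while the parameterized version passes because the value never enters the SQL text.

```python
"""A minimal RASP-style hook at the SQL sink. Added example, not a product's
code; the lexer is an assumption that covers single-quoted literals, comments,
numbers, identifiers and punctuation, which is enough for the SQLite queries
below. Because the hook runs inside the application it sees both the request's
inputs and the final SQL text, so it judges whether an input changed the query's
structure instead of matching the input against signatures as a WAF must."""
import re
import sqlite3

TOKEN_RE = re.compile(
    r"""'(?:[^']|'')*'      # single-quoted string literal ('' escapes a quote)
      | --[^\n]*            # line comment
      | /\*.*?\*/           # block comment
      | \d+(?:\.\d+)?       # number
      | [A-Za-z_]\w*        # identifier or keyword
      | \S                  # any other single character (operator, punctuation)
    """, re.X | re.S)


def input_changes_structure(sql, value):
    """True if some occurrence of `value` in `sql` is not contained within one
    token, i.e. the input spilled out of the literal it was meant to sit in."""
    spans = [(m.start(), m.end()) for m in TOKEN_RE.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in spans):
            return True
        start = sql.find(value, start + 1)
    return False


class RaspConnection:
    """Wraps a DB connection; every execute() is checked against the request inputs."""

    def __init__(self, conn, request_params):
        self.conn = conn
        # Very short values are skipped to avoid matching stray characters.
        self.inputs = [v for v in request_params.values() if len(v) >= 2]

    def execute(self, sql, args=()):
        for v in self.inputs:
            if input_changes_structure(sql, v):
                raise RuntimeError(f"RASP blocked query: input {v!r} altered SQL structure")
        return self.conn.execute(sql, args)


def setup_db():
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("o'brien", "admin")])
    return conn


def lookup_concatenated(params):
    """Vulnerable pattern: the request value is pasted into the SQL text."""
    db = RaspConnection(setup_db(), params)
    sql = "SELECT role FROM users WHERE name = '" + params["name"] + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(params):
    """Hardened pattern: the value travels as a bound parameter, never as SQL text."""
    db = RaspConnection(setup_db(), params)
    return db.execute("SELECT role FROM users WHERE name = ?", (params["name"],)).fetchall()


def is_blocked(lookup, params):
    """True if the RASP hook refused the query for these request params."""
    try:
        lookup(params)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(lookup_concatenated({"name": "alice"}))               # [('user',)]
    print(lookup_parameterized({"name": "o'brien"}))            # [('admin',)]
    print(is_blocked(lookup_concatenated, {"name": "o'brien"}))  # True
```

The block it raises on is the vulnerability itself (input reaching SQL text) rather than a particular payload, which is why there is no signature to evade and why the false-positive rate is low: a parameterized query can never trip it. Commercial RASP agents hook the real driver calls and cover more sinks (OS commands, file paths, deserialization), but the structural comparison shown here is the core idea.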
5. Vulnerability (Un)Management – Prioritize, Prioritize, and Prioritize
Determining the root cause of breaches (vulnerabilities) continues to haunt organizations. It is obvious that trying to boil the ocean by fixing all vulnerabilities is not working. Prioritizing vulnerability remediation based on the vulnerabilities getting exploited in the wild began to gain popularity in 2017. Here is a blog we published on the topic in 2016: https://paladion.net/time-to-be-complacent-about-security-vulnerabilities/
Out of 70,000+ vulnerabilities, active exploitation happens on fewer than 1,000, and a few hundred are used in malware/ransomware. Leading organizations are using the 80/20 rule to prioritize remediation of only those CVEs that are exploited. How do we identify these CVEs? One way is to look at the active exploit kits and identify the CVEs used there. Another is to analyze the attacks seen in a SOC and trace back the more targeted CVEs from these alerts. As an MDR player, we consistently maintain a list of targeted CVEs with data from exploit kits, attacks seen across global SOCs, and information from the dark web. This approach will become best practice and will gain momentum in 2018 as we try to wrap our heads around the several thousand vulnerabilities across conventional and emerging technologies.
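Here is what that prioritization looks like when reduced to code. It is an added example, not Paladion's list or tooling: the CVE identifiers are placeholders of the form CVE-0000-NNNN, and the scanner findings, the three intel sets (exploit kits, SOC alerts, dark web) and the weights are all constructed assumptions. The output shows a low-CVSS but actively exploited finding outranking an unexploited 9.8, which is the whole point of the approach.

```python
"""Risk-based prioritization of scanner findings against exploitation intel.
Added example, not Paladion's method or tooling; the CVE identifiers, CVSS
scores, asset names, intel sets and weights are all constructed placeholders."""

# Constructed scanner output: one row per (asset, CVE).
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "exposed": True},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "exposed": True},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "cvss": 7.5, "exposed": False},
    {"asset": "db-01",  "cve": "CVE-0000-0004", "cvss": 9.1, "exposed": False},
    {"asset": "ws-117", "cve": "CVE-0000-0005", "cvss": 7.8, "exposed": False},
    {"asset": "ws-117", "cve": "CVE-0000-0006", "cvss": 4.3, "exposed": False},
    {"asset": "ws-118", "cve": "CVE-0000-0007", "cvss": 6.5, "exposed": False},
    {"asset": "vpn-01", "cve": "CVE-0000-0008", "cvss": 8.8, "exposed": True},
]

# Constructed intel feeds: CVEs seen in exploit kits, in SOC alerts, on dark-web listings.
INTEL = {
    "exploit_kit": {"CVE-0000-0005", "CVE-0000-0002"},
    "soc_alerts":  {"CVE-0000-0002", "CVE-0000-0008"},
    "dark_web":    {"CVE-0000-0004"},
}

# Weights are assumptions; exploitation evidence dominates raw severity.
WEIGHTS = {"exploit_kit": 40, "soc_alerts": 30, "dark_web": 15, "exposed": 10}


def score(finding, intel):
    """Return (score, evidence) for one finding; evidence lists the feeds that know the CVE."""
    evidence = [src for src, cves in intel.items() if finding["cve"] in cves]
    s = sum(WEIGHTS[src] for src in evidence)
    if finding["exposed"]:
        s += WEIGHTS["exposed"]
    s += finding["cvss"]   # severity only breaks ties among equally-evidenced findings
    return s, evidence


def plan(findings, intel):
    """Rank findings; tier 'fix_now' = exploitation evidence exists, else 'backlog'."""
    ranked = []
    for f in findings:
        s, evidence = score(f, intel)
        ranked.append({**f, "score": s, "evidence": evidence,
                       "tier": "fix_now" if evidence else "backlog"})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def fix_now_share(ranked):
    """Fraction of findings that need immediate work (the '20' in 80/20)."""
    return sum(1 for r in ranked if r["tier"] == "fix_now") / len(ranked)


if __name__ == "__main__":
    ranked = plan(FINDINGS, INTEL)
    for r in ranked:
        print(f"{r['tier']:8} {r['score']:6.1f} {r['asset']:7} {r['cve']} {r['evidence']}")
    print(f"fix_now share: {fix_now_share(ranked):.0%}")
```

The intel sets would be refreshed from exploit-kit tracking, SOC alert-to-CVE mapping and dark-web monitoring on a daily cadence; everything in the backlog tier still gets patched on the normal cycle, it just stops competing with the handful of CVEs attackers are actually using.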
What other cyber security trends do you expect we’ll see in 2018? Please leave your comments below.
Vinod Vasudevan is a co-founder of Paladion and has over 17 years of experience in the technology and information risk management domain. As the CTO at Paladion, Vinod has serviced large enterprise organizations across the globe in setting up integrated risk management systems and in streamlining system-based operations. He has held key positions with global firms including Microsoft. He is the co-author of “Application Security in the ISO27001 Environment” and “Enhancing Computer Security with Smart Technology”. He has also authored several papers. He sits on the expert panel of industry consortiums.