By Juliusz Idzik, Senior Information Security Consultant
During 2017 we witnessed some interesting but unnerving cyber campaigns that have forced many of us to rethink our security posture and whether our organisations are prepared to face sophisticated attacks. These campaigns use new, innovative tools that can pass traditional security mechanisms without any alert or detection. Sysnet Cyber Risk Consultants have classified and described three of the most widespread groups of attacks this year:
- Ransomware (WannaCry, NotPetya) built with the use of offensive security tools stolen from the NSA (U.S. National Security Agency) repository: EternalBlue
- Commercial use of fileless malware, described for the first time by Kaspersky Labs and Airbus Security in the previous year (Duqu, Kovter, PowerShell), but only recently used by organised crime actors: FIN7, Carbanak Gang
- Intentional abuse of worldwide security vendors and their antivirus products to conduct cyber espionage: Kaspersky Labs, or to spread malware: Emotet
Although the cases described above are the most famous examples, there were others like Bad Rabbit, or the abuse of Microsoft’s DDE (Dynamic Data Exchange) that have also changed our approach to technology risk. They made us reconsider the key concepts of defence-in-depth and associated principles of data security. The following five cyber-predictions are threats that have been identified by the Sysnet Cyber Team as probable scenarios that may have the most significant and widespread effects (negative or positive) on businesses across the globe in the next 12 months.
1. GDPR as new source of unfair advantage or extortion method
Most people in the legal and security industry are well aware of the new EU data protection regulation (GDPR) that will come into force on the 25th of May 2018. The most significant aspect of the new regulation is its worldwide applicability: every business outside of the EU also falls under GDPR regulations if it offers goods/products to EU citizens or monitors their behaviour. As a result the regulation impacts a huge number of global businesses, as many offer services in their daily practices which in some form encompasses that applicability, for example personal data consumed/processed by tech giants like Google, Facebook, Instagram.
Sysnet Cyber Risk Consultants have identified a new type of GDPR threat that may be used by business competitors to gain an unfair advantage or by organised crime to extort money. Cybercriminals may, for example, demand a ransom from a targeted organisation in exchange for not releasing personal data obtained from them by non-legal means.
The side effect of GDPR coming into effect next year is that it may create new extortion opportunities for threat actors to put extra financial pressure on business organisations.
Before GDPR the scope of sensitive data to be protected by an organisation was limited to personal identifiers and information such as social security numbers, national identity numbers or healthcare data or financial information such as payment card data. GDPR however introduces a more comprehensive definition of personal data for the digital age. From May 2th 2018, the compromise of digital identifiers such as (but not limited too) IP addresses/MAC addresses or “authentication cookies”, as well as genetic or biometric data will also be classified as a personal data breach. Such a breach may be lead to enforcement action and fines by the appropriate EU supervisory authority.
A cybercriminal that has succeeded in compromising personal data may seek to use it maliciously against the breached organisation – demanding a ransom from the organisation in exchange for not publicly disclosing the breach – rather than monetising each individuals’ data – e.g. by selling the individuals’ data on to be used for identity theft and fraud. Organisations may well pay such a ransom to try to avoid the publicity and reputational damage associated with a data breach but it is unlikely they will avoid all GDPR enforcement actions if the cybercriminal did compromise the personal data, as all such breaches need to be notified to the supervisory authority.
The threat of new ransom practices may serve to strengthen the overall information security postures of businesses but certainly cannot be avoided completely. We may also see new forms of extortion services offered on the underground market, that would target less tech savvy businesses. From regulatory point of view, these threats may warrant more detailed (and expensive) investigations of the circumstances of each data breach, the background and forensics of the source of the data leakage and the commercial motives behind it.
2. Increase usage of fileless malware
Fileless malware, a variant of malware that exists exclusively as a computer memory-based artefact has existed for years; however, it hasn’t been mitigated successfully by the information security industry (e.g. malware attacks such as PowerShell/Sc/Netsh, Mimikatz, Meterpreter/Msfvenom,). Multiple new announcements from security vendors were made in 2017 uncovering the issue in detail but, so far, no single commercial product or industry solution has been presented that could be regarded as future-proof.
The main issue with fileless malware comes from the fact that it directly challenges the key concepts used broadly by the information security industry today, and which form the basis for the important “first-line of defence” (end-point security suites, or advanced antivirus software):
- Signature analysis that stops initial infection based on past patterns (signatures), used by antivirus software, intrusion detection/prevention tools etc.
- File integrity monitoring (FIM) that generates an alert if any critical file is altered, used by FIM tools, HIDS (host-based intrusion detection system) etc.
Since fileless malware resides only in volatile memory, there are no files to be checked against the signature database and no change is made to file systems (no file is written or amended). Some experts conclude this is the “natural evolution” of exploitation tools developed in response to strict file integrity controls implemented by advanced end-point protection suites (signature-based controls have not been efficient for many years).
At Sysnet we envisage a surge in fileless malware attacks next year, possibly becoming the main form of attack used by threat actors to compromise any traditional signature-based first line of defence. In order to combat this, it is recommended that, when choosing your preferred security vendor, greater consideration be given to whether their end-point security includes advanced protection mechanism like Artificial Intelligence or behaviour-based analysis.
3. Cyber AI (artificial intelligence) – rise of the machines
Artificial Intelligence (AI) is seen by many as the most promising technical development in recent years. We have witnessed many different predictions in relation to AI’s potential and the scale at which it is going to take active control in our everyday lives. At Sysnet we believe in the enormous potential of AI but we also see the danger that is explicitly associated with its capabilities and the wide variety of usages in different sectors of IT. Almost all technology giants have shifted their business strategies to incorporate AI due to the major efficiencies that it brings. At Sysnet we have examined active developments in AI, especially Deep Learning which is part of Machine Learning, and how it can be employed in practical terms in cyber-space.
The most obvious usage of AI is for laborious, repetitive tasks that does not involve too much creativity. One of the best examples of this is the role of first-line security analyst in SOC’s (Security Operation Centres), where the analyst routinely goes through hundreds of similar (if not the same) alerts trying to correlate events to isolate a valid security incident. Major SIEM (security information and event management) vendors are already including in their add-on modules, AI automation so that first-line SOC analysts are able to focus on more challenging tasks, like identifying new forms of threats. Therefore, one may conclude that AI is already the first line of defence in the largest SOCs where billions of alerts are being analysed.
Another major use of AI is for the orchestration of events, vulnerabilities and threats to close the cyber-triangle to obtain a comprehensive view of the organisation’s security posture and the real technology risk that it faces. The most apparent next step when moving on from detection to prevention, is to employ AI to provide an automatic response to security incidents. This can be done immediately after an incident has occurred, thus shortening the time to respond to almost zero, in which the AI constrains adversary actors and runs identification and prevention software blocking and preventing the cyber-attack.
Naturally, malicious actors are actively working on their own implementation of AI in a variety of offensive ways. One of the prime examples of this is initial analysis and reconnaissance to locate the weakest link in the defences of a target. Further phases, like weaponisation or exploitation, are also being automated with the newest Deep Learning methods, like machine programming which relies on the development of custom binary code that cannot be detected by any traditional security mechanism. At Sysnet, we believe that this trend will continue to grow rapidly in 2018, and the old saying of “catch me if you can” will be moved to the next level: “catch my AI if yours is smart enough”.
In the next issue of the Sysnet Cyber Risk newsletter, we continue predictions for 2018 in part 2 of this article.