2017 Cybersecurity Predictions: The Year We Get Serious About IoT Security

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017. 

Throughout 2016, cybersecurity moved more into the public eye than ever before. Hacks into the Democratic National Committee, BitFinex, Yahoo, Dropbox, LinkedIn, and Verizon were just a few of the high-profile security breaches that grabbed headlines this year.

With 2017 fast approaching, we expect that we’ll continue to see breaches in the news. Let’s look at some predictions for the new year around network security:

Sure Things

Phishing attacks will continue to increase…and be effective

While phishing has been around for a long time, it continues to be a very successful method of attack for hackers. The 2016 Verizon Data Breach Investigations Report found that 30 percent of phishing messages were opened by the target, with a median time to the first click on a malicious attachment of three minutes and 45 seconds. In its Q2 2016 Phishing Activity Trends Report, the Anti-Phishing Working Group (APWG) observed 466,065 unique phishing sites in Q2 CY2016, up 61 percent from the previous quarter’s record in Q1 CY2016. Seagate Technology, Snapchat, and Polycom are just a few of the organizations where spear phishing attacks compromised employee payroll information in 2016. With attackers creating ever more realistic-looking emails and landing pages, we’re only going to see more of this in 2017.

Security organizations will begin to move away from security sprawl and towards true automation

To counter the malicious activity directed at them, security operations teams need to be more agile than ever: more visibility into incoming threats, a reduction of noise, and automation for faster response.

Traditionally, security teams have bolted on additional security solutions to address new threats. This has led to management frustration – coordinating security resources (oftentimes manually) from a variety of security solutions and vendors where the components don’t talk to each other or share knowledge. Security organizations will start to migrate toward solutions that are more contextually aware and security platforms that can share information across the attack surface, utilizing analytics for automated detection and response.

Internet of Things (IoT) attacks become a thing

Experts have been sounding warnings about IoT security vulnerabilities for a few years now, and while hacks have been demonstrated, until recently we hadn’t seen a lot of widely reported malicious activity. That changed in a big way towards the end of 2016. We saw the largest DDoS attack ever delivered by a botnet made up of IoT devices and a major attack on Dyn just a month later led to a massive internet outage across the U.S. and parts of Western Europe.

Gartner estimates that there are 6.4 billion connected things worldwide in use this year, a number expected to reach 20.8 billion by 2020. That’s a lot of targets.

Ease of use will be key to the success of IoT devices, but requiring individual users to constantly maintain security settings degrades the user experience. Will “Uncle Joe” really go through the process of changing the default password on his new connected thermostat? Probably not, and that leaves a gaping hole for breaches, depending on what else is connected to his network. I expect we’ll look back and view 2017 as the year IoT attacks really started, and also as the year we got serious as an industry about preventing them.

Long Shot

Ransomware encroaches on IoT devices

DDoS attacks are one thing, but what about ransomware on IoT devices? Ransomware has traditionally been used to hold an organization’s valuable data hostage by locking down the computers that store that data. Attacks often come into an organization through things like Adobe Flash or executable files.

IoT devices don’t generally store sensitive data and often lack the interfaces needed to deliver a ransom note. Malicious actors tend to be motivated by profit, and it is still easier, more efficient, and more profitable today to go after data where it resides. But the vulnerabilities in IoT devices will eventually lend themselves to ransomware that threatens immediate damage, shutting down a power grid or production line, for example.

As we start to see connected devices exploited more often for DDoS attacks, additional kinds of exploits are sure to follow – the question is whether it will become a profitable enough endeavor for bad actors to take mainstream in the next year.

What are your cybersecurity predictions around network security? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for endpoint security.


[Palo Alto Networks Research Center]

2017 Cybersecurity Predictions: New Norms Expected in Threat Landscape

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

Here’s what we see coming on the threat landscape in 2017:

Sure Things

The ransomware business model moves to new platforms

As we highlighted in our May report, ransomware is not a malware problem, it’s a criminal business model. Malware is typically the mechanism by which attackers hold systems for ransom, but it is simply a means to an end. As noted in our report, the ransomware business model requires an attacker to successfully perform five tasks:

  1. Take control of a system or device. This may be a single computer, mobile phone, or any other system capable of running software.
  2. Prevent the owner from accessing it. This may happen through encryption, lockout screens, or even simple scare tactics, as described later in this report.
  3. Alert the owner that the device has been held for ransom, indicating the method and amount to be paid. While this step may appear obvious, one must remember that the attackers and the victims often speak different languages, live in different parts of the world, and have very different technical capabilities.
  4. Accept payment from the device owner. If the attacker cannot receive a payment, and, most importantly, receive the payment without becoming a target for law enforcement, the first three steps are wasted.
  5. Return full access to the device owner after payment has been received. While an attacker may have short-lived success with accepting payments and not returning access to devices, in time this will destroy the effectiveness of the scheme. Nobody pays a ransom when they don’t believe their valuables will be returned.

The ransomware business model can target any device, system, or data, where someone can perform all five of these tasks. At DEFCON 24 in August 2016, researchers from Pen Test Partners demonstrated taking over an internet-connected thermostat and locking its controls before displaying a ransom note (Figure 1) demanding one Bitcoin in payment.

Figure 1: Ransom note displayed on internet-connected thermostat at DEFCON 24

While this was not a live attack, a similar screen is sure to appear on an internet-connected device in 2017. For a cybercriminal, making money is the name of the game. If they can capture control of a device, it’s only truly valuable if they can monetize that control. If they take control of an internet-connected refrigerator, they will probably struggle to find data they can sell or otherwise turn into cash, but holding the refrigerator for a small ransom could be very profitable. The same is true for nearly any internet-connected device, as long as they can complete all five tasks outlined above. It would be hard to communicate a ransom note via an internet-connected lightbulb, unless the victim is fairly conversant in Morse code.

Political Leaks are the New Normal

Looking back on the headlines of 2016, it’s apparent that data leaks of a political nature had a significant impact in the United States. While the election may be over, I predict that these types of breaches will continue well into the future, and throughout the world.

Some features of politically focused data leaks are both desirable to government actors and dangerous for an electorate. Consider the following:

  1. Years of releases from WikiLeaks and others have conditioned the public to assume that leaked information is true by default. While previously released data may be authentic, this assumption could be easily exploited by a leaker interested in influencing voters.
  2. If leaked data has been altered, the breached party may have no reasonable way to disprove the alteration. A digital signature on a document could prove its authenticity, but the lack of a digital signature does not prove it to be inauthentic.
  3. A government (or government-sponsored) organization can release information gained through espionage under the guise of a hacktivist, absolving him or her of negative political impact. Even in cases where strong evidence suggests a government was behind the intrusion that revealed the leaked data, plausible deniability exists.

Consider a case where there are private documents describing a trade negotiation between Nation A and Nation B, which Nation C does not favor. If Nation C obtains a legitimate document describing the details of the negotiation and releases an altered version that drastically favors Nation A, the voters in Nation B may be outraged, causing the negotiations to fail. To disprove the leak, Nations A and B would have to release the actual documents, which could also cause problems for the negotiation.

No matter your political persuasion or opinion on government transparency, it’s important to understand how certain parties can abuse the current environment. Political leaks are a form of information operations that can be conducted with great effectiveness and little chance of retribution. What we have seen in 2016 will be the new normal.

Long Shots

Secure Messaging Apps Gain Widespread Adoption in Response to Massive E-mail Leaks

If people take nothing else away from the leaks of 2016, it should probably be this:

Don’t put in an e-mail what you wouldn’t want to see on the front page of the newspaper.

This is a hard lesson to internalize, as e-mail has become the default medium for asynchronous communication for most of the world (and certainly for the people reading these words). But it’s one we should take to heart.

There are many problems with using e-mail to transmit messages that are only intended for a specific audience. The messages often sit unencrypted once they reach their destinations. Even if they are encrypted, the sender typically doesn’t have control over the security of the recipient’s system; the recipient could decrypt the e-mail and store it in plain text, or mismanage their encryption keys. In most cases, the messages are sorted, cataloged, and indexed automatically, allowing an individual with only temporary access to dredge up secrets by keyword and forward them to parts unknown.

If you are wondering if you should return to simply making phone calls when you want to share a private message, that’s not a bad idea, but take a look at any teenager’s phone when considering a technology solution. Snapchat’s killer feature is messages that automatically delete themselves after the recipient reads them. This allows users to send messages with less concern about them being shared with others. There are now many security-focused messaging systems, including Telegram, Wickr, Signal and Allo, which feature end-to-end encryption and self-deleting messages. While it’s still possible for someone to grab a screenshot of one of these messages, they are often much safer than e-mail.

Widespread adoption of these services in 2017 is still a long shot, as many users may not be comfortable making the transition from e-mail. However, those who’ve learned from widespread leaks will look for alternative ways to share their private thoughts with others.

What are your cybersecurity predictions around our threat landscape? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for network security.

[Palo Alto Networks Research Center]

Suggested Tips Auditors Need to Know About Cyber Security

We live in an age when social media, mobile devices and the Internet of things (IoT) dictate how we access, manage and communicate information. This technology is constantly changing and relatively complex in nature. Thus, it is essential that enterprises have a fully functional and effective information security program.

The responsibility to ensure such a program is properly implemented resides with senior management. The main objectives of such a program are to ensure the confidentiality, integrity and availability of the information assets and associated resources.

These overall objectives should be supported by safeguards known as controls, which are put in place to mitigate the risks associated with the use of the technology. If the controls are operating effectively and efficiently, the potential for loss and harm to enterprise assets should be reduced to an acceptable level. The question is who and/or what determines the effectiveness and efficiency of the controls.

This is where auditors come in. Their role is to review and perform tests to ultimately provide a level of assurance to management and the board of directors that the controls in place are appropriate, are in fact operating and are meeting the intended objectives. In many cases, this job function is relatively straightforward. However, many would argue that when it comes to cyber security technology, although the auditor’s role doesn’t change, the complexity of the audit does.

Auditors have an obligation to educate themselves on this powerful and evolving technology, and there is much to learn. Below are 10 things an auditor needs to know about cyber security. This list is not all-encompassing, nor is it ranked in any order.

  1. Everything is connected to everything. The primary function and objective of any cyber device is connectivity. Devices are like climbers roped together on the side of a mountain – if one falls, it can bring down anything connected to it. The Target hack (through an HVAC supplier connection) clearly demonstrates the need for a holistic cyber security view. With the arrival of the Internet of Things, it’s imperative that auditors understand and address the bigger picture.
  2. All risks are subjective. To qualify as a “risk,” a threat needs to be associated with a vulnerability that – if exploited – could negatively impact an information asset. If it does not, it is not a threat. Too many auditors worry about threats and vulnerabilities that pose no actual risk to an asset, prioritizing compliance over risk and wasting precious time and resources.
  3. Users are (and will always be) the biggest security risk. Our industry is led by vendors, and we continue to seek security through products (firewalls, IDS/IPS, DLP, etc.). We invest in product before people while real and measurable results can be achieved by investing in information security awareness. To contribute tangible results, auditors should prioritize people over product. Cyber security education is the silver bullet.
  4. Leverage existing frameworks/guidelines. Auditors should consider mapping of the NIST “Framework for Improving Critical Infrastructure Cybersecurity” to ISO 27001:2013 controls and COBIT 5 to reduce the scope of the audit, making the audit more manageable.
  5. Consider forthcoming legislation. Auditors should study how forthcoming and existing legislation like General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI-DSS) could potentially be incorporated into cyber security programs. Also, auditors need to understand the global regulatory environment and the differences that can exist between different geographic regions.
  6. Basic information security controls still hold true. As part of overall security (including cyber security), these controls provide a valid baseline that helps create defense in depth, such as physical and logical access controls and application of the “principle of least privilege.”
  7. Utilize a cyber incident response policy and plan that is fully tested. Auditors need to assess whether a proper crisis management and communication plan is in place, clearly communicated and tested as appropriate. This should enable sufficient business continuity in the event of a cyber security breach. Crisis management should include incident response and forensics, where warranted. Proactive monitoring and detection (with automated tools) should be in place.
  8. Cyber security strategy needs to be agile – the landscape is “mutating.” Strategy needs to be adaptable and scalable to handle new attack methods, such as ransomware and cloud-related risks. Auditors need to be aware that this is an area that is constantly changing and must not assume that what currently keeps your IT environment secure will continue to remain secure indefinitely.
  9. Cyber security awareness depends on the right training. Employees need sufficient and timely education and training to help combat ever-changing cyber security threats. Security needs to be interwoven into the fabric of an organization. One-off, box-checking exercises are not sufficient. For example:
    • Do employees understand the implications of a cyber security breach?
    • Has any thought been given to insider threats from a cyber security perspective?
    • Is there clear guidance on the use of social media/shadow IT solutions/BYOD/how to respond to a phishing or ransomware attack?
    • Are employees rewarded/praised for promoting security in an organization? Are they incentivized?
  10. Be aware of credential theft techniques. Auditors should have knowledge of credential theft attack techniques. Typically, the Pass-the-Hash (PtH) attack and other credential theft attacks utilize an iterative, two-stage process. First, an attacker captures account logon credentials on one computer, and then uses those captured credentials to authenticate to other computers over the network.

Editor’s note: To learn more, register for ISACA’s 6 December webinar, “Suggested Tips Auditors Need to Know About Cyber Security.” Click on the link below to register:
www.isaca.org/Education/Online-Learning/Pages/Webinar-Suggested-Tips-Auditors-Need-to-Know-about-Cyber-Security.aspx

ISACA also is offering a one-day workshop entitled “Cyber Security for Auditors” immediately following the 2017 North America CACS conference in Las Vegas, Nevada. For more information and to register, click on the link below:
www.isaca.org/Education/Conferences/Pages/North-America-CACS-Presentations-and-Descriptions.aspx#ws7

Paul Phillips, Technical Research Manager, ISACA

[ISACA Now Blog]
