In every intelligence industry there’s often a central aim: predicting the future. We collect and analyse, dissect and interpret, looking for that essential nugget that will give us the edge over our adversaries by indicating what they’ll do next. While this activity goes on 24/7/365, the start of the year encourages us to go public with forecasts to help navigate the choppy waters on the horizon. This year, because all good intelligence involves collaboration, Tom Kellermann has combined his thoughts with those of threat analysts and security strategists to give some insight into the tactics, techniques and procedures and sectors likely to be top of the list for cyber attackers in 2019.
Destructive attacks and nation state activity continue to ramp up
Geo-political tension remained high throughout 2018, bringing with it an associated uplift in cyber insurgency. The US trade war with China is undoubtedly a factor behind the recent resurgence in Chinese cyber espionage and this is set to continue.
As well as espionage targeted at infiltration and data theft, our intelligence detected an escalation of attacks where the primary objective was destruction. Our most recent Quarterly Incident Response Threat Report depicted a widespread adoption of C2 on sleep cycles, while a high prevalence of attack victims experiencing ‘island hopping’ and counter incident response.
In 2019, I’m predicting we’ll see more instances of island hopping, particularly via public cloud infrastructure. We’ll also continue to see a wave of destructive attacks as geopolitical tension continues to manifest itself in cyber space.
Counter-detection becomes more sophisticated
In 2019, we’ll continue to see attackers attempt counter-detection in the form of Vapor worms – fileless attacks that display worm characteristics and propagate through networks – and Internet of Things (IoT) worms. As attackers become more sophisticated in their methods, defenders will need to become more adept at spotting evidence of incursions through proactive threat hunting and analysis.
Breach to extortion will become common
Paul Drapeau, enterprise architect in our Threat Analysis Unit, believes that our habit of putting our private lives online in the hands of third parties will come back to haunt us in 2019. He told me: “Attackers have been actively using ransomware to make a quick buck by locking systems and encrypting files, but this activity could move from compromise of systems to compromise of personal lives. Breaches of social media platforms present a wealth of data to be mined by bad actors. This data could be used to correlate activities between people to find illegal, scandalous or compromising behaviour and then leveraged for traditional blackmail at scale. An example note might read: ‘Pay up or your spouse/employer receives copies of these direct messages’. We can fight ransomware on our own networks with anti-malware tools or back-ups, but we depend on giant companies to protect our more personal details.”
The breach doesn’t even have to be real to result in extortion attempts, as was seen in 2018 with the mass e-mail scam purporting to have compromising video and passwords of the victims. Imagine an attacker building on data from a breach and fabricating message contents and then demanding a ‘ransom’ be paid. This type of attack takes more work to executive and is more targeted and difficult, but the pay-off could be there. Victims may be willing to pay more money and pay up more readily when it’s their real lives and reputations at stake versus their digital files.
Supply chain attacks in healthcare
When it comes to the sectors facing the highest risk, our security strategist Stacia Tympanick expects to see a lot more supply chain attacks occur within the healthcare industry. Healthcare is a tough attack surface to protect and could be a tempting target for nation state actors bent on disrupting Critical National Infrastructure.
There’s so much focus on just making sure that devices are discovered and protected on networks that managing medical devices on top of this opens up a large attack surface. The trend toward remotely managing patient conditions via IoT devices increases that surface still further. This vector could be ‘weaponised’ by bad actors.
Healthcare is also starting to move to the cloud as part of the UK Government’s ‘Cloud First’ policy, so cloud providers should be evaluated under a stern eye to ensure that proper and secure procedures/processes are in place to protect patient data.
Steganography makes a comeback
I always like to make at least one semi-bold prediction each year, and this year I’m saying that steganography makes a comeback. Steganography is the technique of hiding secret information within innocuous images or documents. It’s an ancient practice – think Da Vinci hiding codes in the Mona Lisa.
Examples of steganography are just as hard to detect in the cyber world, with code being masked in legitimate files designed to make it past scanners and firewalls.
We could see steganography being used in combination with other attack vectors to create persistence and control mechanisms for malware that’s already running on a compromised network.
Tom Kellermann is Chief Cyber Security Officer at Carbon Black