Cyber-criminals will ramp up attacks on mobile devices and point of sale (POS) systems, according to the 2015 cyber trends and threat analysis by Verisign iDefense Security Intelligence Services.
This is one of 10 predictions made by the iDefense analysis to help cyber security and business operations teams plan their response to the most critical cyber threats and trends affecting their enterprises.
In 2014, Windows-based banking Trojans remained a key cyber-crime tactic, but attackers are also targeting retailers with POS malware, and researchers have observed new malware directed at the iOS, Android and Windows Phone smartphone platforms.
Josh Ray, senior intelligence director for Verisign iDefense, said: “With more and more users merging their professional and personal mobile experiences onto a single device, any malicious content downloaded during personal use can find its way to the corporate network when connected in the office.
“Existing bring your own device measures will have to be further enhanced to ensure that any malicious content is kept out of the corporate network.”
Given the nature of targeted attacks as well as the lack of security awareness of end users, iDefense researchers expect bring your own device (BYOD) security will remain a challenge.
“Fortunately, keeping devices in their non-rooted or non-jailbroken state and using mobile apps from only official app stores can avoid many mobile compromises,” said Ray.
Verisign iDefense’s 10 predictions for 2015
- More attacks on mobile devices and point of sale systems
- Increase in frequency and severity of hacktivist operations
- Windows XP will remain in widespread use and increasingly vulnerable to compromise
- New era of state-sponsored hacktivism, with no-holds-barred blended attacks
- Increasing shift to downloaders to deliver malware
- Higher mass media profile of attacks will persist
- DDoS attacks will rise in frequency, complexity and volume
- Critical infrastructure will be targeted by hacktivists and nation states
- Greater targeting of open source software vulnerabilities
- Bug bounty programmes and security research crowdsourcing are here to stay
iDefense researchers believe the expected growth of the internet of things (IoT), coupled with the far larger IPv6 address space, sets the stage for potentially billions of low-cost discrete and embedded devices that manufacturers have not hardened or made tamper-proof, but which organisations may deploy regardless.
“At the other end of the spectrum is the issue of legacy devices, applications and operating systems that vendors no longer maintain, or that organisations cannot update; such systems that are still in use create weaknesses in the networks on which they reside,” said Ray.
The second iDefense prediction is that global events will continue to drive an increase in the frequency and severity of hacktivist operations.
“As witnessed through several events globally in 2014, including protests over the Ferguson, Missouri, police shooting, spending for the Brazilian World Cup, the Syrian civil war and others, hacktivist groups are taking up cyber arms against those who they perceive to be responsible, complicit or the most visible billboards for their cause,” said Ray.
“We expect 2015 to yield even more instances as these types of events gain significant public attention and DDoS-as-a-service grows in availability and popularity. Access to real-time actionable threat intelligence will be key for protecting against these threats.”
The third iDefense prediction is that Windows XP will remain in widespread use and the unsupported OS will be increasingly vulnerable to compromise.
The continued use of this outdated operating system and others effectively invites malware developers and other cyber-criminals to exploit these networks, said iDefense.
“Worse still, Windows XP is used in more than 420,000 ATMs in the US, with half of those ATMs owned by the financial sector,” said Ray.
“This presents a significant upgrade challenge because of their custom software. Organisations need to allow sufficient time to upgrade legacy systems, allowing as many as 200 days for servers and 300 days for users and major application changes to be implemented.”
Fourth, state-sponsored hacktivist activity will usher in a new era of blended no-holds-barred cyber-attack.
Although previous attacks have aimed at achieving a political goal via network-based DDoS, or DoS through destructive malcode, iDefense researchers observed a fundamental shift in late 2014 towards blending the three most common forms of cyber activity: hacktivism, cyber-crime and cyber-espionage.
Ray said: “We expect to see them become more pronounced in 2015. This type of attack combines the most destructive elements of each: complete data exfiltration and disclosure, global DoS via destructive malcode, and public defacement, with personally identifiable information and credential dumps.
“This attack type is made worse due to the custom malcode leveraged, technical acumen required and extra-legal status of the responsible parties.”
Ray believes that threat mitigation requires greater focus on actor intent for early identification, and implementation of proper security controls and recovery methods to help survive such a threat.
Fifth, there will be a growing shift to poorly detected downloaders in the delivery stage of cyber-crime malware.
According to iDefense, the majority of banking Trojans are now deployed via downloaders, which are small in size and use custom obfuscation to evade anti-virus detection. Once executed on the victim machine, the downloaders establish connections to compromised websites and download malware payloads.
“This new methodology (as opposed to delivering the entire payload at once) provides the adversary with increased delivery and command and control flexibility, malcode reuse and more granular targeting controls,” said Ray.
iDefense predicts more use of downloader modules in 2015 rather than the actual malcode in the malicious attachments of phishing emails, and that mitigations will require network and host-based detection along with an intelligence reporting and information sharing capability.
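The check-in/payload pattern described above is visible at the web proxy. What follows is an added example, not iDefense or Verisign tooling, that scans a constructed proxy log for a tiny request followed within two minutes by an executable download from a different host using the same user agent. The log field order, the hostnames, the size threshold and the time window are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines for this example (not real traffic). Field order,
# assumed here: timestamp client method url status bytes content-type "user-agent"
SAMPLE_LOG = """\
2015-01-12T09:14:02 10.0.0.21 GET http://www.example-news.test/index.html 200 48211 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0"
2015-01-12T09:14:31 10.0.0.21 GET http://cdn.example-news.test/app.js 200 9023 application/javascript "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0"
2015-01-12T09:15:10 10.0.0.37 GET http://blog.compromised-site.test/wp-content/cache/g.php?id=7 200 412 text/plain "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-01-12T09:15:12 10.0.0.37 GET http://img.another-victim.test/images/logo.png 200 184320 application/octet-stream "Mozilla/4.0 (compatible; MSIE 6.0)"
2015-01-12T09:16:44 10.0.0.21 GET http://dl.vendor.test/update/setup.exe 200 5123456 application/x-msdownload "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\S+) "([^"]*)"$')

# Content types and extensions that indicate a second-stage executable payload.
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
EXEC_EXTS = (".exe", ".dll", ".scr")
BEACON_MAX_BYTES = 2048          # a downloader's first check-in is tiny (assumed threshold)
WINDOW = timedelta(seconds=120)  # payload must follow the check-in within this (assumed)


def parse_log(text):
    """Parse log lines into event dicts, sorted by client then time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, size, ctype, ua = m.groups()
        parts = urlsplit(url)
        events.append({
            "time": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "host": parts.hostname, "path": parts.path,
            "status": int(status), "bytes": int(size), "ctype": ctype, "ua": ua,
        })
    events.sort(key=lambda e: (e["client"], e["time"]))
    return events


def is_payload(event):
    """Executable content, by declared type or by file extension."""
    return event["status"] == 200 and (
        event["ctype"] in EXEC_TYPES or event["path"].lower().endswith(EXEC_EXTS))


def find_downloader_chains(events, window=WINDOW):
    """Pair each executable fetch with a preceding tiny request from the same
    client and user agent to a different host: the check-in/payload pattern."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        for i, payload in enumerate(evs):
            if not is_payload(payload):
                continue
            for beacon in reversed(evs[:i]):       # newest first
                if payload["time"] - beacon["time"] > window:
                    break                           # everything older is out of window too
                if (beacon["host"] != payload["host"]
                        and beacon["bytes"] <= BEACON_MAX_BYTES
                        and beacon["ua"] == payload["ua"]):
                    chains.append({
                        "client": client,
                        "beacon_url": beacon["url"],
                        "payload_url": payload["url"],
                        "ua": payload["ua"],
                        # executable body served under a benign-looking extension
                        "disguised": not payload["path"].lower().endswith(EXEC_EXTS),
                    })
                    break
    return chains


if __name__ == "__main__":
    for chain in find_downloader_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

On the sample log only client 10.0.0.37 is reported: its 412-byte request to one site is followed two seconds later by a 180KB `application/octet-stream` body served as `logo.png` from another, with an identical, dated user agent. The vendor `setup.exe` fetched by 10.0.0.21 is not paired with anything because no small request precedes it inside the window.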
Sixth, mass media coverage of the security community’s research focused on cyber-espionage groups will persist throughout 2015.
“While this did serve to raise awareness surrounding this threat throughout 2014, an unfortunate side-effect of this ‘rush to publish’ approach was that multiple espionage campaigns were incorrectly attributed, potentially to the detriment of targeted organisations because scarce internal security resources may have been improperly allocated,” said Ray.
iDefense believes this highlights the need for capable analysts with the ability to assess actual threats via sound tradecraft in order to avoid poor attribution or incident correlations.
Distributed denial of service
Seventh, DDoS attacks continue to increase in frequency, complexity and volume.
During the course of 2014, Verisign DDoS Protection Services encountered a steady increase in the size of DDoS attacks, which averaged well over 6 gigabits per second (Gbps). The largest attack that Verisign encountered in 2014 peaked at around 300Gbps, or 90 million packets per second.
In 2015, iDefense expects these trends to continue as attack tools and mitigation resources continue their arms race.
“Amplification attacks will remain popular with lower-skilled attackers, and higher-skilled attackers will evolve their techniques in new directions, such as DDoS as a diversion, while they perpetrate other more lethal attacks,” said Ray.
“This will necessitate a move to hybrid DDoS protection solutions in 2015 and beyond to enable organisations to protect their web servers, DNS servers, application servers and, most importantly, their customers and reputation.”
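To make the amplification pattern concrete, the following added example (not Verisign's DDoS Protection Services logic) aggregates constructed flow records and flags a target that receives large UDP replies from several reflectors it never queried. The reflector port list, the thresholds and the addresses are assumptions made for the example. It also shows the packet-size arithmetic behind the 300Gbps and 90 million packets per second figures above.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port their
# responses come from. The list is an assumption for this example.
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records (not real captures):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # the protected host makes one legitimate NTP query and gets one reply
    ("203.0.113.10", 38000, "192.0.2.5", 123, "udp", 1, 76),
    ("192.0.2.5", 123, "203.0.113.10", 38000, "udp", 1, 76),
    # three NTP servers the host never queried flood it with large replies
    ("198.51.100.7", 123, "203.0.113.10", 80, "udp", 1000, 480000),
    ("198.51.100.8", 123, "203.0.113.10", 80, "udp", 1000, 480000),
    ("198.51.100.9", 123, "203.0.113.10", 80, "udp", 1000, 480000),
    # a single unsolicited DNS reflector: large packets, but only one source
    ("198.51.100.50", 53, "203.0.113.10", 443, "udp", 2000, 1100000),
    # ordinary web traffic, ignored
    ("192.0.2.77", 51000, "203.0.113.10", 443, "tcp", 40, 12000),
]


def amplification_summary(flows, min_sources=3, min_avg_pkt=300):
    """Flag (target, service) pairs receiving unsolicited reflector responses
    from many sources with a large average packet size."""
    # requests the targets themselves sent: (requester, server, service_port)
    requests = {(src, dst, dport) for src, _, dst, dport, proto, _, _ in flows
                if proto == "udp" and dport in AMPLIFIER_PORTS}
    per_target = defaultdict(lambda: {"sources": set(), "pkts": 0, "bytes": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue
        if (dst, src, sport) in requests:
            continue  # a reply the target actually asked for
        agg = per_target[(dst, sport)]
        agg["sources"].add(src)
        agg["pkts"] += pkts
        agg["bytes"] += nbytes
    alerts = []
    for (dst, sport), agg in per_target.items():
        avg = agg["bytes"] / agg["pkts"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_pkt:
            alerts.append({
                "target": dst, "service": AMPLIFIER_PORTS[sport],
                "sources": len(agg["sources"]), "avg_pkt_bytes": round(avg),
                "megabits": round(agg["bytes"] * 8 / 1e6, 2),
            })
    return sorted(alerts, key=lambda a: -a["megabits"])


def packet_size_from_rates(gbps, mpps):
    """Average packet size implied by bit and packet rates: 300Gbps at
    90Mpps works out to roughly 417 bytes per packet, reflector-reply sized
    rather than the 60-byte packets of a SYN flood."""
    return gbps * 1e9 / 8 / (mpps * 1e6)


if __name__ == "__main__":
    for alert in amplification_summary(SAMPLE_FLOWS):
        print(alert)
    print(round(packet_size_from_rates(300, 90)))
```

The legitimate NTP reply is excluded because the target's own outbound query is in the same flow set; the lone DNS reflector stays below the source-count threshold, which is the usual way to separate a reflector abusing one open resolver from a distributed attack.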
Eighth, hacktivists and nation states will increasingly target critical infrastructure.
iDefense expects greater focus on critical infrastructure protection (CIP) initiatives in 2015 as adversaries continue to find weaknesses in industrial control systems (ICS) globally.
“The increased development and growth of critical infrastructure engineering, consumer services automation and commercial cyber-physical systems will bring about device-monitoring challenges (such as non-deterministic behaviour), new vulnerabilities and new threat vectors,” said Ray.
“Attackers have access to tools to search the internet and locate sites on which ICS hardware runs openly (without encryption or authentication) on the internet. Organisations will need to do more thorough analysis of their network device and service exposure to the internet, and either limit the exposure or bolster the security and monitoring of the exposed devices and services.”
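One reason exposed ICS hardware is so easy to abuse is that classic fieldbus protocols carry no authentication or encryption at all. The following added example, not from the article or from iDefense, builds and parses Modbus/TCP frames and answers them with a simulated device, so the absence of any credential field is visible on the wire. The register layout, the function-code subset and the simulated device are assumptions for the example.

```python
import struct

# Modbus/TCP function codes used below
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
EXC_ILLEGAL_FUNCTION = 0x01


def build_request(tid, unit, fc, address, value_or_count):
    """Build an MBAP header plus PDU. There is no field anywhere for a
    credential: transaction id, unit id and function code are all it takes."""
    pdu = struct.pack(">BHH", fc, address, value_or_count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # protocol id 0 = Modbus
    return mbap + pdu


def parse_frame(frame):
    """Split a frame into header fields and PDU data, validating the length."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}


def parse_read_response(frame):
    """Return the register values from a read-holding-registers reply."""
    msg = parse_frame(frame)
    if msg["exception"]:
        raise ValueError("exception code 0x%02x" % msg["data"][0])
    count = msg["data"][0]
    return list(struct.unpack(">%dH" % (count // 2), msg["data"][1:1 + count]))


def simulated_device(frame, registers):
    """A minimal PLC-like responder (constructed for this example): it answers
    any well-formed request, because the protocol gives it no way to ask who
    is talking."""
    req = parse_frame(frame)
    if req["fc"] == FC_READ_HOLDING:
        start, count = struct.unpack(">HH", req["data"])
        values = registers[start:start + count]
        pdu = struct.pack(">BB%dH" % len(values), FC_READ_HOLDING, len(values) * 2, *values)
    elif req["fc"] == FC_WRITE_SINGLE:
        address, value = struct.unpack(">HH", req["data"])
        registers[address] = value                                   # the write just happens
        pdu = struct.pack(">BHH", FC_WRITE_SINGLE, address, value)   # echo as acknowledgement
    else:
        pdu = struct.pack(">BB", req["fc"] | 0x80, EXC_ILLEGAL_FUNCTION)
    return struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["unit"]) + pdu


if __name__ == "__main__":
    regs = [0] * 16
    regs[2] = 1234
    print(parse_read_response(simulated_device(build_request(1, 1, FC_READ_HOLDING, 2, 2), regs)))
    simulated_device(build_request(2, 1, FC_WRITE_SINGLE, 3, 77), regs)
    print(parse_read_response(simulated_device(build_request(3, 1, FC_READ_HOLDING, 2, 2), regs)))
```

The twelve-byte read request is the entire conversation needed to pull register contents, and the write request is accepted and echoed back with no more ceremony. This is why the exposure analysis Ray recommends has to treat any internet-reachable TCP/502 (or comparable ICS port) as a finding in itself, not something to judge by what service sits behind it.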
Ninth, greater targeting of open source software (OSS) vulnerabilities is expected.
“The software landscape is saturated with many OSS products. Some of these products, or libraries, such as OpenSSL, are even integrated into another piece of software,” said Ray.
“This creates widespread vulnerabilities when exploits are developed. Though many OSS projects consist of many files and thousands of lines of code, a motivated reverse-engineer can simply download a copy of the program and review its source code to identify flaws in the logic.”
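Because bundled copies of libraries such as OpenSSL are what turn one disclosure into many affected products, an inventory of which versions are embedded where is the first defensive step. The following added example, not from the article, scans byte blobs for the version banner OpenSSL compiles into its libraries and flags any below an operator-chosen minimum, handling the old letter-suffix versioning. The sample blobs and the `1.0.1g` baseline are assumptions for the example.

```python
import os
import re

# Matches the banner OpenSSL compiles into libcrypto/libssl, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013", including the letter-suffix scheme.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})\b")

# Constructed sample files (stand-ins for real binaries on disk): name -> bytes
SAMPLE_FILES = {
    "fw.bin": b"\x7fELF...\x00OpenSSL 1.0.1e 11 Feb 2013\x00...OpenSSL 0.9.8y 5 Feb 2013\x00",
    "app.so": b"\x00\x00OpenSSL 1.0.1g 7 Apr 2014\x00\x00",
    "tool": b"\x7fELFno crypto here\x00",
}


def parse_version(text):
    """'1.0.1e' -> (1, 0, 1, 'e'). The suffix compares as a string, so
    '' < 'a' < 'b' ... and '1.0.2' sorts above '1.0.1g'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def versions_in_blob(blob):
    """All distinct OpenSSL version strings embedded in a binary blob."""
    return {"%s.%s.%s%s" % tuple(g.decode() for g in m.groups())
            for m in VERSION_RE.finditer(blob)}


def audit(files, minimum):
    """Map each file to its embedded versions, flagging those below `minimum`.
    A file may carry several banners when it links more than one copy."""
    floor = parse_version(minimum)
    report = {}
    for name, blob in files.items():
        found = sorted(versions_in_blob(blob), key=parse_version)
        report[name] = [(v, parse_version(v) < floor) for v in found]
    return report


def audit_directory(root, minimum):
    """Same check over real files under `root` (read as raw bytes)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = fh.read()
    return {path: hits for path, hits in audit(files, minimum).items() if hits}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_FILES, "1.0.1g").items():
        for version, outdated in hits:
            print("%s: OpenSSL %s%s" % (name, version, "  <-- below minimum" if outdated else ""))
```

Two points the output makes: `fw.bin` carries two banners, which happens when a firmware image statically links OpenSSL into more than one component, and the letter-suffix comparison is what stops `1.0.1e` being mistaken for newer than `1.0.1g` by a naive string sort.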
And iDefense’s 10th and final prediction is that bug bounty programmes and security research crowdsourcing are here to stay.
In 2014 the security industry saw the widespread adoption of bug bounty programmes by multiple companies, including some not usually associated with vulnerability research.
“This increase in adoption of bug bounty programmes is a testament to their effectiveness in meeting two goals: first, getting security researchers to privately report vulnerabilities within software; and second, ensuring that researchers are compensated for their time and effort, and hence are motivated to find vulnerabilities,” said Ray.
iDefense expects to see more companies follow suit and announce their own bug bounty programmes in 2015.
“The mission of defending your company is a continuously evolving collection of threats, technology and business objectives, driving the requirement for a multilayered intelligence-driven security approach,” said Ray.
“All stakeholders within a company’s supply and business ecosystem must be charged with responsibility to serve as data custodians, as a data breach can easily occur based on any of these trusted relationships of shared access.”
iDefense believes that, in 2015, both governments and private sector businesses will need to bolster their physical and cyber security defences, including their staffing, policy, operation centres and intelligence services.