An adversarial machine learning “arms race” will develop between defenders and attackers in the coming year, according to researchers at security firm McAfee.
This is the top prediction in the McAfee Labs 2018 threats predictions report, which identifies five key trends to watch in the coming year.
The report focuses on the evolution of ransomware from traditional to new applications, the cyber security implications of serverless applications, the privacy implications of corporations monitoring consumers in their own homes, long-term implications of corporations gathering children’s user-generated content, and the emergence of a machine learning innovation race between defenders and adversaries.
Machine learning can process massive quantities of data and perform operations at great scale to detect and correct known vulnerabilities, suspicious behaviour and zero-day attacks.
However, the report warns that adversaries will certainly employ machine learning themselves to support their attacks, learning from defensive responses, seeking to disrupt detection models, and exploiting newly discovered vulnerabilities faster than defenders can patch them.
To win this arms race, McAfee believes organisations must first augment machine judgment and the speed of orchestrated responses with human strategic intellect. Only then, according to the security firm, will organisations be able to understand and anticipate the patterns of how attacks might play out, even if they have never been seen before.
“The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders,” said Steve Grobman, chief technology officer at McAfee.
“We must recognise that although technologies such as machine learning, deep learning and artificial intelligence (AI) will be cornerstones of tomorrow’s cyber defences, our adversaries are working just as furiously to implement and innovate around them.
“As is so often the case in cyber security, human intelligence amplified by technology will be the winning factor in the ‘arms race’ between attackers and defenders.”
Evolution of ransomware targets
Second, the report predicts that ransomware will move from traditional extortion to new targets, technologies and objectives.
The profitability of traditional ransomware campaigns will continue to decline as software and technology defences, user education and industry strategies improve to counter them.
As a result, the report predicts that attackers will shift to less traditional, more profitable ransomware targets, including high net-worth individuals and the poorly protected connected devices that make up the internet of things (IoT).
The pivot from the traditional will see ransomware technologies applied beyond the objective of extortion of individuals, to cyber sabotage and disruption of organisations.
“They are all pseudo-ransomware, because while they share some characteristics of ransomware, their true purpose is not to collect ransoms but to act as a smokescreen for business disruption, data exfiltration and credential theft,” he told Computer Weekly.
Samani said it is important for cyber defenders in organisations to understand how cyber criminals are adapting and evolving attacks. “They are getting smarter and they are finding new ways to get at what they are after or to hide what they are really doing, be it through pseudo-ransomware, pseudo-DDoS [distributed denial of service] attacks or other blended attacks,” he said.
The drive among adversaries for greater damage, disruption and the threat of greater financial impact will not only spawn new variations of cyber crime “business models”, but also begin to seriously drive the expansion of the cyber insurance market, the report said.
Serverless apps increase risk
Third, although organisations are switching to serverless apps to save time and reduce costs, these apps will also increase the attack surface of the organisations implementing them, and are likely to become a significant security risk in 2018 and beyond.
Serverless apps enable greater granularity, such as faster billing for services, but they are vulnerable to attacks exploiting privilege escalation and application dependencies.
They are also vulnerable to attacks on data in transit across a network, and potentially to brute-force denial of service attacks, in which the serverless architecture fails to scale and incurs expensive service disruptions.
“Serverless apps that are quickly implemented or rapidly deployed can use an inappropriate privilege level, leaving the environment open to a privilege escalation attack,” said Samani.
“Similarly, the speed of deployment can result in a function depending on packages pulled from external repositories that are not under the organisation’s control and have not been properly evaluated.”
There are also new risks, according to Samani. “By looking at the URL, we can tell if the request is going to a serverless environment. As a result, it might be possible for an attacker to disrupt or disable the infrastructure from the outside, affecting a large number of organisations,” he said.
“Another risk is the data included in the function call. Because the data is not on the same server that the function is being executed on, it must transit some network and may be at risk of interception or manipulation.”
Organisations that use serverless apps, said Samani, should make sure their function development and deployment process includes the necessary security steps, and that traffic is appropriately protected by virtual private networks (VPNs) or encryption.
Gathering data from home devices
Fourth, connected home device manufacturers and service providers will seek to overcome thin profit margins by gathering more of our personal data – with or without users’ agreement – turning the home into a corporate store front, according to the report.
Corporate marketers will have powerful incentives to observe consumer behaviour to understand the buying needs and preferences of the device owners.
Because customers rarely read privacy agreements, the report predicts corporations will be tempted to change them frequently after the devices and services are deployed to capture more information and revenue.
McAfee believes that there will be regulatory consequences for corporations that make the calculation to break existing laws, pay fines and continue such practices, thinking they can do so profitably.
Privacy and security of children
Fifth, the report predicts that corporations collecting children’s digital content will pose long-term reputation risks.
In their pursuit of user app “stickiness”, corporations will become more aggressive in enabling and gathering user-generated content from younger users.
In 2018, parents will become aware of notable corporate abuses of digital content generated by children, and consider the potential long-term implications of these practices for their own children.
“This is an aspect of security and privacy that is not often discussed, but as a parent this is probably one of my biggest concerns,” said Samani.
McAfee believes many future adults will suffer from negative “digital baggage”, user content developed in a user-app environment where socially appropriate guidelines are not yet well-defined or enforced, and where the user interface is so personally engaging that children and their parents do not consider the consequences of creating content that corporations could use and potentially abuse in the future.
However, in a competitive app environment, McAfee predicts that the most enterprising, forward-looking apps and services will recognise the brand-building value of making themselves a partner with parents in this education effort.