The security industry’s predictions for 2017 have been flying thick and fast in the lead-up to the Christmas break, but consistency between the key themes suggests that the safe money is on a rise in damaging distributed denial of service (DDoS) attacks and increasingly sophisticated human-targeted compromises.
The expected surge in DDoS attacks is largely attributed to Mirai, the novel DDoS proof of concept that became a nightmare for organisations like Dyn and Deutsche Telekom. Mirai drove a rapid increase in the largest-ever DDoS attacks throughout 2016, and its presence at the intersection of two key security vulnerability vectors – DDoS attacks and Internet of Things (IoT) insecurity – makes it doubly problematic at every level.
In 2017 “cybercriminals will find it easy to extend their reach because there are so many IoT devices containing outdated code based on poorly-maintained operating systems and applications with well-known vulnerabilities,” predicts Sophos technology solutions director Justin Peters – who also warned of increasing attacks on financial infrastructure, increased use of PowerShell and other administration tools for compromises, evolution of ransomware and personal IoT attacks, and growth in socially-targeted phishing attacks that “can no longer be recognised by obvious mistakes”.
These themes were also present in Intel Security’s predictions for 2017, which predicted among other things that the coming year will see a mid-year peak in ransomware, and that hacktivists will target consumer privacy as a flood of fake news, reviews, likes, ads, security warnings, and more contribute to eroding trust online. “Passwords, and the people who create and use them, will remain the biggest weakness throughout most technologies for the foreseeable future,” the company’s analysts warn.
“Cloud authentication is no different and represents a much bigger payoff for thieves. Attackers, some of them very patient and sophisticated, will mine social networks, previously stolen passwords, and other personally identifiable information to steal credentials – especially focusing on cloud administration credentials.”
CyberArk chief marketing officer John Worrall was equally concerned about compromises of credentials but also noted the “game changer” posed by attacks on cloud infrastructure, the exploitation of machine learning to develop self-learning cyber attacks, and a flood of fake information: “we’ve seen information used as a weapon and propaganda tool in the 2016 US election cycle, but this will move to the next stage,” he warns, “where information can no longer be trusted at all.”
Forrester Research believes the convergence of these and other factors will make 2017 a battleground “that will determine the amount of control individuals have over their own data and right to privacy, as well as the offensive and defensive responsibilities of our governments.”
With governments weighing the appropriate levels for both defensive and offensive cybersecurity capabilities, Palo Alto Networks vice president and Asia-Pacific regional CSO Sean Duca predicted a growing threat from the exploitation of industrial control systems, IoT devices, and a “ransomware vortex with a nasty surprise” as attack volumes increase and attack technologies become more sophisticated. Duca also, like his peers, sees the erosion of trust as crucially important, with a “business reputational risk and a monetary price to pay”.
As well as warning of more-powerful and more-effective versions of existing attacks, some companies believe their convergence will breed entirely new threats. Security firm ESET, for one, sees ransomware as a key transformational force in 2017 and has coined a new trend that it calls RoT (Ransomware of Things), in which exploitation techniques will be used to hijack home devices – forcing you to pay Bitcoin, perhaps, for your morning coffee.
Trend Micro is thinking along the same lines, arguing that the number of new ransomware families will plateau in 2017 but that ransomware will branch out into IoT devices and non-computing terminals like point-of-sale systems or ATMs.
“Vendors will not secure IoT devices in time to prevent denial of service and other attacks,” Trend Micro data scientist and senior architect Dr Jon Oliver said while arguing that business email compromise, new targeted and increasingly-evasive attack methods and EU General Data Protection Regulation (GDPR)-driven compliance will all play roles in shaping the threat landscape next year.
“Cybercriminals have continuously changed their business models to ensure maximum profits from their activity,” he added, “and we will continue to see this transform with new attack methods threatening corporations, and expanding ransomware tactics impacting more devices.”
Security firm Neustar echoed the sentiment that 2017 will be more of the same as 2016, but worse: “The effectiveness of ransomware, phishing, and malware all reveal many inroads to create lucrative chaos in organisations,” the firm warned. “Next year will produce unlimited opportunity and potential for bad actors to achieve objectives that include theft, disruption, extortion, and impact.”
These and other predictions suggest trying times to come. So rest up over the Christmas-New Year break; by all accounts, you’re going to need it as the battle begins all over again in 2017.