Notes on Security in 2019

Editor’s Note: These notes — as well as information posted from the FS-ISAC newsletter (permitted to be distributed without restriction) — were shared by operating partner (and former Chief Security Officer at Box) Joel de la Garza internally. They’ve both been reposted below as a resource for those interested in the topics. 

Some of my quick thoughts on security trends this year

‘Passwordless auth’ becomes (even more) real

With the accelerating adoption of the WebAuthN standard and support for U2F showing up in Safari, it’s highly likely that a large consumer websites will adopt a “passwordless auth” experience for users.

Discussions with industry peers indicate that major entertainment companies and others are considering limited tests of the technology to help reduce friction and the number of customer support calls for password issues.

Cloud configuration overtakes ‘phishing’ as top source of breached data

When the numbers are finally crunched for 2018 it’s likely that mis-configured cloud services will overtake phishing attacks as the number one source of breached personal records.

There have been a number of large breaches in the last year resulting from cloud service configuration errors — and there aren’t indications that this trend is changing.

‘New Cold War’ goes… warm, online

With a number of analysts claiming we have entered into a ‘New Cold War’ with China, and possibly Russia, early indications seem to be that that war will escalate online. In the past year, a number of previously dormant Chinese hacking groups have sprung back to life along with several high-profile Russian groups.

These groups appear to be refining their operational security practices and looking to better mask attribution of their attacks. Critical infrastructure operators have been reporting an increase in activity that usually presages a larger campaign. There have also been some concerns raised about another attack similar to the attack on the PG&E substation in San Jose in 2013. Law enforcement sources have indicated that potential reconnaissance operations have been conducted recently by nation-state agents.

Other notes on security released by various industry sources (via Financial Services – Information Sharing and Analysis Center)

from Forcepoint [source]
  • The winter of AI
    • There is no real AI in cybersecurity, nor any likelihood for it to develop in 2019
  • Industrial IoT disruption at scale
    • Attackers will disrupt Industrial Internet of Things (IIoT) devices using vulnerabilities in cloud infrastructure and hardware
  • A counterfeit reflection
    • Hackers will game end-user face recognition software, and organizations will respond with behavior-based systems
  • Courtroom face-off
    • 2019 will see a court case in which, after a data breach, an employee claims innocence and an employer claims deliberate action
  • A collision course to cyber cold war
    • Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries
  • Driven to the edge
    • Consumer concern about breaches will cause companies to embrace edge computing in order to enhance privacy. Designers will face significant headwinds with adoption due to low user trust
  • Cybersecurity cultures that do not adapt will fail
    • Industry-wide “security trust ratings” will emerge as organizations seek assurances that partners and supply chains are trusted partners
from Trend Micro [source]
  • Consumers
    • Social engineering via phishing will replace exploit kits as attack vector
    • Chatbots will be abused
    • E-celeb accounts will be abused in watering hole attacks
    • Actual mass real-world use of breached credentials will be seen
    • Sextortion cases will rise
  • Enterprises
    • Home networks in work-from-home scenarios will open enterprises to BYOD-like security risks
    • GDPR regulators will penalize the first high-profile violator the full 4
    • Real-world events will be used in social engineering attacks
    • Business email compromise will go 2 levels down the org chart
    • Automation will be a new wrinkle in business process compromise
    • Digital extortion’s wide field of application will be explored
  • Governments
    • Fight against ‘fake news’ will buckle under the pressure of various elections
    • Innocent victims will get caught in the crossfire as countries grow their cyber presence
    • Regulatory oversight will intensify
  • Security Industry
    • Cybercriminals will use more techniques to blend in
    • 99% of exploit-based attacks will still not be based on 0-Day vulnerabilities
    • Highly targeted attacks will begin using AI-powered techniques
  • Industrial Control Systems
    • Real-world attacks targeting ICSs will become a rising concern
    • HMI bugs will continue to be the primary source of ICS vulnerabilities
  • Cloud Infrastructure
    • Misconfigured security settings during cloud migration will result in more data breaches
    • Cloud instances will be used for cryptocurrency mining
    • More cloud-related software vulnerabilities will be discovered
  • Smart Homes
    • Cybercriminals will compete for dominance in an emerging IoT ‘Worm War’
    • First case of senior citizens falling easy victims to smart health device attacks will emerge
  • Getting ready for the year ahead
    • More unknowns require intelligent multilayered security for enterprises
    • Developers must embrace DevOps culture with security as a focus
    • Users must take up responsible digital citizenship and security best practices
from McAfee [source]
  • Cybercriminal underground to consolidate, create more partnerships to boost threats
  • Artificial intelligence the future of evasion techniques
  • Synergistic threats will multiply, requiring combined responses
  • Misinformation, extortion attempts to challenge organizations’ brands
  • Data exfiltration attacks to target the cloud
  • Voice-controlled digital assistants the next vector in attacking iot devices
  • Cybercriminals to increase attacks on identity platforms and edge devices under siege
from Kaspersky [source]
  • No more big APTs
    • The security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.
  • Networking hardware and IOT
    • Massive botnet-style attacks may affect IoT devices and critical infrastructure. Network hardware vulnerabilities could lead to a massive botnet-style compromise.
  • Public retaliation
    • High-profile attacks, on the geopolitical stage, may be used to exploit the fear of uncertainty — giving rise to increased false flag incidents.
  • Emergence of newcomers
    • The APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game. (South East Asia and the Middle East are regions where such groups are becoming more prevalent.)
  • The negative rings
    • Citing Meltdown and Spectre as examples, expect an increase in the development and exploitation of lower level malware. Hypervisor and UEFI malware will continue to see growth.
  • Your favorite infection vector
    • Listed as “the most successful infection vector ever”, spear-phishing is expected to play a bigger role going forward. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.
  • Destructive destroyer
    • Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Citing Olympic destroyer as evidence of their effectiveness, we expect to see more occurring, especially in retaliation to political decisions.
  • Advanced supply chain
    • Supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and if it does, we will probably never know.
  • And mobile
    • It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.
from Malwarebytes [source]
  • New, high-profile breaches will push the security industry to finally solve the username/password problem
  • IoT botnets will come to a device near you
  • Digital skimming will increase in frequency and sophistication
  • EternalBlue or a copycat will become the de facto method for spreading malware in 2019
  • Cryptomining on desktops, at least on the consumer side, will just about die
  • Attacks designed to avoid detection, like soundloggers, will slip into the wild
  • Artificial Intelligence will be used in the creation of malicious executables
  • Bring your own security grows as trust declines
from Symantec [source]
  • Attackers will exploit artificial intelligence systems and use AI to aid assaults
  • Defenders will depend increasingly on AI to counter attacks and identify vulnerabilities
  • Growing 5G deployment and adoption will begin to expand the attack surface area
  • IOT-based events will move beyond massive DDOS assaults to new, more dangerous forms of attack
  • Attackers will increasingly capture data in transit
  • Attacks that exploit the supply chain will grow in frequency and impact
  • Growing security and privacy concerns will drive increased legislative and regulatory activity
from FireEye [source]
  • Follow the leader
    • Without a deterrent, attackers are going to keep targeting networks and getting through
  • Staffing, cloud, and consolidation
    • A lot of innovation in 2019 is going to deal with consolidation
  • Intelligence declassified
    • …remain skeptical about what you read, especially on the internet
    • The supply chain can offer attackers access to multiple high value targets so that they can capture a wide range of information. Plus, if the threat actor is targeting deep enough in the supply chain, there’s a good chance that they can operate unnoticed.
  • A view from the clouds
    • There have been a lot of cloud-related challenges throughout 2018 and we expect to see those continue and evolve as we move into 2019.
    • First, a lot of data is moving to the cloud and the attackers are going right along with it. We’re seeing a massive uptick in the number of incidents that involve cloud, and that’s really just attackers following the data. It’s not really about cloud being more or less secure.
    • Really, the question you should be asking is: Do you have visibility for the things that are going on in the cloud, and are you able to set up your security operations center (SOC) to be able to respond to something that happens?
  • From the Files of FireEye Threat Intelligence
    • Restructuring of Chinese cyber espionage
    • China’s belt and road initiative to drive cyber espionage activity in 2018 and beyond
    • Iranian cyber threat activity against U.S. entities likely to increase following U.S. exit from JCPOA, may include disruptive or destructive attacks
    • Cyber norms unlikely to constrain nation-state cyber operations in the near future
    • Publicly available malware usage by FIN and APT groups
    • Abuse of legitimate services for command and control
  • On assignment with FireEye Mandiant
    • Expect to see a spike in financial threat actors targeting e-commerce websites and gift cards
    • Russian targeting broadens, while emerging nations scramble to keep up
    • Continued shift from point of sale to e-commerce environments
    • Online banking portals in the crosshairs of attackers
    • Target: supply chain
  • Under the lens of FireEye Labs
    • Social engineering is the most commonly used attacker technique because it works
    • As the threat landscape evolves, so does security
    • Business email compromise leveraged in targeted attacks
    • Use of emerging technologies to evade detection
    • Other evasive maneuvers
  • Global Insights: APAC
    • The impact of skilled individual attackers and nation-state actors with skills but insufficient resources will be felt more strongly by organizations that have failed to keep up with security developments
    • Sights on the 2020 Olympics in Tokyo
    • Threat evolution
  • Global Insights: EMEA
    • With attribution, cyber criminal activities will hopefully become harder to execute in the long run, and this could bring deterrence
    • The dark side of social media
    • Lack of resources introduces risk
    • The fight begins with attribution
    • Critical infrastructure attacks looming
  • Global Insights: LATAM
    • Regions such as Latin America and Africa will become targets of more impactful attacks, which will be relevant enough to gain coverage in media outlets around the world
    • To stay ahead of threats in 2019, organizations need to begin shifting from a compliance-based approach to a security-based approach