Dire warnings of security threats from two leading industry suppliers will either stimulate network operators into a frenzy of preventative activity or have them wondering if their world is coming to an end.
Kevin McNamee, director of Nokia’s Threat Intelligence Lab, kicked off the release of Nokia’s Threat Intelligence Report 2019 with the warning that:
“Cyber criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed. You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”
The report highlights the fast-growing and evolving threat of malicious software targeting Internet of Things (IoT) devices:
- IoT botnet activity represented 78% of malware detection events in communication service provider networks in 2018, more than double the rate seen in 2016, when IoT bot activity was first seen in meaningful numbers;
- IoT bots now make up 16% of infected devices in CSP networks, up significantly from 3.5% a year ago;
- Malware threats against IoT devices could get worse as consumer adoption of such devices accelerates in the years ahead and as 5G capabilities – including extreme broadband, ultra-low latency connectivity and massive networking – advance.
As a further indicator of the rising threat, the report found that malware-driven crypto-coin mining (cryptojacking) is expanding from high-end servers with specialized processors to IoT devices, smartphones and web browsers. Crypto-coin mining is the process by which cryptocurrency transactions are verified and added to a blockchain; mining malware runs that process on the victim’s hardware, so the criminal keeps the reward while the victim pays for the CPU time and electricity.
Industry analysts widely expect IoT device adoption to accelerate with 5G. The high bandwidth, large-scale and ultra-low latency capabilities of 5G greatly facilitate connecting billions of things to the internet, including smart home security monitoring systems, vehicles, drones and medical devices.
But, as the Threat Intelligence Report’s findings underscore, the weak security of many current IoT devices, combined with the increasing technical sophistication of attackers, gives cyber criminals broader scope for successfully launching IoT device attacks.
Part of the rise in the IoT share of infections is a relative effect: infection rates on mobile and fixed-network devices fell in 2018 compared with previous years, so IoT bots make up a larger fraction of a smaller total. That fall reflects not only cyber criminals looking further afield for softer targets, such as IoT devices, but also better-protected networks, platforms and mobile devices that are designed and built with security in mind.
Derek Manky, Chief of Security Insights & Global Threat Alliances at Fortinet, was no less pessimistic, stating that:
“We are seeing significant advances in cybercriminal tools and services which leverage automation and the precursors of AI. Organizations need to rethink their strategy to better anticipate threats and to combat the economic motivations forcing them back to the drawing board. Rather than engaging in a perpetual arms race, organizations need to embrace automation and AI to shrink the windows from intrusion-to-detection and from detection-to-containment.”
Manky unveiled predictions from the FortiGuard Labs team about the threat landscape for 2019 and beyond. These predictions describe the methods and techniques that Fortinet researchers anticipate cybercriminals will employ in the near future, along with the strategy changes that will help defend against them. A more detailed view of the predictions and key takeaways for CISOs is available on Fortinet’s blog. Highlights of the report follow:
Cyber Attacks Will Become Smarter and More Sophisticated
For many criminal organizations, attack techniques are evaluated not only in terms of their effectiveness, but in the overhead required to develop, modify, and implement them. As a result, some attacks can be interrupted by making changes to people, processes, and technologies. One way that organizations are doing this is by adopting new technologies and strategies such as machine learning and automation to take on tedious and time-consuming activities that normally require a high degree of human supervision and intervention. These newer defensive strategies are likely to impact cybercriminal strategies, causing them to shift attack methods and accelerate their own development efforts. In an effort to adapt to the increased use of machine learning and automation, we predict that the cybercriminal community is likely to adopt the following strategies, which the cybersecurity industry as a whole will need to follow closely.
- Artificial Intelligence Fuzzing (AIF) and Vulnerabilities: Fuzzing has traditionally been a sophisticated technique used in lab environments by professional threat researchers to discover vulnerabilities in hardware and software interfaces and applications. They do this by injecting invalid, unexpected, or semi-random data into an interface or program and then monitoring for events such as crashes, undocumented jumps to debug routines, failing code assertions, and potential memory leaks. However, as machine learning models are applied to this process we predict that this technique will become more efficient and tailored. As cybercriminals begin to leverage machine learning to develop automated fuzzing programs they will be able to accelerate the process of discovering zero-day vulnerabilities, which will lead to an increase in zero-day attacks targeting different programs and platforms.
- Zero-Day Mining Using AIF: Once AIF is in place, it can be pointed at code within a controlled environment to mine for zero-day exploits. This will significantly accelerate the rate at which zero-day exploits are introduced. Once zero-day mining-as-a-service becomes available, it will drastically change how organizations need to approach security, as there will be no way to anticipate where these zero-days will appear, nor how to properly defend against them. This will be especially challenging for the isolated or legacy security tools which many organizations have deployed in their networks today.
- The “Price” of Zero-Days: Historically, the price of zero-day exploits has been quite high, primarily because of the time, effort, and skill required to uncover them. But as AI technology is applied over time, such exploits will shift from being extremely rare to becoming a commodity. We have already witnessed the commoditization of more traditional exploits, such as ransomware and botnets, and the results have pushed many traditional security controls to their limits. The acceleration in the number and variety of available vulnerabilities and exploits, including the ability to quickly produce zero-day exploits and provide them as a service, may radically impact the types and costs of services available on the dark web.
- Swarm-as-a-Service: Significant advances in sophisticated attacks powered by swarm-based intelligence technology are bringing us closer to a reality of swarm-based botnets known as hivenets. This emerging generation of threats will be used to create large swarms of intelligent bots that can operate collaboratively and autonomously. These swarm networks will not only raise the bar in terms of the technologies needed to defend organizations, but, like zero-day mining, they will also have an impact on the underlying cybercriminal business model. Ultimately, as exploit technologies and attack methodologies evolve, their most significant impact will be on the business models employed by the cybercriminal community. Currently, the criminal ecosystem is very people-driven. Professional hackers for hire build custom exploits for a fee, and even new advances such as Ransomware-as-a-Service require black hat engineers to stand up different resources, such as building and testing exploits and managing back-end C2 servers. But when delivering autonomous, self-learning Swarms-as-a-Service, the amount of direct interaction between a hacker-customer and a black hat entrepreneur drops dramatically.
- A-la-Carte Swarms: The ability to subdivide a swarm into different tasks to achieve a desired outcome is very similar to the way the world has moved towards virtualization. In a virtualized network, resources can spin up or spin down VMs based entirely on the need to address particular issues such as bandwidth. Likewise, resources in a swarm network could be allocated or reallocated to address specific challenges encountered in an attack chain. A swarm that criminal entrepreneurs have already preprogrammed with a range of analysis tools and exploits, combined with self-learning protocols that allow the bots to work as a group to refine their attack protocols, makes purchasing an attack as simple for cybercriminals as selecting from an a-la-carte menu.
- Poisoning Machine Learning: Machine learning is one of the most promising tools in the defensive security toolkit. Security devices and systems can be trained to perform specific tasks autonomously, such as baselining behaviors, applying behavioral analytics to identify sophisticated threats, or tracking and patching devices. Unfortunately, this process can also be exploited by cyber adversaries. By targeting the machine learning process, cybercriminals will be able to train devices or systems to not apply patches or updates to a particular device, to ignore specific types of applications or behaviors, or to not log specific traffic to evade detection. This will have an important evolutionary impact on the future of machine learning and AI technology.
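The fuzzing loop that the first two predictions describe (mutate an input, run it through the target, watch for crashes, keep any input that reaches new code) in miniature. This is an added example written for this page, not code from Fortinet, FortiGuard Labs or Nokia: the tag/length/value format, the planted bounds bug in the `0x7F` branch, the seed input and the `bounds_check` flag that switches the fix on are all constructed here. Python's `sys.settrace` stands in for the compile-time instrumentation a real coverage-guided fuzzer uses.

```python
"""Coverage-guided mutation fuzzing in miniature (added example; constructed
target, bug and seed; not code from the report or the vendors it quotes)."""
import random
import sys


class ParseError(Exception):
    """The parser's own, expected rejection of malformed input."""


def parse_tlv(data: bytes, bounds_check: bool = False) -> list:
    """Parse a constructed format: records of tag(1) len(1) value(len).
    Tag 0x7F is "extended": the first two value bytes hold a 16-bit length of
    extra payload that follows.  The planted bug trusts that length and reads
    past the buffer (IndexError); bounds_check=True applies the fix."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ParseError("truncated header")
        tag, length = data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ParseError("truncated value")
        value = data[i:i + length]
        i += length
        if tag != 0x7F:
            records.append((tag, value))
            continue
        if length < 2:
            raise ParseError("extended length too short")
        ext = (value[0] << 8) | value[1]
        if bounds_check and i + ext > len(data):
            raise ParseError("truncated extended payload")   # the fix
        payload = bytes(data[i + k] for k in range(ext))     # bug: unchecked read
        i += ext
        records.append((tag, payload))
    return records


def run_with_coverage(target, data, kwargs):
    """Run target(data) once; return (outcome, set of target lines executed).
    sys.settrace replaces the instrumentation a real fuzzer compiles in."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target.__code__:
            return None  # trace only the target function itself
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        target(data, **kwargs)
        outcome = "ok"
    except ParseError:
        outcome = "rejected"  # the parser's own error: expected, not a bug
    except Exception as exc:  # anything else is a finding
        outcome = "crash:" + type(exc).__name__
    finally:
        sys.settrace(None)
    return outcome, frozenset(lines)


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary bytes, as AFL uses


def mutate(rng, data: bytes) -> bytes:
    """One random mutation: bit flip, boundary byte, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations=30000, rng_seed=1, **kwargs):
    """Mutate corpus entries, keep those that reach new lines, stop at the
    first crash.  Returns a dict describing the crash, or None."""
    rng = random.Random(rng_seed)
    corpus, seen = list(seeds), set()
    for entry in corpus:
        seen |= run_with_coverage(target, entry, kwargs)[1]
    for n in range(1, iterations + 1):
        child = mutate(rng, rng.choice(corpus))
        outcome, cov = run_with_coverage(target, child, kwargs)
        if outcome.startswith("crash:"):
            return {"outcome": outcome, "input": child, "iterations": n,
                    "corpus_size": len(corpus)}
        if cov - seen:  # new coverage: keep as a parent for later mutations
            seen |= cov
            corpus.append(child)
    return None


# Constructed seed: three well-formed records, none using the 0x7F tag.
SEEDS = [b"\x01\x02AB\x02\x02CD\x03\x02EF"]

if __name__ == "__main__":
    print("vulnerable parser:", fuzz(parse_tlv, SEEDS))
    print("hardened parser:  ", fuzz(parse_tlv, SEEDS, bounds_check=True))
```

Run against the unpatched parser the loop finds the out-of-bounds read within a few thousand mutations; with `bounds_check=True` it only ever sees `ParseError` and reports nothing. The same asymmetry the prediction worries about works in the defender's favour: this loop, run in CI with a real fuzzer such as AFL++ or libFuzzer against your own parsers, finds the same bug before an adversary's fuzzer does.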
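The poisoning scenario in the last bullet, worked through on a self-learning behavioural baseline. This is an added example written for this page, not Fortinet's code or a description of any product: a detector that keeps an exponentially weighted mean and variance of one metric (say outbound kilobytes per minute from one host) and feeds every observation it does not flag back into its baseline, an attacker who grows its traffic by a small step each minute so that no single step looks anomalous, and a hardened variant whose learning is gated by a pinned reference baseline that never updates itself. The training window and traffic figures are constructed.

```python
"""Poisoning a self-updating anomaly baseline, and one mitigation (added
example; constructed data; not code from the report or its authors)."""
import math


class BaselineDetector:
    """Self-updating z-score detector for one metric.  Anything not flagged
    is learned -- the naive behaviour an attacker can drift."""

    def __init__(self, alpha=0.1, z_threshold=3.0):
        self.alpha, self.z_threshold = alpha, z_threshold
        self.mean = self.var = None

    def fit(self, window):
        """Initial training on a window of known-good observations."""
        n = len(window)
        self.mean = sum(window) / n
        self.var = sum((x - self.mean) ** 2 for x in window) / n

    @staticmethod
    def zscore(x, mean, var):
        if var <= 0:
            return 0.0 if x == mean else float("inf")
        return abs(x - mean) / math.sqrt(var)

    def may_learn(self, x):
        return True  # naive: every unflagged observation is "normal"

    def learn(self, x):
        """Exponentially weighted update of mean and variance."""
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)

    def observe(self, x):
        """Score x; return "anomaly" or None; then update the baseline."""
        if self.zscore(x, self.mean, self.var) > self.z_threshold:
            return "anomaly"
        if self.may_learn(x):
            self.learn(x)
        return None


class HardenedDetector(BaselineDetector):
    """Same scoring, but an observation may only move the adaptive baseline
    if it is also normal relative to a pinned reference that never learns.
    Observations that fail the gate are counted for human review instead."""

    def fit(self, window):
        super().fit(window)
        self.ref_mean, self.ref_var = self.mean, self.var
        self.quarantined = 0

    def may_learn(self, x):
        if self.zscore(x, self.ref_mean, self.ref_var) <= self.z_threshold:
            return True
        self.quarantined += 1
        return False


# Constructed data: 16 minutes of normal traffic around 100 KB/min, then an
# attacker that raises its own volume by 3 KB/min every minute for 300 minutes
# (each step well inside the drifting 3-sigma band) and holds at 1000 KB/min.
TRAINING = [95, 104, 99, 110, 92, 101, 106, 97, 103, 100, 94, 108, 102, 96, 105, 98]
ATTACK = [100 + 3 * t for t in range(1, 301)] + [1000] * 20


def simulate(detector, training, stream):
    """Return [(minute, value, alert_kind)] for every alert raised."""
    detector.fit(training)
    alerts = []
    for minute, x in enumerate(stream, 1):
        kind = detector.observe(x)
        if kind:
            alerts.append((minute, x, kind))
    return alerts


if __name__ == "__main__":
    naive = BaselineDetector()
    print("naive alerts:", simulate(naive, TRAINING, ATTACK))
    print("naive baseline now calls %.0f KB/min normal" % naive.mean)
    hard = HardenedDetector()
    alerts = simulate(hard, TRAINING, ATTACK)
    print("hardened first alert:", alerts[0], "quarantined:", hard.quarantined)
```

The naive detector never alerts and ends the run believing roughly 1000 KB/min is normal; the hardened one alerts within the first ten minutes of the ramp, because the observations above the pinned reference's band were never allowed to move the baseline. The general point is that a model which retrains itself on unreviewed production data hands the attacker a write path into its own definition of normal; keeping a reference the adversary cannot touch, and routing rejected observations to a human rather than into the model, closes it.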
Defences Will Become More Sophisticated
To counteract these developments, organizations will continue to raise the bar for cybercriminals. Each of these defensive predictions will have an impact on cybercriminal organizations, forcing them to change tactics, modify attacks, and develop new ways to assess opportunities. The cost of launching their attacks will escalate, requiring criminal developers to either spend more resources for the same result, or find a more accessible network to exploit.
- Advanced deception tactics: Integrating deception techniques into security strategies, introducing network variations built around false information, will force attackers to continually validate their threat intelligence, expend time and resources separating real targets from decoys, and confirm that the networked resources they can see are actually legitimate. And since any interaction with a false network resource can be detected immediately, automatically triggering countermeasures, attackers will have to be extremely cautious performing even basic tactics such as probing the network.
- Unified open collaboration: One of the easiest ways for a cybercriminal to maximize the investment in an existing attack and possibly evade detection is to make a minor change, even something as basic as changing an IP address. An effective way to keep up with such changes is by actively sharing threat intelligence. Continuously updated threat intelligence allows security vendors, and their customers, to stay abreast of the latest threat landscape. Open collaboration between threat research organizations, industry alliances, security manufacturers, and law enforcement agencies will significantly shorten the time to detect new threats by exposing the tactics used by attackers. Rather than only being reactive, applying behavioral analytics to live data feeds shared through open collaboration will enable defenders to predict the behavior of malware, undermining the current cybercriminal model of repeatedly reusing existing malware with small modifications.
Speed, Integration, and Automation Are Critical Cybersecurity Fundamentals
No future defense strategy built on automation or machine learning can work without a means to collect, process, and act on threat information in an integrated manner. To contend with the growing sophistication of threats, organizations must integrate all security elements into a security fabric so that they can find and respond to threats at speed and scale. Threat intelligence correlated and shared across all security elements needs to be automated to shrink the detection window and to enable quick remediation. Integration of point products deployed across the distributed network, combined with strategic segmentation, will significantly help fight the increasingly intelligent and automated nature of attacks.