- Breaches will appear to be more frequent, more public, and more dramatic than in previous years
- New attack vectors will emerge just as the industry figures out how to foreclose on older ones
- Artificial intelligence (AI) and machine learning (ML) will increase the stakes for both attackers and defenders
- Threatscape innovation spurs defensive acceleration to zero-trust and “carbon problem” mitigations
Prediction blogs abound this time of year, so top off your eggnog and drink in one more. The forecasts that follow originate from multiple well-informed thought leaders across Bromium business functions. We are grateful for their thoughtful contributions. Collectively polishing the crystal ball from our unique vantage point of hardware-enforced security isolation, Bromium Threat Labs humbly offers the following prognostications for the 2019 threatscape.
Breach Awareness Ramps Up to 11
Next year is shaping up to be the loudest, most noteworthy year on record for breaches due to increasingly stringent worldwide reporting and notification requirements—GDPR foremost among them. Expect a who’s-who of organizations reporting eye-popping numbers of victims in the mega-millions, coupled with huge fines of seven, eight, or even nine figures. The Marriott hack—involving a breach of personal information for up to half a billion customers—may be the first test of GDPR including large multi-million-dollar fines. So, while it might appear that breaches are undergoing a massive increase in quantity, much can be chalked up simply due to mandatory reporting.
Browser Attacks Resurge
File-Based Malware Evolves to Stay on Top
We expect that file-based malware will continue to be the largest source of attacks via web downloads and email attachments. We’ll go out on a limb and predict that 2019 will be the year that Office documents finally start to lessen in importance as a threat vector, as more customers move to online versions of Office/Google Docs, and especially as Microsoft finally begins to apply protections against macros and processes launched from Office (e.g. PowerShell). Users will continue to be the weakest link in the security chain, with at least one “vulnerability” previously considered as “behaving as designed” being patched to remove the risky functionality (e.g. removing DDE from Office documents this year). Malware authors will continue to work feverishly to develop new threat vectors which should begin to appear later in 2019.
Hardware Vulnerabilities Resurface
2018 felt like it was the year of the hardware hack. Spectre and Meltdown became the most expensive vulnerabilities of all time, with Intel, AMD, Microsoft and countless others throwing money at high-profile emergency patches, at the expense of performance. The Supermicro chip implant scare—now partially discredited—which allegedly impacted Apple and Amazon, also highlighted how deliberate implanting of vulnerabilities into hardware is certainly within the realm of possibility for nation-state funded attackers. More hardware-based attacks will come to light, exposing both new and historical chip flaws, with the industry more on edge against malicious implants from international supply chains and intelligence agencies.
Supply Chain and Acquisition Vulnerabilities Increase
For most organizations, the threat of a hardware hack is of minimal concern, as there are more pressing issues to address. The rising number of breaches originating from third parties is just one of the threats facing organizations, with complex supply chains giving hackers a wider surface to attack. As the likes of Ticketmaster (embedded third-party chatbot) and Under Armour (MyFitnessPal connected tracker acquisition) showed, there is increasing risk originating from the supply chain, with organizations having less control over how their data is accessed and managed. Whether it’s a case of using third party services, plug-ins, or in the case of Marriott International, acquiring compromised organizations—which may be a nation-state attack—third parties can increase the risk of a breach. We’re likely to see further failures originating from the supply chain next year, with organizations continuing to depend on detection-alone to protect high-value assets.
Exploit Kits Explode Back on the Scene
We forecast an exploit kit resurgence in 2019, as browser security improves and document vulnerabilities recede in prevalence. Malware-as-a-service and standards-based crimeware sharing will accelerate this trend. Many campaigns adopted cryptojacking last year, but huge cryptocurrency price falls reversed the momentum. We saw exploit kits increase, with new kits like Fallout quickly taking hold—to deliver ransomware and other unwanted payloads—partially fueled by two early-2018 zero-days. The Meltdown and Spectre patch pain many organizations felt at the start of the year caused some to take a less aggressive approach to patch management, increasing their vulnerability to known exploits. April 2018 brought us an IE zero-day for the first time in more than two years, and there were two Flash zero-days this year—all actively delivered by exploit kits, pushing typical banking Trojans and ransomware. A new Flash zero-day is emerging now, and no doubt will be integrated into exploit kits shortly. As Microsoft tightens up Office with initiatives like Attack Surface Reduction, attackers will look at other opportunities, and exploit kit demand will increase. Since IE and Flash have low market share, we expect to see exploit kits evolve to use social engineering techniques like fake updates.
New Attack Vectors Emerge
If browsers are (mostly) secure and Office documents finally become more secure—or at least economically harder to exploit—attackers will seek other vectors, likely via compromised apps and installers. Websites will get hacked using techniques like the compromised npm package, with modified installers becoming the main way to infiltrate enterprises via downloads. Such code-dependency attacks may also be used to target organizations directly, by injecting modified dependencies into enterprise-run web services.
Artificial Intelligence and Machine Learning Go Mainstream
Artificial Intelligence and Machine Learning will see markedly increased prevalence, with one of our forecasters estimating the near future will contain AI in up to 80% of all attacks, including innovative next-generation malware containing a mix of different malware types (kitchen-sink attacks) combined with AI to find the least-defended entry point for each victim. We expect to see big-hype defensive projects from established players and upstarts alike, plus increased use of AI/ML by the bad guys (they’ll innovate faster than defenders), leading to AI vs. AI battles for cybersecurity dominance.
Phishing Attacks Get Up Close and Personal
Spear-phishing attacks will get increasingly customized, targeted and sophisticated. The recent InPage document vulnerability (CVE-2017-12824) attack shows attackers leveraging advanced tools, zero-days, multi-vector and multi-stage attacks to remain undetected. Personalized attacks make targets believe the message is authentic, and once they click on the link or open the attachment, the attacker gains full control. Using fileless, obfuscated payloads, domain-fronting techniques for covert command-and-control communication, and lateral movement, they hide until they achieve their goal. We expect to see micro-targeted, vertical-specific attacks that go way beyond today’s drive-by downloads or SPAM/phishing worldwide email sending. We track Emotet—a modular banking Trojan—as the leader in sample freshness, evading layers of detection-based tools, but others will copy this approach. With bulk repacking of malware at scale, we might soon reach a point where every victim gets their own personalized malware, rendering hash-based detection tools and analysis completely useless.
Ransomware Gets Smarter and More Targeted
We expect to continue seeing ransomware in browsers and file downloads/attachments. Often, new defense-evading downloaders deliver familiar encrypters, but we also expect payload innovation. We forecast more targeted and unique ransomware attacks, increasingly using AI to improve success rates. We predict ransomware will frequently combine with “doxing” to pressure victims to pay up—rather than simply recover documents from backups—involving exfiltration and threatened publication of documents containing confidential information about the company or their customers. We see ransomware becoming increasingly commoditized via on-demand services, with increased open-standards tool sharing. Lastly, we anticipate interest in crypto-malware (ransomware) will follow the prices of cryptocurrency. If Bitcoin continues to decline in value, then cyber-criminals will shift from ransomware to other profit generators, such as banking Trojans.
Credential Phishing: No Hacking Required
Credential phishing will almost certainly continue to rise because it’s easy, inexpensive, and frequently successful despite pervasive anti-phishing training within the enterprise. No hacking or network intrusion is needed, as victims willingly hand over the keys to the kingdom to imposter websites and applications. Credential theft attacks against businesses will continue, as the deployment difficulties and lack of standardization of multi-factor authentication systems prevent 100% adoption, although it is less applicable to national governments because of their near-ubiquitous use of two-factor authentication and Smart Cards.
Government Makes a Slow and Painful Transition
Governments have poured billions into network security—mainly for fixed endpoints on the enterprise domain—with comparatively few laptop or mobile devices. Mobile devices are inherently much less secure—even with forced VPN—compared to devices physically inside the building. Mobile and cloud will take center stage for the public sector next year. Government agencies will continue to struggle to secure the cloud, having aggressively moved there for cost savings. Differences in agency security models (access, logging, backups) and the slower pace of adoption of cloud technologies and processes will lead to continued errors in cloud security, like the recent Amazon Web Services “S3 bucket leaks” at US National Geospatial-Intelligence Agency.
Defenders Step Up their Game
We see “zero trust” network approaches taking root and strengthening, especially in larger organizations, down to the application level. Enterprises will assume the worst about their networks and choose to apply extra protections around their most precious assets—including server/cloud administration consoles, privileged workstations, web services, crown-jewel documents, and customer databases. By segmenting access to high value assets and isolating critical applications, organizations will be able to prevent cybercriminals from seeing or accessing sensitive data, even if the network, server or end-user device is compromised. The “carbon problem” (PEBKAC) remains the biggest risk, forcing organizations to take away users’ ability to cause harm, either deliberately or inadvertently. Email attachments, downloads, and phishing attacks for both credential theft and malicious content delivery will continue to be as active as ever, leading to continued escalation in the detection-evasion arms race.
And to All a Good Night
Happy Holidays to all intrepid security defenders—you can’t just close up shop and take off, because cybercrime never sleeps—in fact, the holidays are historically ripe for increased exploitation. But tonight, may you envision another future: one where your systems and networks are resilient against whatever the threatscape throws at you, using virtualization-based security to deflect the body blows by isolating high-value assets—endpoints, networks, web applications, and databases—out of reach of the attackers. It’s not just a dream. Bromium can help make this your new reality today!