- Breaches will appear to be more frequent, more public, and more dramatic than in previous years
- New attack vectors will emerge just as the industry figures out how to foreclose on older ones
- Artificial intelligence (AI) and machine learning (ML) will increase the stakes for both attackers and defenders
- Threatscape innovation will spur defensive acceleration toward zero-trust and “carbon problem” mitigations
Prediction blogs abound this time of year, so top off your eggnog and drink in one more. The forecasts that follow originate from multiple well-informed thought leaders across Bromium business functions. We are grateful for their thoughtful contributions. Collectively polishing the crystal ball from our unique vantage point of hardware-enforced security isolation, Bromium Threat Labs humbly offers the following prognostications for the 2019 threatscape.
Breach Awareness Ramps Up to 11
Next year is shaping up to be the loudest, most noteworthy year on record for breaches due to increasingly stringent worldwide reporting and notification requirements—GDPR foremost among them. Expect a who’s-who of organizations reporting eye-popping numbers of victims in the mega-millions, coupled with huge fines of seven, eight, or even nine figures. The Marriott hack—involving a breach of personal information for up to half a billion customers—may be the first test of GDPR, including large multi-million-dollar fines. So, while it might appear that breaches are undergoing a massive increase in quantity, much of that can be chalked up simply to mandatory reporting.
Browser Attacks Resurge
File-Based Malware Evolves to Stay on Top
We expect that file-based malware will continue to be the largest source of attacks via web downloads and email attachments. We’ll go out on a limb and predict that 2019 will be the year that Office documents finally start to lessen in importance as a threat vector, as more customers move to online versions of Office/Google Docs, and especially as Microsoft finally begins to apply protections against macros and processes launched from Office (e.g. PowerShell). Users will continue to be the weakest link in the security chain, with at least one “vulnerability” previously considered “behaving as designed” being patched to remove the risky functionality (e.g. removing DDE from Office documents this year). Malware authors will continue to work feverishly to develop new threat vectors, which should begin to appear later in 2019.
Hardware Vulnerabilities Resurface
2018 felt like the year of the hardware hack. Spectre and Meltdown became the most expensive vulnerabilities of all time, with Intel, AMD, Microsoft and countless others throwing money at high-profile emergency patches, at the expense of performance. The Supermicro chip implant scare—now partially discredited—which allegedly impacted Apple and Amazon, also highlighted how the deliberate implanting of vulnerabilities into hardware is certainly within the realm of possibility for nation-state-funded attackers. More hardware-based attacks will come to light, exposing both new and historical chip flaws, with the industry more on edge against malicious implants from international supply chains and intelligence agencies.
Supply Chain and Acquisition Vulnerabilities Increase
For most organizations, the threat of a hardware hack is of minimal concern, as there are more pressing issues to address. The rising number of breaches originating from third parties is just one of the threats facing organizations, with complex supply chains giving hackers a wider surface to attack. As the likes of Ticketmaster (embedded third-party chatbot) and