Kaspersky Takes on 2018

In 2018, you have a choice: stride boldly into a new year and defend against a bunch of increased or new security threats, or hide under your desk with your PC turned off.

If you trust Kaspersky Labs or respect their opinion –- and I'd suggest there's no tangible reason not to –- then the findings of its annual threat prediction report will be of interest. It's Kaspersky's educated guess about what 2018 holds and is somewhat of a primer for anyone in the SOC.

The developer takes the predictions of last year and measures them against what happened this year. And it has to be said, its strike rate is pretty good. If its predictions for next year hold water, then we are all in for a rough ride with plenty of unfortunate potential for catastrophic attacks and shockwaves.

"[We have] a heightened concern for the security posture of users at large, and each event is a bigger catastrophe," said Kaspersky in the report. "Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike."

The issues facing enterprises and the public at large are the sum of greater sophistication from hackers; the ability to sit in networks unobserved, and educate themselves about security defenses, new attack vectors, and the ability to manipulate and evolve malware for sale on the Dark Web and elsewhere. And, sadly, unerring human gullibility when it comes to social engineering and phishing.

The most troublesome predictions are those which have the potential to affect the fundamental infrastructure of e-commerce, the global enterprise supply chain, and the potential for mobile malware on a huge scale. Then, there are what appear to be savage nation-state attacks whose only goal is destruction of the assets of a country or organizations perceived as an adversary.

Identity and e-commerce
This year, we were showered with PII (personally identifiable information) penetrations that affected, in the case of Equifax, about 145 million American and European consumers. There's no sign that will slow down and there will be no shortage of reports of security chaos at blue-chip firms that expose consumers to identity theft and spoofing. And herein is a sage reminder of what we're all worrying about in the longer term.

"While many have grown desensitized to the weight of these breaches, it's important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork," the report said. Harking to an emerging theme throughout the industry, this activity brings into question the very validity of common forms of authentication (particularly US social security numbers), devaluing the information but likely accelerating the use of multiple-factor solutions.

Supply chain
As we know, lateral movement after access can create a bushfire. Hackers who are frustrated at outguessing security at their target have used third-party suppliers to companies as a weak spot for entry, and then moved briskly onto their target. There's speculation that October's SONIC Drive-in fiasco, which swiped consumer credit and other PII details is rumored to have been initiated through a third party, although the chain remains quiet about what happened. Another example was the -- admittedly innovative -- CCleaner attackwhere the payload was delivered through code lines in the company's regular product update before it was even released to customers.

According to Kaspersky, these attacks are very sophisticated, wielding lots of ammunition including zero-day exploits and fileless attack tools. Apparently, they can also combine traditional hacking with escalation to high-skilled teams that extract the information itself.

"Even a target whose networks employ the world's best defenses is likely using software from a third-party," said Kaspersky. It will be interesting to see if organizations are blind-sided by this in 2018.

Mobile malware
Somehow, lawful intercept spyware software –- developed by private firms and sold to governments -- is making its way into the hands of black hat teams. Using this legal software, so-called malware implants gain access to the PII and behavior of mobile users and exfiltrate data. Apple's iOS is called out by Kaspersky as more susceptible to these advances than Android. Rather than a single event, the malware can sit there for months, all the harder to find because iOS is a locked system.

"We estimate that in 2018 more high-end Advanced Persistent Threat malware for mobile will be discovered, [because] of both [increased] attacks and improvement in security technologies designed to catch them," said Kaspersky.

Destructive attacks
When it comes to the nuclear option, malware that carries wiper payloads is fatal if the goal is the equivalent of a military sniper campaign. There's little regard for the data and this all-out approach is designed for maximum disruption of vital endpoints. Wipers have spread to encompass an additional ransomware vector of which ExPetr/NotPetya is a prime example.

New wiper variants include the Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. So-called Shamoon 2.0 has emerged after Shamoon itself lay dormant for four years, illustrating the persistence of zombie threats which mutate and re-emerge. Not surprisingly, Kaspersky predicts that destructive attacks will increase in the next year.

For those curious to see the full report list of predictions, and not hiding under their desk, here it is:

There will be:

The full report can be downloaded as a PDF here.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now