SAN FRANCISCO -- RSA Conference 2016 -- This week RSA Conference has given the security industry a good excuse to take time for some introspection and examine the breaches and attack trends that have plagued it most in the past year. Researchers with the SANS Institute took full advantage of the opportunity to give a packed house a run-down of the threats and attack techniques that have come to the forefront lately, the ones the security industry is most likely to find itself fighting in the year to come.
Here's a look:
Weaponization of Windows PowerShell
According to SANS fellow Ed Skoudis, in spite of the security headway made with PowerShell 5, the industry still faces years of attackers abusing PowerShell. The advent of tools like PowerShell Empire has all but assured that, he explained.
"We have pretty much three to five years left of attackers having unfettered PowerShell access. But I'll take that, right?" he says. "These things are moving in the right direction, but until we get these things thoroughly deployed, there's still a lot of attacks in PowerShell."
Stagefright-Like Mobile Vulnerabilities
Stagefright, a system-level vulnerability discovered last year in many versions of Android, is a bug in a core library file of the operating system that opened vulnerable devices to compromise by attackers using a specially crafted MP3 or MP4 file delivered via MMS or other means. As Skoudis explained, the weakness itself was troubling enough, but what it uncovered was also a fundamental difficulty in getting handset makers, mobile platform developers, and carriers to cooperate quickly enough to enable users to patch their phones.
"If you look at the financial motivations of the various handset providers as well as the mobile operators, their biggest motivation is not patching your existing phone, it's selling you your next phone," he explained.
He nevertheless exhorted the crowd to do its best to keep devices patched and to run the most recent smartphone operating system versions possible.
"Also, via your mobile device management infrastructure consider forcing your users to use a recent version of their mobile operating system such as Android or iOS," he said.
Developer Environment Vulns Like Xcode Ghost
Xcode Ghost last year gave the industry a wake-up call about the security of the mobile app supply chain.
"What happened here is the bad guys put up Trojan horse backdoor versions of Apple's Xcode development environment and made them downloadable," Skoudis said. "When the bad guys are able to successfully undermine the software environments that we have, they have a significant leg up on us."
He believes that in the next year the security industry is likely to see more targeting like this, and very likely it'll be aimed in the direction of the enterprise.
"I expect to see in the next year [the] targeting of enterprise application stores. So you could have your own enterprise app store where you're pushing your own code, that you approve in your own enterprise," he said. "The bad guys are going to start going after those enterprise app stores. Not Apple's app store, but the enterprise one, and putting malware on it."
Security wonks have been increasing the volume on their warnings about the universal weaknesses facing industrial control systems (ICS), the brains behind the world's critical infrastructure such as power, gas, and water distribution. SANS expert Johannes Ullrich, director of the Internet Storm Center, explained how the attack against the Ukrainian power grid last December highlighted how vulnerabilities in ICS can put critical infrastructure at risk.
It was a complicated attack that started with a phish, jumped through numerous systems including uninterruptible power supply (UPS) systems, and even involved a DDoS-like attack against the customer service phone system to buy the attackers time to reach their target.
As Ullrich explained, the Ukrainians were somewhat lucky in that it was only a six-hour outage. The real difficulty is the long-lasting impact this kind of attack has on the underlying ICS infrastructure, because the attack involved the use of KillDisk to delete boot sectors in a number of systems used by power operators across the grid.
"As far as I know, up to today, they're still working on actually getting full control back. It went into the power system and then caused lasting damage to the power system. Can it be fixed? Sure," he said. "But now you have to go out, you have to replace all of those devices. And how are you ever going to trust your network again?"
Targeting Insecure Third-Party Software Components
"When I code, I don't write software from scratch, nobody does that. I write duct tape that ties a couple of components together," says Ullrich. "That's how software is written these days, and developers never look at the source code that's underneath."
Increasingly, attackers are streamlining their work by going after vulnerable software components that they know will give them an easy way into a wide array of software rather than a single application. IT organizations are going to need to redouble their efforts toward instituting "standard sane security development practices," Ullrich says.
This means cataloging and enumerating the use of components throughout the corporate code base, understanding when those components change and, even better, finding ways to standardize on a safe and updated library of components to reduce the risk third-party components pose to the organization.
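One way to put that inventory-and-drift advice into practice, as an added example (not SANS's or the article's own tooling): the manifests below are constructed for the demo, in a simplified hypothetical `name==version` format, and the script catalogs which repositories pin which component versions, flags components pinned at more than one version (candidates for standardization), and detects repositories whose component set changed since the last run.

```python
"""Component inventory and drift check (added example; manifests are constructed)."""
import hashlib
from collections import defaultdict

# Constructed sample: three internal apps and the third-party components each
# one pins, in a simplified "name==version" manifest format (hypothetical).
REPO_MANIFESTS = {
    "billing-api": "requests==2.9.1\nlxml==3.4.4\npyyaml==3.11\n",
    "customer-portal": "requests==2.7.0\nlxml==3.5.0\n",
    "batch-jobs": "pyyaml==3.11\nlxml==3.4.4\n",
}


def parse_manifest(text):
    """Return {component: version} from 'name==version' lines; skip blanks/comments."""
    comps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        comps[name.strip().lower()] = version.strip()
    return comps


def build_inventory(manifests):
    """Catalog component -> {version: [repos]} across the code base, plus a
    SHA-256 digest of each manifest so a later run can tell what changed."""
    usage = defaultdict(dict)
    digests = {}
    for repo, text in manifests.items():
        digests[repo] = hashlib.sha256(text.encode()).hexdigest()
        for name, version in parse_manifest(text).items():
            usage[name].setdefault(version, []).append(repo)
    return {"usage": dict(usage), "digests": digests}


def find_version_sprawl(inventory):
    """Components pinned at more than one version: pick one vetted, current
    version and standardize on it instead of tracking several."""
    return {c: sorted(v) for c, v in inventory["usage"].items() if len(v) > 1}


def changed_repos(old_inventory, new_inventory):
    """Repos whose manifest digest differs from the previous inventory, i.e.
    whose third-party components changed and need a fresh review."""
    old, new = old_inventory["digests"], new_inventory["digests"]
    return sorted(repo for repo in new if old.get(repo) != new[repo])
```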
Internet of Evil Things
Attackers are starting to push the technical boundaries of the Internet of Things (IoT), seeking profitable ways to take advantage of the devices and sensors embedded in our everyday lives. According to Ullrich, the early motives fall into two main categories. The first and most obvious is DDoS attacks, since the small devices "make really nice reflectors."
They're also finding that in the corporate environment, embedded devices and other IoT connection points make for a great way to start probing internal networks.
"Because now they have a little beachhead that they can use to attack other devices, not just other devices on the Internet, but in your network," he says.
Changing Malware Economics Presses Ransomware Push
Finally, Ullrich noted that the recent spate of ransomware is not going to let up, because the economics of malware and cybercrime are changing.
As he puts it, "all the data has been stolen" already. With huge credit card heists going non-stop for the better part of a decade, and others like the OPM breach continuing to come to light, attackers are finding that they just can't make the same amount of money off selling stolen data that they used to.
"It's really hard these days to get rid of credit card numbers because there's so many out there," he says. "So then someone had the brilliant idea years ago: 'Why don't we just sell the data back to the owner?'"
This was the opening gambit in what he and many security experts believe will be an increasingly complicated play to defraud via blackmail rather than outright theft and fencing. He warns that enterprises should expect to be the next big ransomware targets.
"It used to be much more of the end user product where grandma's computer gets infected, they encrypt a file, and try to sell it back. Just the last couple of weeks, you had the three different hospitals that had their data encrypted and servers are getting attacked more and more."