Cybersecurity in 2017: Goal, Illusion, or Oxymoron?
Here at the (relative) beginning of 2017, we can safely say that the previous year was among the most significant in history from a cybersecurity standpoint. Nation-state actions, in the form of the assumed Russian interference in the U.S. elections (especially the presidential race) and in the leaks of e-mails from the Clinton campaign, dominated cybersecurity news. However, 2016 also saw the largest DDoS attacks in history, with the second attack being the current record holder at approximately 1.5 terabits/second of data. These attacks, in turn, put the malicious use of Internet of Things (IoT) devices in the security spotlight. It was an eventful year.
The only factor that has the potential to make 2017 less significant is the lack of a U.S. Presidential election this year. In all other respects, from nation-state activities to malicious use of technology, we’re in for quite a ride. Obviously everyone wants to see stronger security, but is that a realistic expectation? Or maybe a better question to ask is, whether the security is stronger or not (for it is demonstrably stronger than it was 10 years ago, yet attacks have flourished), will there be fewer breaches, or more? Whichever way things break overall, here are some of the things I think we’re likely to see this year:
Cars will get ransom-locked
Prepare for hackers to take the driver’s seat in 2017. With the advancement of autonomous cars and increasingly interactive and personalized conventional (i.e. human-piloted) vehicles, hapless owners will discover one day in 2017 that their cars won’t start. The infotainment screen will announce that the car has been crypto-locked and is completely disabled until the ransom is paid. We know several things that make this scenario plausible:
- Ransomware is effective for criminals. Several organizations, including hospitals, the San Francisco Municipal Railway, and educational institutions, have paid ransoms to unlock important files.
- Cars have security holes. While some of the high-profile car hacks have been patched quickly by manufacturers, it stretches credulity to believe that no exploitable attack surface remains in modern vehicles.
Botnets, by definition, rely on a command-and-control (C2) infrastructure. That’s what puts the “net” in “botnet.” These systems have evolved over the years from IRC to HTTP/S and fast-flux domains, and now a diabolically ingenious method of botnet C2 uses auto-generated, fictitious, social media accounts to direct the bots. This method is clever for several reasons:
- Unlike IRC, which involves somewhat static server infrastructure, or HTTP/S which involves domains and IP addresses that can be blacklisted, social media infrastructure is durable, trusted, and very unlikely to be voluntarily dismantled; you can’t just take down Twitter because a botnet is using it.
- The fictitious accounts have proven difficult to identify and shut down at scale. This may change as social media platforms become more concerned about these botnets, but for now, assume that we have not seen the end of social media as a botnet C2 channel.
“Drip Campaigns” will undermine trust in networks and data
While spectacular or well-publicized attacks can certainly undermine trust, they do have some drawbacks from the attacker’s perspective. Because they get attention, their remediation likewise gets attention, which can help restore trust. Also, a large attack or breach often gives the incident response team a lot of information to help the forensic effort and ultimately restore integrity. 2017 will see an evolution in threat actor technique, with more subtle attacks designed to destabilize systems and undermine trust by making a series of small disruptions or anomalies that cause an enterprise to question and gradually lose trust in the integrity of their systems overall. This could potentially create various kinds of openings for other exploits, but perhaps the most pernicious aspect of such a campaign is that its small moves could make forensics harder to carry out.
The baddies will get more proficient, but so will InfoSec
We already know we’re living in interesting times, and that one of the things that makes them “interesting” is the abundance of ways in which our reliance on technology, and on its integrity and security, can come back to bite us. If the cars won’t start, the bots don’t show up where we’re looking for them, or the systems we rely on seem to inexplicably degrade, the good news is that the InfoSec community will learn from the attacks and get a little bit better at detection and prevention, making the bad guys’ jobs in 2018 just a little bit harder.