Wednesday 19 December 2018

Top-5 Predictions for 2019: Cyber Threats and How to Protect

Written by: Stuart Peck, Director of Cyber Security Strategy, ZeroDayLab 

2018 has been an eventful year, especially with the introduction of GDPR and the California Consumer Privacy Act, a never-ending barrage of high-profile breaches, sophisticated malware and crypto jacking campaigns, and a ramp up in criminal and fraudulent activities. Reviewing the events from the last 12 months, it’s clear that although there has been a significant increase of attacks, the attack vectors remain vastly the same as they have always been: human error, configuration issues, weaknesses in the supply chain and, unsurprisingly, patching problems!

So, without dampening the Christmas Spirit (too much), what does 2019 potentially have in store for us? What can organisations do pre-emptively to reduce the likelihood and impact of a cyber-attack? Here are my top 5 predictions for 2019;

1.     More Third Party Applications / Code Libraries will be targeted.

Organisations focus on protecting their own critical assets with significant investments in resources and technologies, but then either give access (or share critical data) with third parties who are not as mature. In 2018, we've seen some examples where Open-Source or third-party integrations have been abused by attackers, with Magecart’s JavaScript injection being a primary example. With API abuse to steal authentication tokens also on the rise, the impact of this attack can be significant, not only exposing client / customer data, but potentially the entire supply chain, similar to the recent Facebook breach. In 2019, I predict that this will be the vector of choice for a few reasons;

1) Many organisations don't conduct regular security reviews on their supply chain, let alone review the impact of using third-party code libraries and integrations.
2) These attacks are easy to scale and are therefore cost effective for attackers.
3) The yields and likelihood of selling off or sharing the techniques to other groups is also very high, again making this a profitable exercise.

2.       Business Email Compromise attacks will evolve.

In 2018, ZeroDayLab saw a significant increase in not only the intensity of business email compromise campaigns, but the sophistication used by attackers. In the last Quarter of 2018, attackers were using more advanced techniques to compromise supply chain mailboxes to harvest invoices and other information, usually to craft highly convincing phishing emails that either deliver malware aim to defraud their target out of funds. These attacks, although not new, have adapted as awareness of Whaling (CEO Scamming), has matured, but the techniques witnessed in Q4 2018 will proliferate in 2019, and catch unsuspecting organisations off guard.

3.       Crime-as-a-service will be a driving factor behind many attacks.

After high profile Global Ransomware attacks such as NotPetya and Wannacry, it seems in 2018, Ransomware attacks have dropped off the face of the earth, mainly due to awareness, volatility in crypto currencies, and increased attention from law enforcement. However, bucking the downward trend is ransomware-as-a-service offerings such as “GandCrab”, which have both seen an upturn in infections, and maturity of the offering to their criminal consumers, with reported ill-gotten gains in the millions. 

Crime-as-a-service has all but removed the barrier to entry to cyber-crime, with hacking-as-a-service, malware / ransomware-as-a-service and now phishing-as-a-service featuring highly on the Dark Web and Telegram; these platforms provide even the most novice of criminals the ability to target relatively mature organisations with some level of success. This trend is only going to rise in 2019.

4.       Lack of visibility will be punished

There are a few things that the recent Marriot breach has taught us: blind spots can be punishing, attackers are constantly looking for ways to compromise assets that organisations have no visibility of, or even worse, are not in an asset register and therefore have no idea of its existence. The rise of Shadow IT, where solutions and technology are purchased without the knowledge of IT / Information Security, provides attackers a target where in most cases there is no protection or monitoring for unauthorised access. This opportunity allows the attacker to potentially pivot on to a more critical system, or in worst case scenarios, actual access to personal information.

In both cases, these are an easy attack surface with significant oversight. Attackers constantly use tools like Shodan and Censys to discover public facing assets with default / weak passwords, weak encryption, or any of the critical risks found within the OWASP Top Ten; these are quick wins for attackers and deal a devastating blow to organisations with a huge impact to reputation, and usually catch the information security team off guard.

5.       Cloud Security Misconfiguration

Although great strides have been made to improve the security of critical assets in the cloud, organisations still haven’t fully embraced the protection available, or worse, have misconfigured environments allowing attackers to capitalise on this. There have been many incidents in 2018 that highlighted this: open S3 buckets with vast amounts of customer data unencrypted and available to anyone, weak admin credentials with no MFA, private keys posted in GitHub repositories, the list goes on. Human error is a factor that the cloud sadly won’t fix, only expedite, with significant consequences for organisations that don’t embrace the Sec in ‘DevSecOps’! With increased Governance around the protection of the Privacy and Security of PII (Personal Identifiable Information), those fully adopting the benefits of the cloud also need to fully enforce the security controls.

There is some good news, however; there are many things organisations can do to reduce the impact of the aforementioned security risks;

  1. Ensure Asset registers are fully up to date and include any cloud-based applications and systems within these. In addition, ensure they are patched to the latest version, or highlight the risk for those that cannot be, with the relevant justifications and mitigation. This seems simple, but the volume of organisations that don’t have a fully up to date and relevant register is significant.
  2. Conduct regular Ethical Hacking Assessments on your risky assets, especially those that are public facing. Check cloud and internal networks for misconfiguration - the quickest win to prevent abuse from attackers. Also test those integrations; understand how and where you are exposed.
  3. Train Developers and Operational teams (DevOps) on secure coding and deployment principles. Ensure these are documented through a defined set of procedures and policies. Also ensure developers are using secure coding frameworks, and not using risky third party libraries, or untested open-source object.
  4. Conduct regular BIA (Business Impact Assessments), to help define critical assets, and ensure they have the relevant controls in place - essentially find your blind spots and fix them!
  5. Conduct Supplier Evaluation Risk Assessments regularly, understand the security maturity of your critical suppliers, and act to address those that expose you to unnecessary risk.

By conducting the above activities in 2019, you’ll not only reduce the risk to your critical assets, but also have the appropriate intelligence to develop a strategy moving forward.