CyberWire Daily - 2018 forecast [Special Editions]
Episode Date: January 26, 2018
It's fair to say that 2017 was a busy year when it came to cyber security, and as we head into 2018 there's certainly no sign of things slowing down. Days into the new year the news of serious vulnerabilities like Meltdown and Spectre, the ongoing threat of ransomware, major data and privacy breaches, and political unrest around the world, well, hold onto your hats, it looks like we may be in for a bumpy ride. In this CyberWire special edition, we've gathered a group of seasoned cyber security experts to share their views on what we might expect over the coming year.
Nate Beach-Westmoreland is Head of Strategic Threat Intelligence at Booz Allen's Cyber4Sight. https://www.linkedin.com/in/natebeachw/
Christopher Porter is Chief Intelligence Strategist at FireEye. https://www.linkedin.com/in/christopher-porter-039620112/
Caleb Barlow is Vice President Threat Intelligence at IBM Security. https://www.linkedin.com/in/calebbarlow/
Transcript
You're listening to the CyberWire Network, powered by N2K.
It's fair to say that 2017 was a busy year when it came to cybersecurity,
and as we head into 2018, there's certainly no sign of things slowing down.
Days into the new year, the news of serious vulnerabilities like Meltdown and Spectre,
the ongoing threat of ransomware, major data and privacy breaches,
and political unrest around the world, well, hold on to your hats.
It looks like we may be in for a bumpy ride.
In this CyberWire special edition, we've gathered a group of seasoned cybersecurity experts to share their views on what we might expect over the coming year.
Nate Beach-Westmoreland is head of strategic threat intelligence at Booz Allen's Cyber4Sight.
Christopher Porter is chief intelligence strategist at FireEye.
And Caleb Barlow is vice president of Threat Intelligence at IBM Security.
Stay with us.
I think when we look back at 2017, it seemed that basically every quarter there was really a historic level event that could have really vied for being the hack of the year, quote unquote.
That's Nate Beach-Westmoreland from Booz Allen's Cyber4Sight team. Whether it was WannaCry or the Triton Trisis malware, we saw these massive global
ransomware campaigns and attack on industrial control systems, safety systems. We saw
allegations flying of all the usual major national adversaries. I mean, it was a really busy year in the past year.
I think a lot of what we saw in 2017 relates to the predictions that we have made for 2018.
That's Christopher Porter from FireEye.
Probably the most notable development to me is that several of the state sponsors have been
willing to engage in activities that we traditionally think of as being associated with cybercrime.
For example, North Korea going after cryptocurrency exchanges.
And likewise, cybercriminals gaining access to tools that several years ago, if we had seen that during an incident, we would have said, oh, this must be a state actor.
So you're seeing a lot more blurring of those lines between state and non-state actors,
and that informs a lot of what we think we're going to see going forward into 2018.
As we saw in the latter half of 2017, ransomware has certainly been out there
and has certainly been used to mask several attacks like WannaCry and NotPetya.
That's Caleb Barlow from IBM Security.
But we really think we're going to see ransomware rear its
ugly head and start to look at IoT devices. So expect lower ransoms, but also expect things like,
you know, just devices to potentially be locked up, someone to force you to pay a ransom to get
your data back or unlock your device that may have some kinetic connection. So almost sort of a
nuisance type of ransomware.
Yeah, exactly.
And, you know, especially when we look at these IoT devices,
you know, these things are rarely patched, right?
So think of something like, you know, a control system in a plant
or even if you go to consumer devices, you know, a nanny camera.
Generally speaking, no one's going around and worrying about how they patch and update that.
Oftentimes the software that comes with it when it came out of the box is the same software that's in it when it gets thrown in the trash 10 years later.
And that really presents a ripe opportunity for vulnerabilities as well as exploitation.
And that's where I think we'll really start to see a rise in, as you put it, nuisance ransomware start to emerge in 2018. There's a couple of reasons why we think we'll see, you know, nation state use of ransomware.
I mean, on the one hand, there's ransomware as just gathering money, you know, earning,
you know, hard currency.
This really only appeals, we think, to a small number of nation states,
the sorts that are basically cut out of the loop for traditional financial markets.
And so they need to resort to these alternative means of gaining currency, as well as just
other states that are simply strapped for cash
and already engage in more traditional sorts of criminal activities,
gray area activities such as drug running.
But the other side of that coin is there are nation states
that they are certainly not lacking in money,
but they would still be interested in using ransomware
because in effect it's a type of disruptive attack.
You know, if you simply throw away the key years, allegedly associated with nation states,
ransomware provides a much more plausible cover than simply wiping the master boot record,
rendering hard drives unreadable. Ransomware now, nation states get to look like they're cyber criminals and have a degree of plausible deniability. For the last decade, let's say,
when there was a major cyber operation, it probably involved one of the major powers,
the US hacking someone, China hacking someone, Russia hacking someone, often each other, right?
Well, those are countries that have mature, stable diplomatic relations around the world
and ways of resolving conflicts that, even if they're acrimonious at
times, don't devolve into anything worse. There's a way to sort of stop the damage and the blowback
from cyber operations. But as these tools start to become more widespread and you've got regional
powers that neighbor one another that maybe have fought armed conflicts with one another recently,
if they get caught hacking one another,
I don't think it's a given that it's going to stay in the cyber box. I think it's much more likely to
spill over into armed violence or other kinds of responses that we haven't seen from the
mature, stable, global cyber powers. So sort of the proliferation of tools naturally,
but also the deliberate sharing of training and the spreading of cyber knowledge,
offensive cyber capabilities and knowledge. I think you're going to see that really surprise
some people in the way that it's responded to and the way it could spiral out of control in some
areas. One of the biggest assumptions I think a lot of people have when they think about cyber
threat is, you know, when we talk about APT groups, advanced persistent threats, most folks in the
cybersecurity industry, you know, we got into this business because we were interested in the technology. And so they
focused on the advanced part. But really, I think in most cases, it's the persistent part that's
more dangerous. So looking forward into 2018, I think we're going to see several things.
One is the spread of the really high-end cyber threat groups, the world leaders in terms of tools, techniques, infrastructure, and persistence, their willingness to conduct aggressive activities.
We're going to see that not only spread naturally.
You often hear people talk about proliferation as though it were a natural occurrence, but being deliberately shared. And the reason for that is being led by
the United States and NATO, there's a push to take cyber operations from their origin as sort of
being intelligence gathering tools, secretive intelligence gathering tools, and to militarize
them. Well, and naturally, if you have military alliances, the U.S. has them around the world,
Russia, China, other actors have them with their partners around the world. Military alliances are going to be much more conducive to sharing tools,
techniques, lessons learned from successful operations than intelligence gathering tools.
So the militarization of cyber operations and the fact that that's become more widely accepted
and under international laws being treated very differently than the
intelligence gathering tools that maybe people had assumed it would be in the past.
I think we're going to see a lot of those top tier APT groups, their techniques, their tools,
some of the overlapping targets get shared with what in the past had been considered second and
third tier actors. And the way that'll play out in the private sector is going to be the emergence of more APT groups, APT groups beyond those traditional threat countries,
the big players that I talked about, but demonstrating that level of skill.
We're likely to see a growth in new attacks and threat actors coming out of Africa,
largely as a derivative of the fact that the technology growth in Africa is much on the rise,
and also this is a rising economy.
And, well, with that comes local threat actors.
So it really represents for us the largest potential for kind of net new impactful cyber events in 2018.
And do you see this as being a shift towards Africa or a whole new market, if you follow the nuance there?
I think it's very much of a whole new market, right? It doesn't say that there aren't bad
guys from other places that are outsourcing their efforts to Africa. Those other criminal
entities are likely to still keep on doing what they're doing. But we've got some new actors
coming onto the playing field here, if you will. Many of the most damaging cyber attacks were probably responses to sanctions.
So countries that had been sanctioned by the U.S., countries that had been isolated economically.
North Korea is a great example.
They were willing to go after the global financial transaction system, go after major global banks, go after cryptocurrencies, all these things that other countries, other cyber threat groups could have done, but generally passed on doing. Certainly
the more destructive, disruptive attacks like ransomware, other countries are capable of doing
and generally have not done as much. And so why is North Korea so willing to do that? And a big
part of it is because they've got not much left to lose. They're already isolated. I think we're going to see that going forward, not only in the countries that are
outright sanctioned, but I could imagine, for example, China. We saw even just recently
in the U.S. the CFIUS review turning down acquisition of American companies by would-be
Chinese parent companies. Activities like that are going to increase the pressure on state-sponsored cyber
threat groups around the world to conduct operations, not just for traditional political
military intelligence, but also to support their national economies.
So again, we're seeing those blurring of the lines, not between non-state actors and state
actors, but also the purposes for which those activities are being carried out.
State actors are carrying out things for more direct economic benefit than they ever have in the past. China obviously is well known
as an accused intellectual property thief for a long time, but they've had the Xi-Obama agreement
since 2015 to curtail a lot of that activity, and it's been very successful. If we see growing
tensions between Washington and Beijing over economic and trade
issues, could some of that come back? Those are the kinds of issues that we're warning our clients
about. First of all, you have these certain pariah states that are being cut out of the
international markets for a variety of reasons. And so they're seeking these alternative means of gaining financial resources.
Allegedly, North Korea has been targeting professionals involved in the cryptocurrency
industry in order to gain access to their computers and networks.
The other reason is national control.
So what we've seen are several countries have publicly announced, like Russia and China, that they are considering having their own national cryptocurrencies.
You know, the digital renminbi, the digital ruble.
Part of that we see is a form of essentially power and control.
You know, these countries are well known for their issues of currency flight with leaders in their country making a lot of money and perhaps taking it out of the country.
And those nations would want to have that money stay in the country.
And if you're using a cryptocurrency that's managed by a given country, you can keep that money safe and inside and not in dollars that can be used globally.
So in a sense, sanction busting. You have this currency that you can control
and no one else in the rest of the world could mess with.
You have your own form of secure currency.
Information sovereignty, the idea that this has been battled over at the UN for years,
but the idea that national sovereignty and sovereignty over one's internal affairs, you know, extends to the information
sphere, extends to what information comes in and out via the news media or, you know, obviously via
the internet. It's traditionally been the big powers that fought over those issues and that,
you know, rubbed each other the wrong way and that led to media conflicts. Well, what happens when the second and third tier cyber powers also have the same issues?
Are they going to be hacking one another's media companies? Are they going to be running their own
information operations campaigns? I think the sort of activities that we've seen, the political
interference and others that we've seen from the major global powers, I think you'll start to see
more countries doing that as a normal means of their international relations. So all of that is very destabilizing,
potentially. It doesn't say a whole lot about what tools and techniques will be used. But
I think the most important thing is going to be what are the sponsors of those cyber threat groups
going to be asking their hackers to do for their countries? Because of the turbulent political
times we live in, because of increased economic pressures, I think you're going to see those state-level
national resources be more and more used that way. In the West, in threat groups around the world,
everyone's going to be doing this in the not-too-distant future.
When we look at 2018, we're likely to see a rise in attacks where the cyber criminals are actually using
machine learning to spoof human behaviors. Much like the cybersecurity industry has been using
artificial intelligence to try to find the bad guys, the bad guys are also using AI to figure
out where we're vulnerable. So in an interesting game of cat and mouse, this is going to be a
little bit of AI versus AI in 2018.
And is that the availability of these tools have become cost effective?
Well, it's cost effective. They're pervasive. But also, you know, these tools give you the ability to spread a kind of broader net as an attacker and try to find a way in.
What do you suppose the effect of GDPR coming online this May is going to have on the global security world?
Sure, yeah. There's GDPR. There's other regulations as well.
You know, New York Department of Financial Services have regulations that are going into effect that, in the U.S. anyway, will have a significant impact as well.
GDPR, obviously the biggest and most important. Breach, you've got 72 hours to give notice.
It'll be really interesting to see how that plays out in practice.
Certainly, I think the increasing regulation, because it'll increase confidence and decrease
ambiguity, those are all good things for enterprises.
Nobody likes regulation, but also people don't like having no rules at all either.
So I think a lot of this is going to be very positive for cybersecurity.
If for no other reason, then it'll give a clear incentive.
You know, on the margin, there are companies, you know,
we tend to think about the laggards that are not doing notifications well,
and they're not doing cybersecurity well.
You know, there's always the possibility that some of those companies
that actually have been very good and very forward-leaning
could regress to a mean and take on a more compliance mindset.
So that's something we want to fight against.
The vast majority of companies, obviously, are going to be more concerned about meeting GDPR notification requirements and can they host their data appropriately for local laws.
From a threat perspective, that gives you several different things.
One is that many of the best APT groups,
many of the best, most threatening groups, one of their big advantages is they can prepare and
in advance, they can choose the time and place of their engagement in cyberspace.
And they can move very fast once they're inside the network and between different companies.
So having those quick notifications, yes, it's good for customers. Yes, it's good for
organizations to have clarity on the rules. It'll increase pressure on some of those cyber threat groups because if they breach
one company and, you know, but there were 10 that they were targeting, they're going to have to
think about, well, now how does this notification affect the defender's ability to coordinate,
the defender's ability to share information between different vendors and between different
companies. So those are positive developments generally having those regulations on the books. Well, there's certainly a lot of
desire in various communities for policy and regulation. I think the challenge we have to
recognize is that even with policy and regulation, you know, a check on a device, a certification
stamp is only really as good as the moment at which it was
certified. I think we've all learned that new vulnerabilities can appear at any time in a
system. And what we really need to do is move to a model where anything that connects to the internet
has to have a way to update itself at any time over the wire. It's really that simple. Now,
that may sound simple, but now when we talk about
IoT, that sounds really complicated. I mean, you know, when you go buy a used car now, and this is
actually something you kind of have to do today, you go buy a used car, it isn't just go get the
oil changed and have your mechanic check it out. You also need to update the software and change
all the passwords on that car. I mean, how many people thought of that historically when they went and bought a new car?
You know, I have seen improvements in the sense of a lot of really active information sharing communities amongst professionals out there.
I've seen lots of effort to try to dial down some of the rhetoric within the community whenever we find potential nation state activities.
So, for example, you know, I saw a report that came out this year that deliberately withheld
information to the Trisis/Triton attack that, you know, it wouldn't have helped defenders,
but it would have really thrown the whole discussion into a much less nuanced
national adversary discussion. I think in the United States anyway, we tend to define critical
industries. We tend to have a list of these are the industries that are critical. And I think to
some degree, everybody else is kind of left to fend for themselves when there's major cyber
attacks in terms of the government response. I wouldn't say that it's not getting attention from other people,
but in particular going forward, if economic competition among states returns to being a little more cutthroat
and people using state-level resources to do it,
I think you're going to have to have much better coordination and cooperation between the private sector and the government,
even among the industries that are not in those critical industries list. It's great, and there's obviously a lot of work to be done to protect critical
infrastructure. But I think you want to make sure that it's casting a wider net for cooperation.
That's something that I bring up in every meeting that I can, is that it needs to be more focused on
national level efforts, international efforts to coordinate and share information as quickly as possible,
speed's the key. And you don't really care if who is breached is a retailer or the energy sector.
Obviously, there are differences in terms of the damage that can be caused and the systemic damage
and the types of malware that might be used and so forth. There are many differences,
but there's more similarities in terms of the back-end infrastructure and who's doing it and why and so forth.
So just making sure that we don't forget that most industries fall outside of the critical infrastructure, critical industries lists, and that they need defending too, and that they can contribute to security even of those critical industries.
Because who knows?
They might be the first ones who are breached or that see a certain piece of malware.
So being more adversary-focused, less focused on siloed industries, that's a big one for me. You know,
if we look at identity, we've had over 2 billion records stolen in 2017. And this is a scale like
we've never seen before. You know, if we go back to the healthcare breaches of 2015, where most of
us lost our healthcare records, of course, then we bring in 2017,
and most of us also lost things like our social security number and other forms of immutable data
that might be used to establish credit, things like that. And of course, the challenge in all
of this is that we as a society have been using things like social security numbers, dates of
birth,
mother's maiden name. This is what we call immutable data. You can't change it. Well,
we really shouldn't be using these things for both identity and access. We should really only be using them for identity, you know, to tell that, hey, I'm the John Smith that lives on High
Street versus the John Smith that lives on Oak Street. But using
them to actually also establish access in a system is really something we shouldn't be doing anymore.
And I think the reality is we might as well just publish our social security numbers,
because guess what? The bad guys kind of already have them.
Do you think we'll see solutions in this coming year that will
reduce some of the friction for people to be able to use some of these multi-factor systems?
I do, and, you know, in fact, I think in many ways these things are already here.
I mean, inside of my own corporation, we use two-factor for most everything.
It's simple and painless, I think, in a lot of kind of robust online communities,
certainly a lot of the major social networks now, you see two-factor authentication,
and it's not easy, and it provides an extra level of protection. And I'll tell you what,
I'd much rather be occasionally putting in an extra password from my phone than trying to
remember a 16-digit password with upper, lowercase letters, special characters, and everything else
that people are asking for nowadays. Do you think we'll see any shifts in terms of a political will
to come at some of these problems from a policy point of view? Well, I don't think we have a choice because
at the end of the day, if all of our identities are out there and all these forms of immutable
data are out there and people are still using them as a form of access, then we're going to
see the rates in fraud rise dramatically. So whether we want to
see it or not from a political point of view, we are certainly going to see a drive towards it from
an economic point of view. You know, remember, we talk a lot about, you know, nation state activity
and all that's all the stuff that makes the news. But this is a $445 billion annual problem
when we talk about this from the segment of organized crime.
Now, put that in perspective, that's larger than the GDP of a lot of countries like, oh, let's say Ireland.
It's true that a lot of the stuff we look out for is the same stuff we've been looking out for for the past 20 years.
We're going to see a tremendous amount of social engineering. We're going to see phishing. We're going to see Word documents with malicious macros. And the reason we keep seeing all these things is because if it ain't broke, don't fix it.
that's coming over the horizon in the next year,
vulnerabilities like Spectre and Meltdown could ultimately degrade customer expectations
of virtual machine instances,
that they can be, in fact, truly isolated
from the hardware they're running on.
So essentially, this could drive some organizations
to rethink their growing reliance on cloud services.
Really, what these attacks showed was the risk was that someone else could be existing on these cloud services
and see what other processes were going on, what data was exposing the data of other customers on cloud services.
So one response you might see is a wish to draw back
within the castle walls. I think what we can expect to see are several types of innovations
on existing attack. For example, in our report, one of the things that we call out are attacks on software updates, the supply chain of software updates.
So we saw some significant attacks in the past year, be it the NotPetya incident with
the Ukrainian tax software or the CCleaner update incident.
We think that while we've seen malicious software updates for years, going back
to at least the 2000s, we think that the publicity globally that these incidents received will end up
drawing a lot more adversaries into this space. So we're imagining that in the coming year, we will see just greater interest by
nation states and cyber criminals at trojanizing these software updates, be it for ransomware,
be it for cryptocurrency mining. So that's one of those major trends we expect to see in the next
year. If you had advice for someone to change something that they did in 2017 for 2018 to update something or
do something better? What would your advice be? Well, I think there's two things that people have
to do that they probably haven't thought of before as we go into 2018. The first and foremost is
we've really got to get an inventory of what systems and devices do we have in our networks and in our corporations or even in our
house. Historically, we really didn't worry about all the devices that might be connected to the
network. As we move into 2018, we're likely to see the scenarios where we not only need to update,
kind of patch our Windows and Apple systems and our phones, but also need to patch IoT devices and patch
hardware. And that's something we're not used to doing. So I think that's the first thing.
The second thing I think people have to do as they go into next year, they probably haven't done,
is they need to truly, really rehearse an incident. Because, you know, we refer to this as left of
boom and right of boom, right? So if boom is an explosion in this case,
when you become aware of that breach,
everything left of it is preparing for it and getting ready.
Everything right of it is dealing with the aftermath and ensuring resiliency.
Well, almost all of our time, thought, and investment to this date in the industry
has gone into the left of boom activity before we know about the breach.
It's time to go spend some time on right of boom and really understand
when the breach does occur, it's unfortunately somewhat inevitable.
How are we going to respond?
How are we going to react?
And what decisions are we going to make?
I think that having war gaming is really important if they're a large organization.
You're considering how would we respond if we
had, you know, ransomware that infected our network? How would we respond to a sudden loss
of the power grid in Ukraine? So wargaming that out. Also, really focusing on just documentation so that you have like a playbook of how you respond to these sorts of problems.
You know, I think it's always safe to assume that you have been breached or that you will be breached.
There's no reason to think that just because you have some level of expertise that somebody couldn't steal something from you or cause damage to a system and so forth.
So having that mindset of, you know, I've already been breached or I could be breached if the adversaries wanted to,
I think that's very important.
Can you go in and can you pick out what information is most important to your organization?
Do you know where your valuables are, essentially?
I think that's going to be the key. So if you assume that you've already been breached and you don't necessarily know where it is,
and, for example, your organization is moving a lot of your valuable data to the cloud, to a cloud service provider,
well, at FireEye, 80% to 85% of our customers are moving some of their key data to the cloud.
That has many upsides for security.
One of the potential downsides, though, is that between the transfer from on-prem to cloud,
I think there's an institutional tendency to sort of assume that it's all over there somewhere,
wherever over there is, and not to think as much about where exactly logically data is being protected and defended
and what controls, there's so many controls to configure, what controls apply to which bucket of data. In some ways, that's not that it's easier, but you're forced to do it when
you're on-prem and you're not forced to do it because it's so convenient when it's in the cloud.
So having a good inventory of where your truly vital either data or truly vital operations is
usually easier, but the truly vital data, where it's at when you're putting it in the cloud,
what controls are there, what's logged. I think that's something that people tend to overlook. And that's, you know, that's kind of
obvious advice for a lot of people, but it's still also a very common cause of problems. So even if
you think you've done it, assume that you've messed up somewhere and go find it, go, you know,
go red team yourself, that kind of a thing. The name of the game in cybersecurity is really risk
management. You know, you need to understand what is the threat and what is our mitigation to it.
And is that an acceptable level of risk we are willing to take on?
So you have to make sure that you have the processes in place in order to both, you know, to really make that equation and calculate it.
And if there's just a theme to all these things I've just been laying out, it's relentless preparation. Imagine that there's always something coming down
the pike, making sure that you just don't take the mentality that we completed the audit last
year. We checked all the boxes. We're good. No, you have to be constantly
evolving, preparing and understanding what's coming over the horizon in order to manage your risk.
And that's our CyberWire special edition looking ahead to 2018.
Our thanks to Nate Beach-Westmoreland, Christopher Porter, and Caleb Barlow for joining us.
We're excited to be featuring original music in this special edition podcast from local artist Ben Hobby.
If you like what you hear, you can check out more of his stuff on Twitter, where he is at Ben Hobby.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John
Petrick, social media editor Jennifer Ivan, technical editor Chris Russell, executive editor
Peter Kilpie, and I'm